
Solved: WINANTIVIRUS 2007 has attacked my computer !!

Discussion in 'Virus & Other Malware Removal' started by davidzane, Mar 12, 2007.

  1. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    I can't get rid of it; if anyone could PLEASE help, I would be so grateful.

    This is my HijackThis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:52 PM, on 3/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\PC Tools AntiVirus\PCTAV.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas23.exe" /minimize
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    :mad:
     
  2. crjdriver

    crjdriver Moderator

    Joined:
    Jan 2, 2001
    Messages:
    38,239
    I moved this to the security forum; you will get more help there with a hijack log.
     
  3. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Here is some information regarding NewDotNet:
    http://support.microsoft.com/?kbid=302463
    Additional source:
    http://www.pchell.com/support/savenow.shtml

    I suggest you remove NewDotNet unless you deliberately installed it.

    First, please open Add/Remove Programs and uninstall New.Net, NewDotNet, New.net Application, or New.net Domains from there if listed. If it is not listed, follow these instructions:

    From a computer that has Internet access, click on the following link:
    http://www.new.net/support/uninstall6_90.exe.
    · Download and save uninstall6_90.exe to the Desktop.
    · Go to the Desktop and double-click on uninstall6_90.exe
    · Click on the OK button.
    · After removal, you may be prompted to reboot. Please reboot even if not prompted.

    =================================

    Download RogueRemover from the link below.
    Unzip to a convenient location such as C:\RogueRemover.
    Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe.
    Finally, select Scan and the program will walk you through the remaining steps.

    Compatible with Windows 2000, NT, XP

    http://www.malwarebytes.org/rogueremover.php

    ==================================

    Download Combofix and save it to your desktop.
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Note: It is important that it is saved directly to your desktop

    Close any open browsers.

    Double click on combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.

    Post the ComboFix.txt in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  4. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    The first programs didn't find anything, and when I ran ComboFix I got a blue screen saying something like, "Windows has found a problem and has shut down to prevent damage".
    When I restarted my computer I got an error saying:
    "RUNDLL
    Error loading C:\PROGRA~1\NEWDOT~2.DLL
    The specified module could not be found"
     
  5. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    Oh, and when I installed uninstall6_90.exe: when I clicked on it on my desktop, the icon would just disappear and nothing happens. I've downloaded it and tried it 4 times, and it disappears every time.
     
  6. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    OK, I got uninstall6_90.exe to work; my AVG Anti-Spyware was protecting against it.
    However, that was obviously not the problem; I'm still getting popups (mostly from anti-spyware sites) and the computer is moving slooooow.
     
  7. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    OK, got ComboFix to work.

    "david" - 07-03-12 22:55:48 Service Pack 2
    ComboFix 07-03-13.4 - Running from: "C:\Documents and Settings\david\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2007-02-12 to 2007-03-12 ))))))))))))))))))))))))))))))))))


    2007-03-12 22:49 <DIR> d-------- C:\rename_this_folder_back_to_ComboFix_
    2007-03-11 16:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-03-11 15:11 <DIR> d-------- C:\Program Files\Common Files\iS3
    2007-03-11 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZILLAbar
    2007-03-11 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
    2007-03-11 14:10 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-03-11 13:44 <DIR> d-------- C:\DOCUME~1\dual\APPLIC~1\PC Tools
    2007-03-10 19:43 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
    2007-03-10 19:43 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
    2007-03-10 19:43 15,360 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
    2007-03-10 19:43 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\PC Tools
    2007-03-10 19:42 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
    2007-03-10 19:42 <DIR> d-------- C:\Program Files\Common Files\PC Tools
    2007-03-10 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
    2007-03-08 21:57 <DIR> d-------- C:\WINDOWS\system32\.svn
    2007-03-08 21:55 843,922 --a------ C:\WINDOWS\system32\WinNB69.dll
    2007-03-08 21:55 538 --a------ C:\DOCUME~1\dual\APPLIC~1\internaldb8467.dat
    2007-03-08 21:55 374 --a------ C:\DOCUME~1\dual\APPLIC~1\internaldb6334.dat
    2007-03-08 21:55 18,432 --a------ C:\DOCUME~1\dual\APPLIC~1\internaldb41.dat
    2007-03-08 21:55 139,264 --a------ C:\WINDOWS\mirar_distro_876260.exe
    2007-03-08 21:55 <DIR> d-------- C:\WINDOWS\system32\UpMedia
    2007-03-07 03:10 4,398 --a------ C:\WINDOWS\system32\jqksywizbx.dat
    2007-03-07 03:10 325 --a------ C:\WINDOWS\system32\jqksywizbx_navps.dat
    2007-03-07 03:10 321,024 --a------ C:\WINDOWS\system32\jqksywizbx.exe
    2007-03-07 03:10 215,245 --a------ C:\WINDOWS\system32\jqksywizbx_nav.dat
    2007-03-03 03:37 <DIR> d-------- C:\DOCUME~1\david\Contacts
    2007-03-03 03:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-02-26 22:52 <DIR> d-------- C:\Program Files\Kazaa
    2007-02-26 21:16 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\AdobeAUM
    2007-02-26 03:47 <DIR> d-------- C:\Program Files\Jagermeister
    2007-02-25 21:43 <DIR> d-------- C:\Program Files\Shockwave.com
    2007-02-25 19:59 99,840 --a------ C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
    2007-02-25 19:59 2,400,648 --a------ C:\WINDOWS\system32\madiousb.dll
    2007-02-25 19:59 19,456 --a------ C:\WINDOWS\system32\mausbasio.dll
    2007-02-25 19:59 106,112 --a------ C:\WINDOWS\system32\drivers\mausbft.sys
    2007-02-25 19:59 <DIR> d-------- C:\Program Files\M-Audio Fast Track USB
    2007-02-23 23:28 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
    2007-02-23 23:20 <DIR> d-------- C:\hegames
    2007-02-23 23:15 0 --a------ C:\WINDOWS\PowerReg.dat
    2007-02-23 23:12 <DIR> d-------- C:\Program Files\Infogrames Interactive
    2007-02-23 23:09 <DIR> d-------- C:\DOCUME~1\SARAH~1.HOM\APPLIC~1\MySpace
    2007-02-23 18:11 <DIR> d-------- C:\Program Files\SmartAudioConverter
    2007-02-20 17:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\M-Audio
    2007-02-15 19:06 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-02-15 19:06 <DIR> d-------- C:\Program Files\Avex
    2007-02-15 18:53 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\CyberLink
    2007-02-15 18:49 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\PSP_MMM
    2007-02-15 18:16 <DIR> d-------- C:\Program Files\Datel


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-11 22:50 -------- d-------- C:\Program Files\google
    2007-03-11 20:31 -------- d-------- C:\DOCUME~1\david\APPLIC~1\msn6
    2007-03-11 20:25 -------- d-------- C:\DOCUME~1\david\APPLIC~1\google
    2007-03-11 16:16 -------- d-------- C:\Program Files\quicktime
    2007-03-03 03:36 -------- d-------- C:\Program Files\msn messenger
    2007-02-27 13:58 -------- d--h----- C:\Program Files\installshield installation information
    2007-02-26 23:05 -------- d-------- C:\Program Files\symantec
    2007-02-26 23:05 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-02-26 22:54 0 --a------ C:\WINDOWS\smdat32a.sys
    2007-02-26 22:53 10 --a------ C:\WINDOWS\smdat32m.sys
    2007-02-26 22:09 -------- d-------- C:\Program Files\gamehouse
    2007-02-26 22:05 -------- d-------- C:\Program Files\fruityloops 3.4
    2007-02-26 21:16 -------- d-------- C:\DOCUME~1\david\APPLIC~1\adobe
    2007-02-26 21:14 -------- d-------- C:\Program Files\viewpoint
    2007-02-23 19:30 -------- d-------- C:\Program Files\Common Files\adobe
    2007-02-23 19:28 -------- d-------- C:\DOCUME~1\david\APPLIC~1\adobeum
    2007-02-21 20:58 -------- d-------- C:\Program Files\apple software update
    2007-02-20 19:57 -------- d-------- C:\Program Files\limewire
    2007-02-20 17:25 -------- d-------- C:\Program Files\m-audio
    2007-02-05 20:48 584 --a------ C:\WINDOWS\ereg.dat
    2007-02-05 20:35 -------- d-------- C:\DOCUME~1\david\APPLIC~1\help
    2007-02-05 18:51 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2007-02-05 18:40 -------- d-------- C:\Program Files\maxis
    2007-02-01 20:45 -------- d-------- C:\Program Files\vstplugins
    2007-02-01 20:45 -------- d-------- C:\Program Files\dsound
    2007-02-01 20:45 -------- d-------- C:\Program Files\asio
    2007-02-01 20:19 -------- d-------- C:\DOCUME~1\david\APPLIC~1\dsound
    2007-01-31 02:20 -------- d-------- C:\Program Files\yahoo!
    2007-01-29 13:16 -------- d-------- C:\DOCUME~1\david\APPLIC~1\viewpoint
    2007-01-28 23:24 -------- d-------- C:\Program Files\java
    2007-01-28 23:22 -------- d-------- C:\DOCUME~1\david\APPLIC~1\aim
    2007-01-28 23:21 -------- d-------- C:\Program Files\the weather channel fw
    2007-01-28 15:01 -------- d-------- C:\Program Files\myspace
    2007-01-28 15:01 -------- d-------- C:\DOCUME~1\david\APPLIC~1\myspace
    2007-01-28 11:58 -------- d-------- C:\Program Files\skype
    2007-01-28 11:58 -------- d-------- C:\Program Files\profilewatcher
    2007-01-28 11:58 -------- d-------- C:\DOCUME~1\david\APPLIC~1\skype
    2007-01-25 16:48 -------- d-------- C:\Program Files\image-line
    2007-01-25 14:25 -------- d-------- C:\Program Files\Common Files\aol
    2007-01-25 01:30 -------- d-------- C:\DOCUME~1\david\APPLIC~1\acccore
    2007-01-25 01:29 -------- d-------- C:\Program Files\Common Files\nullsoft
    2007-01-25 01:29 -------- d-------- C:\Program Files\aim6
    2007-01-25 01:28 335 --a------ C:\WINDOWS\nsreg.dat
    2007-01-25 01:28 -------- d-------- C:\DOCUME~1\david\APPLIC~1\mozilla
    2007-01-24 16:27 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
    2007-01-23 20:23 -------- d-------- C:\DOCUME~1\david\APPLIC~1\jasc software inc
    2007-01-23 00:09 -------- d-------- C:\DOCUME~1\david\APPLIC~1\my battle for middle-earth(tm) ii files
    2007-01-22 22:21 -------- d-------- C:\DOCUME~1\david\APPLIC~1\lavasoft
    2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
    2007-01-18 18:09 -------- d-------- C:\Program Files\Common Files\scanner
    2007-01-18 16:53 -------- d-------- C:\Program Files\support.com
    2007-01-18 06:45 -------- d-------- C:\DOCUME~1\david\APPLIC~1\apple computer
    2007-01-18 05:56 -------- d-------- C:\Program Files\windows media connect 2
    2007-01-17 23:34 -------- d-------- C:\Program Files\usa bass
    2007-01-17 23:29 -------- d-------- C:\Program Files\atari
    2007-01-17 23:19 -------- d-------- C:\Program Files\need2find
    2007-01-17 22:26 -------- d-------- C:\Program Files\Common Files\xing shared
    2007-01-17 22:26 -------- d-------- C:\Program Files\Common Files\real
    2007-01-17 22:10 335 --a------ C:\WINDOWS\mozregistry.dat
    2007-01-17 21:43 2951 --a------ C:\WINDOWS\mozver.dat
    2007-01-17 21:24 -------- d-------- C:\Program Files\lavasoft
    2007-01-17 21:17 -------- d---s---- C:\DOCUME~1\david\APPLIC~1\microsoft
    2007-01-12 08:39 409600 --a------ C:\WINDOWS\system32\libcurl.dll
    2007-01-12 08:39 147456 --a------ C:\WINDOWS\system32\libexpat.dll
    2007-01-08 16:30 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
    2006-12-28 14:12 848 --ahsc--- C:\WINDOWS\system32\kgygaavl.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CyberDefender Early Detection Center"="\"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdas23.exe\" /minimize"
    "Aim6"=""
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
    "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "M-Audio Taskbar Icon"="C:\\WINDOWS\\System32\\M-AudioTaskBarIcon.exe"
    "jqksywizbx"="c:\\windows\\system32\\jqksywizbx.exe jqksywizbx"
    "PCTAVApp"="\"C:\\Program Files\\PC Tools AntiVirus\\PCTAV.exe\" /MONITORSCAN"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-03-12 22:58:10
    C:\ComboFix2.txt ... 07-03-12 22:54
     
  8. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only.


    • Save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    ======================================

    Download OTMoveIt by OldTimer and save to your Desktop.
    • Double-click on OTMoveIt.exe to launch the program.
    • Please copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.

      C:\WINDOWS\system32\jqksywizbx_nav.dat
      C:\WINDOWS\system32\jqksywizbx.exe
      C:\WINDOWS\system32\jqksywizbx_navps.dat
      C:\WINDOWS\system32\jqksywizbx.dat
      C:\WINDOWS\system32\UpMedia
      C:\WINDOWS\mirar_distro_876260.exe
    • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
    • Click the red MoveIt! button.
    • The list will be processed and the results for each line will be displayed in the right-hand pane.
    • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
    • Close the program when done.
    • Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

    ====================================

    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete, place a check mark next to the following entries:

    O4 - HKLM\..\Run: [jqksywizbx] "c:\\windows\\system32\\jqksywizbx.exe jqksywizbx"

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

    ====================================

    Panda Activescan
    http://www.pandasoftware.com/products/activescan.htm
    1. Once you are on the Panda site click the Scan your PC button
    2. A new window will open...click the Check Now button
    3. Enter your Country
    4. Enter your State/Province
    5. Enter your e-mail address and click send
    6. Select either Home User or Company
    7. Click the big Scan Now button
    8. If it wants to install an ActiveX component allow it
    9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    10. When download is complete, click on Local Disks to start the scan
    11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
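As an added example (not a tool from this thread or from the HijackThis project), here is a small Python parser for the HijackThis log format posted above: it diffs a before/after scan and flags entries by the names the helper called out (NewDotNet, jqksywizbx, mirar). The sample logs are constructed from the first two logs in the thread, and the line-layout rules are my own reading of the output, not the program's source.

```python
"""Parse HijackThis v1.99.1 log lines and diff a before/after scan.
Constructed sample logs; the parsing rules are my own reading of the format.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Substrings of the names this thread identified as unwanted: the NewDotNet
# BHO and autorun, the jqksywizbx autorun and the Mirar dropper.
THREAD_INDICATORS = ("newdotnet", "new.net", "jqksywizbx", "mirar")


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code: R0, O2, O4, O10, O16, O23, ...
    kind: str     # e.g. "BHO", "HKLM\\..\\Run", "DPF", "Service"
    name: str     # display name or bracketed autorun name ("" if none)
    clsid: str    # COM class id when the line carries one, else ""
    target: str   # file path, URL or command line the entry points at


def parse_line(line):
    """Return an Entry for a finding line, or None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section.startswith("R"):          # R0/R1: "<key>,<value> = <data>"
        name, _, target = body.partition(" = ")
        return Entry(section, "Registry value", name.strip(), "", target.strip())
    kind, _, rest = body.partition(": ")
    if kind == "Global Startup":         # "<shortcut>.lnk = <path>"
        name, _, target = rest.partition(" = ")
        return Entry(section, kind, name.strip(), "", target.strip())
    run = RUN_RE.match(rest)             # O4 autorun: "[Name] <command line>"
    if run:
        return Entry(section, kind, run.group("name"), "", run.group("cmd").strip())
    parts = [p.strip() for p in rest.split(" - ")]
    if len(parts) == 1:                  # e.g. O10 LSP lines carry only a path
        return Entry(section, kind, "", "", parts[0])
    found = CLSID_RE.search(rest)
    clsid = found.group(0) if found else ""
    # Name is the first " - " field that is not the CLSID, parentheses stripped.
    names = [p.replace(clsid, "").strip(" ()") for p in parts[:-1]]
    names = [n for n in names if n]
    return Entry(section, kind, names[0] if names else "", clsid, parts[-1])


def parse_log(text):
    """All finding entries in a pasted log, in order, duplicates collapsed."""
    seen, entries = set(), []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and e not in seen:
            seen.add(e)
            entries.append(e)
    return entries


def _key(e):
    return (e.section, e.name, e.target)


def diff_logs(before, after):
    """(entries gone since the first scan, entries new in the second scan)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a, key=_key), sorted(a - b, key=_key)


def flag(entries, indicators=THREAD_INDICATORS):
    """Entries whose name or target contains one of the indicator substrings."""
    return [e for e in entries
            if any(i in f"{e.name} {e.target}".lower() for i in indicators)]


# Constructed "before" scan: a subset of the first log posted in this thread.
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
"""

# Constructed "after" scan: NewDotNet gone, a QuickTime autorun now present.
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
"""
```

Pasting the full before and after logs from a real case into `BEFORE` and `AFTER` and calling `diff_logs` gives the same removed/added view, with `flag` marking the entries that match the names called out in this thread.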
     
  9. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    OTMoveIt results

    File/Folder C:\WINDOWS\system32\jqksywizbx_nav.dat not found.
    File/Folder C:\WINDOWS\system32\jqksywizbx.exe not found.
    File/Folder C:\WINDOWS\system32\jqksywizbx_navps.dat not found.
    File/Folder C:\WINDOWS\system32\jqksywizbx.dat not found.
    C:\WINDOWS\system32\UpMedia moved successfully.
    C:\WINDOWS\mirar_distro_876260.exe moved successfully.

    ------------------------------------------------------------------------------------------------------

    I did not find a HKLM\..\Run: [jqksywizbx] "c:\\windows\\system32\\jqksywizbx.exe jqksywizbx" file when I scanned with HijackThis,
    but this is what the log had in it:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:39:43 PM, on 3/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\PC Tools AntiVirus\PCTAV.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas23.exe" /minimize
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    -------------------------------------------------------------------------------------------------------
    this is the panda activescan report

    Incident Status Location

    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.winantivirus.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.systemdoctor.com/]
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[www.systemdoctor.com/]
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.errorsafe.com/]
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.winantispyware.com/]
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[go.winantispyware.com/NjM1/2/422/ax=1/ed=1/]
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.winantispyware.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[stats.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[stats.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[www.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.drivecleaner.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[stats.drivecleaner.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.atwola.com/]
    Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.peel.com/]
    Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.anm.co.uk/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.belnk.com/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.dist.belnk.com/]
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.adopt.hbmediapro.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\david\Cookies\[email protected][2].txt
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\pamela.HOME-X9LE8QAMH1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-657ed063-3c23fef8.class
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\pamela.HOME-X9LE8QAMH1\Cookies\[email protected][1].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\pamela.HOME-X9LE8QAMH1\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
    Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\3.bin\N2PLUGIN.DLL
    Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\3.bin\NPND2FN.DLL
    Potentially unwanted tool:application/altnet Not disinfected C:\WINDOWS\smdat32a.sys
    Potentially unwanted tool:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
    Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\jqksywizbx.exe
    Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe[InternetGameBox.exe]
    Adware:Adware/Mirar Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\mirar_distro_876260.exe
    Adware:Adware/Searchtool Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\UpMedia\ContentTool.dll
    Adware:Adware/Searchtool Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\UpMedia\SearchTool.dll
    Adware:Adware/Searchtool Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\UpMedia\uninstallSE.exe
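The ActiveScan report above is a flat three-column listing ("Incident Status Location") in which the status column itself contains a space ("Not disinfected") and the category can too ("Potentially unwanted tool"), so a naive whitespace split mis-parses it. The Python below is an added example, not code from the thread or from Panda; it parses the report into records, separates tracking cookies from files still present on disk, records which user profile each hit lives in, and notes which hits already sit in the OTMoveIt quarantine folder. The sample lines are copied from the report above; the list of status phrases is an assumption.

```python
"""Triage a Panda ActiveScan report (added example, not the thread's own tooling)."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the ActiveScan report
# posted in this thread (raw string so the Windows backslashes survive).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yvxcs13n.default\cookies.txt[stats.drivecleaner.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\pamela.HOME-X9LE8QAMH1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-657ed063-3c23fef8.class
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\3.bin\N2PLUGIN.DLL
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\jqksywizbx.exe
Adware:Adware/Mirar Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\mirar_distro_876260.exe
"""

# Status phrases the scanner prints.  "Not disinfected" contains a space, so
# the line is split with a regex rather than on whitespace.  Assumed list.
STATUS_RE = r"Not disinfected|Disinfected|Deleted|Renamed"
LINE_RE = re.compile(
    rf"^(?P<category>[^:]+):(?P<name>.+?)\s+(?P<status>{STATUS_RE})\s+(?P<location>.+)$"
)
# Folder OTMoveIt moved files into, as seen in the report above.
QUARANTINE_PREFIX = r"c:\_otmoveit\movedfiles"
USER_RE = re.compile(r"^c:\\documents and settings\\([^\\]+)\\", re.IGNORECASE)


def parse_report(text):
    """Return one dict per incident line; header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        loc = rec["location"]
        rec["is_cookie"] = rec["name"].startswith("Cookie/")
        rec["quarantined"] = loc.lower().startswith(QUARANTINE_PREFIX)
        um = USER_RE.match(loc)
        rec["user"] = um.group(1) if um else None
        incidents.append(rec)
    return incidents


def triage(text):
    """Summarise what still needs attention: files on disk that are not cookies
    and have not already been moved to quarantine."""
    incidents = parse_report(text)
    active = [i for i in incidents if not i["is_cookie"] and not i["quarantined"]]
    return {
        "total": len(incidents),
        "cookies": sum(1 for i in incidents if i["is_cookie"]),
        "quarantined": [i["location"] for i in incidents if i["quarantined"]],
        "active_files": [i["location"] for i in active],
        "by_category": dict(Counter(i["category"] for i in active)),
        "users": sorted({i["user"] for i in incidents if i["user"]}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

On the sample, three hits remain active (the ByteVerify class file in a second user's Java cache, the Need2Find plugin and the NaviPromo executable in system32), one is already in quarantine, and two are cookies; the second user profile is worth noting because scanners run from one account often leave another profile untouched.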
     
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    You have an infection that is hiding under a rootkit.

    Download F-Secure Blacklight (blbeta.exe) to your C:\ drive.

    1. Open a command window by going to Start > Run and typing: cmd

    2. Copy/paste or type the following in the command window:

    C:\blbeta.exe /expert

    3. Accept the user agreement.

    4. Click Scan.

    5. After the scan finishes, click on "Next", then Exit.

    6. BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log". Please post that log.
     
  11. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    F-Secure log

    03/13/07 15:42:46 [Info]: BlackLight Engine 1.0.55 initialized
    03/13/07 15:42:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    03/13/07 15:42:47 [Note]: 7019 4
    03/13/07 15:42:47 [Note]: 7005 0
    03/13/07 15:42:59 [Note]: 7006 0
    03/13/07 15:42:59 [Note]: 7011 3516
    03/13/07 15:42:59 [Note]: 7026 0
    03/13/07 15:42:59 [Note]: 7026 0
    03/13/07 15:42:59 [Note]: 7024 3
    03/13/07 15:42:59 [Info]: Hidden process: C:\WINDOWS\system32\knuqzbs.exe
    03/13/07 15:43:06 [Note]: FSRAW library version 1.7.1021
    03/13/07 15:50:38 [Info]: Hidden file: c:\WINDOWS\system32\knuqzbs.dat
    03/13/07 15:50:38 [Note]: 10002 1
    03/13/07 15:50:39 [Info]: Hidden file: C:\WINDOWS\system32\knuqzbs.exe
    03/13/07 15:50:39 [Note]: 10002 1
    03/13/07 15:50:39 [Info]: Hidden file: c:\WINDOWS\system32\knuqzbs_nav.dat
    03/13/07 15:50:39 [Note]: 10002 1
    03/13/07 15:50:39 [Info]: Hidden file: c:\WINDOWS\system32\knuqzbs_navps.dat
    03/13/07 15:50:39 [Note]: 10002 1
    03/13/07 15:52:52 [Note]: 2000 1012
    03/13/07 15:52:52 [Note]: 2000 1012
    03/13/07 15:55:15 [Note]: 7007 0
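The BlackLight log above reports one hidden process and four hidden files sharing the knuqzbs prefix, while the HijackThis logs in this thread show no Run entry for it: the rootkit hides its autostart from tools that read the registry through normal APIs, which is why a HijackThis log alone looks clean. The Python below is an added example, not code from the thread, from F-Secure or from the BFU project; it parses the BlackLight log, groups the hidden artefacts by file-name prefix, checks whether any HijackThis Run or service entry names them, and renders the result in the form of the aftermath.bfu script posted in this thread (the RegDelValue and FileDelete directives and the %SYSDIR% rewrite are copied from that script; that BFU accepts exactly this form is assumed from the thread, not verified). The sample log lines are copied from the thread.

```python
"""Correlate a BlackLight scan with a HijackThis log (added example)."""
import ntpath
import re

# Constructed sample: lines copied from the BlackLight log posted above.
BLACKLIGHT_LOG = r"""
03/13/07 15:42:46 [Info]: BlackLight Engine 1.0.55 initialized
03/13/07 15:42:59 [Note]: 7024 3
03/13/07 15:42:59 [Info]: Hidden process: C:\WINDOWS\system32\knuqzbs.exe
03/13/07 15:50:38 [Info]: Hidden file: c:\WINDOWS\system32\knuqzbs.dat
03/13/07 15:50:38 [Note]: 10002 1
03/13/07 15:50:39 [Info]: Hidden file: C:\WINDOWS\system32\knuqzbs.exe
03/13/07 15:50:39 [Info]: Hidden file: c:\WINDOWS\system32\knuqzbs_nav.dat
03/13/07 15:50:39 [Info]: Hidden file: c:\WINDOWS\system32\knuqzbs_navps.dat
03/13/07 15:55:15 [Note]: 7007 0
"""

# Constructed sample: autostart lines copied from the HijackThis log in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

BL_LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\]: (.*)$")
# Run-key entries only; "O4 - Global Startup: x.lnk = ..." has no [name] and is ignored here.
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")


def parse_blacklight(text):
    """Return (hidden_processes, hidden_files) as lists of lower-cased paths."""
    processes, files = [], []
    for line in text.splitlines():
        m = BL_LINE.match(line.strip())
        if not m or m.group(2) != "Info":
            continue  # [Note] lines carry engine status codes, not findings
        msg = m.group(3)
        if msg.startswith("Hidden process: "):
            processes.append(msg[len("Hidden process: "):].lower())
        elif msg.startswith("Hidden file: "):
            files.append(msg[len("Hidden file: "):].lower())
    return processes, files


def parse_hjt_autostarts(text):
    """Return the autostarts HijackThis could see: (kind, name, command/path)."""
    entries = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            entries.append(("Run", m.group("name"), m.group("cmd")))
            continue
        m = HJT_O23.match(line.strip())
        if m:
            entries.append(("Service", m.group("name"), m.group("path")))
    return entries


def correlate(blacklight_text, hjt_text):
    processes, files = parse_blacklight(blacklight_text)
    entries = parse_hjt_autostarts(hjt_text)
    # Group hidden files by the stem of the hidden process's file name
    # ("knuqzbs" covers knuqzbs.exe, knuqzbs.dat, knuqzbs_nav.dat, ...).
    families = {}
    for p in processes:
        stem = ntpath.splitext(ntpath.basename(p))[0]
        families[stem] = sorted(f for f in files if ntpath.basename(f).startswith(stem))
    # A Run or service entry naming the hidden binary would show the autostart
    # is visible; none here, so the rootkit is hiding its registry value too.
    visible = [e for e in entries for p in processes if ntpath.basename(p) in e[2].lower()]
    return {
        "hidden_processes": processes,
        "families": families,
        "visible_autostarts": visible,
        "stealthed_autostart": bool(processes) and not visible,
    }


def cleanup_script(result):
    """Render the findings as lines in the style of the thread's aftermath.bfu
    (assumption: BFU accepts RegDelValue/FileDelete exactly as that script shows)."""
    lines = []
    for stem, paths in result["families"].items():
        lines.append(rf"RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|{stem}")
        for p in paths:
            head, base = ntpath.split(p)
            lines.append(rf"FileDelete %SYSDIR%\{base}" if head == r"c:\windows\system32"
                         else rf"FileDelete {p}")
    return lines


if __name__ == "__main__":
    result = correlate(BLACKLIGHT_LOG, HJT_LOG)
    print("hidden process(es):", result["hidden_processes"])
    print("autostart hidden from HijackThis:", result["stealthed_autostart"])
    print("\n".join(cleanup_script(result)))
```

The useful signal is the combination: a process that a raw-disk scanner such as BlackLight can see but that no registry-based autostart listing mentions is the fingerprint of a user-mode or kernel-mode rootkit, and the file family it reveals is what the removal script has to cover, prefetch entries included, as the thread's own script does with the `*.pf` line.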
     
  12. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    You will need to print out my instructions because you will need to have all windows closed. Thanks.


    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Copy the part in bold below into notepad and save it as aftermath.bfu
    Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"

    RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\knuqzbs
    RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|knuqzbs
    FileDelete %SYSDIR%\knuqzbs_navps.dat
    FileDelete %SYSDIR%\knuqzbs_nav.dat
    FileDelete %SYSDIR%\knuqzbs.dat
    FileDelete %SYSDIR%\knuqzbs.exe
    FileDelete %SYSDIR%\knuqzbs_m2s.xml
    FileDelete %WINDIR%\knuqzbs.exe-*.pf


    Now use Blacklight in exactly the same way as before, but when it shows the list of the items found, select only this one: 03/13/07 15:42:59 [Info]: Hidden process: C:\WINDOWS\system32\knuqzbs.exe and choose to let Blacklight rename it by clicking the Rename button.
    1. Next to the one entry, "rename" should appear.
    2. Click "Next".
    3. Blacklight will give you a warning asking if you are sure. Click "Yes".
    4. Then it will tell you: "Your computer will reboot now".
    5. Click "Yes". Please reboot into safe mode. Instructions below.

    Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See How to Boot in "SAFE MODE" tutorial if needed.


    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
    • Press Execute and let it do its job.
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    • Reboot back into Normal Mode.

    ====================================

    Please go to Add/Remove Programs and remove the following:
    Need2Findbar

    ====================================

    • Double-click on OTMoveIt.exe to launch the program.
    • Please copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.

      C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe
      C:\WINDOWS\smdat32m.sys
      C:\WINDOWS\smdat32a.sys
      C:\Program Files\Need2Find

    • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
    • Click the red MoveIt! button.
    • The list will be processed and the results for each line will be displayed in the right-hand pane.
    • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
    • Close the program when done.
    • Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

    In your next reply please include a fresh Hijackthis log. Thanks.
     
  13. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    OTMoveIt log

    C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe moved successfully.
    C:\WINDOWS\smdat32m.sys moved successfully.
    C:\WINDOWS\smdat32a.sys moved successfully.
    C:\Program Files\Need2Find\bar\Settings moved successfully.
    Folder move failed. C:\Program Files\Need2Find\bar\History\search scheduled to be moved on reboot.
    C:\Program Files\Need2Find\bar\History moved successfully.
    Folder move failed. C:\Program Files\Need2Find\bar\Cache\010E6698 scheduled to be moved on reboot.
    Folder move failed. C:\Program Files\Need2Find\bar\Cache\010E63E8 scheduled to be moved on reboot.
    C:\Program Files\Need2Find\bar\Cache moved successfully.
    C:\Program Files\Need2Find\bar moved successfully.
    C:\Program Files\Need2Find moved successfully.

    Created on 03/13/2007 22:42:17
    ---------------------------------------------------------------------------------------------------------------
    When I try to remove the Need2Find bar I get this error message:
    Error loading
    C:\PROGRA~1\bar\3.bin\Nd2fnbar.dll
    the specified module could not be found
    -----------------------------------------------------------------------------------------------------------
    HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:16 PM, on 3/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\PC Tools AntiVirus\PCTAV.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\david\Desktop\scan programs\OTMoveIt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas23.exe" /minimize
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     
  14. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Let's make sure the Navipromo rootkit is gone.

    1. Open a command window by going to Start > Run and typing: cmd

    2. Copy/paste or type the following in the command window:

    C:\blbeta.exe /expert

    3. Accept the user agreement.

    4. Click Scan.

    5. After the scan finishes, click on "Next", then Exit.

    6. BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log". Please post that log.
     
  15. davidzane

    davidzane Thread Starter

    Joined:
    Mar 11, 2007
    Messages:
    30
    It said it could not find C:\blbeta.exe/expert
     

Short URL to this thread: https://techguy.org/551264
