1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Spyware problems frustrating

Discussion in 'Virus & Other Malware Removal' started by BNL, Feb 6, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    I need some help cleaning up my computer. 1. It is running very slow. 2. I have a red circle with a white x in the bottom right hand, that sends a popup message about every 10 seconds telling me that my computer is infected. 3. Not sure what else is wrong but I suspect there is more than one unwanted spyware files running that I don't know about. Here is a current HiJackthis log. Thanks in advance for your help!

    Logfile of HijackThis v1.99.1
    Scan saved at 7:33:17 PM, on 2/6/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\winstall.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Hijackthis\HijackThis.exe

    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131328379515
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, BNL. :)

    Welcome to TSG.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  3. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    Spyware Doctor Activity Report - Generated on [2/6/2007 9:18:06 PM]



    Spyware Doctor Homepage
    PCTools HomePage
    Technical Support


    Close log


    General Information
    --------------------------------------------------------------------------------
    Spyware Doctor scan started: 2/6/2007 9:15:53 PM
    Spyware Doctor scan finished: 2/6/2007 9:18:06 PM
    Total items scanned: 44416 items
    Total problems found: 11 items
    Total problems ignored: 0 items
    Reference file date: 9/20/2004 10:16:54 PM

    Scan. Tool Details
    --------------------------------------------------------------------------------
    Tools used for the Scan: Process Scanner
    LSP Scanner
    Registry Scanner
    General Scanner
    Browser Scanner
    Cookie Scanner
    Disk Scanner


    Details
    --------------------------------------------------------------------------------
    Problem Name (Location) Problem Type Risk
    Altnet Software (HKLM\SOFTWARE\Microsoft\DownloadManager) Registry *
    C-Dilla (HKLM\SOFTWARE\C07ft5Y) Registry *
    LimeWire (HKLM\software\microsoft\windows\currentversion\uninstall\limewire) Registry *
    Alexa (multiple) general malware *
    SaveNow (multiple) general malware *
    TinyBar (multiple) general malware *
    Tracking Cookie (burl [email protected][2].txt) cookie file *
    Tracking Cookie (burl [email protected][1].txt) cookie file *
    Tracking Cookie (burl [email protected][1].txt) cookie file *
    Tracking Cookie (burl [email protected][1].txt) cookie file *
    Tracking Cookie (burl [email protected][2].txt) cookie file *




    Legend
    --------------------------------------------------------------------------------

    * Very Dangerous Spyware
    * Medium-Risk Spyware
    * Low-Risk Spyware

    Learn more about PCTools at http://www.pctools.com

    Logfile of HijackThis v1.99.1
    Scan saved at 9:28:58 PM, on 2/6/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\winstall.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Hijackthis\HijackThis.exe
    C:\Program Files\Common Files\Dell\EUSW\DSLog.exe
    C:\Program Files\Common Files\Dell\EUSW\DSLog.exe

    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131328379515
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
     
  4. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, BNL :)

    That was not the tool I asked you to run. The computer still infected.
     
  5. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    I think I found the right tool this time. Thank you for your patience.


    SDFix: Version 1.63

    Thu 02/08/2007 - 19:04:23.21

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:

    Path:


    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\winstall.exe - Deleted
    C:\WINDOWS\system32\ksl48.bin - Deleted



    ADS Check:

    C:\WINDOWS\system32
    :cnrp.dll 9728
    Total size: 9728 bytes.

    Removing ADS...

    system32: deleted 9728 bytes in 1 streams.

    Checking for remaining Streams

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Para

    meters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\Documents and Settings\Burl Lambert.D691W241\NetHood\Game Notes on

    www.gomudcats.com\Desktop.ini
    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\hiberfil.sys
    C:\Documents and Settings\Amie Lambert\My Documents\~WRL0001.tmp
    C:\Documents and Settings\Amie Lambert\My Documents\~WRL0003.tmp
    C:\Documents and Settings\Amie Lambert\My Documents\~WRL0883.tmp
    C:\Documents and Settings\Amie Lambert\My Documents\~WRL2343.tmp
    C:\Documents and Settings\Neal Lambert\My Documents\~WRL0003.tmp
    C:\WINDOWS\SYSTEM32\knnmp.tmp
    C:\WINDOWS\SYSTEM32\CONFIG\default.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\software.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\system.tmp.LOG

    Finished

    Logfile of HijackThis v1.99.1
    Scan saved at 7:14:25 PM, on 2/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec

    AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client

    Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec

    AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client

    Firewall\NISSERV.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client

    Firewall\SymPxSvc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client

    Firewall\ATRACK.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Burl

    Lambert.D691W241\Desktop\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper -

    {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

    files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} -

    C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

    c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common

    Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media

    Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common

    Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\Program

    Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch

    Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

    Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer

    6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

    Files\AOL\1129840306\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE"

    /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft

    Money\System\mnyexpr.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel -

    res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

    Advantage Validation Tool) -

    http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

    -

    http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/w

    uweb_site.cab?1131328379515
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX

    Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

    "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program

    Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

    Corporation - C:\Program Files\Common

    Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

    Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec

    Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client

    Firewall\NISSERV.EXE
    O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) -

    Symantec Corporation - C:\Program

    Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) -

    Symantec Corporation - C:\Program

    Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) -

    Symantec Corporation - C:\Program

    Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
     
  6. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, BNL :)

    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\knnmp.tmp

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Post a fresh Hijackthis log and let me know how is the computer doing.
     
  7. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    C:\WINDOWS\SYSTEM32\knnmp.tmp moved successfully.

    Created on 02/08/2007 21:14:38

    Logfile of HijackThis v1.99.1
    Scan saved at 9:15:32 PM, on 2/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131328379515
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
     
  8. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, BNL :)

    Lets make sure Smitfraud is not in your system.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  9. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    SmitFraudFix v2.108

    Scan done at 18:52:23.43, Fri 02/09/2007
    Run from C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Smithfraud\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Burl Lambert.D691W241


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Burl Lambert.D691W241\Application Data

    C:\Documents and Settings\Burl Lambert.D691W241\Application Data\Install.dat FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BURLLA~1.D69\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\PestTrap\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, BNL :)

    You should print these instructions, or copy them to a NotePad file for reading while in Safe Mode.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post a fresh Hijackthis log along with the ActiveScan report.
     
  11. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    SmitFraudFix v2.141

    Scan done at 21:05:08.71, Fri 02/09/2007
    Run from C:\Documents and Settings\Burl Lambert.D691W241\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="csjvg.exe"


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Incident Status Location

    Adware:adware/beginto Not disinfected c:\windows\system32\fns-popup blockerddxad.ico
    Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\NEW VIAGRA at Half Price!.url
    Adware:adware/megatds Not disinfected Windows Registry
    Adware:adware/sbsoft Not disinfected Windows Registry
    Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
    Adware:adware/savenow Not disinfected Windows Registry
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][1].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][1].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Cookies\burl [email protected][1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Desktop\SDFix.exe[SDFix\apps\Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Smithfraud\SmitfraudFix\Process.exe
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Neal Lambert\Cookies\neal [email protected][2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
    Adware:Adware/SpySheriff Not disinfected C:\SDFix\backups\backups.zip[backups/winstall.exe]
    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\INF\ultra.inf
    Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\SYSTEM32\six.exe
    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\ultra\ultra.inf
    Virus:Trj/PWSteal.BP Disinfected C:\WINDOWS\SYSTEM32\ultra\xlibgfl254.dll
    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\xlibgfl254.dll
    Adware:Adware/Kill&Clean Not disinfected C:\WINDOWS\SYSTEM32\{1E1A15ED-2920-4B1C-91F1-CD316326D95C}.exe
    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:37 PM, on 2/9/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131328379515
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
     
  12. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, BNL :)

    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\INF\ultra.inf
      C:\WINDOWS\SYSTEM32\six.exe
      C:\WINDOWS\SYSTEM32\ultra
      C:\WINDOWS\SYSTEM32\xlibgfl254.dll
      C:\WINDOWS\SYSTEM32\{1E1A15ED-2920-4B1C-91F1-CD316326D95C}.exe
      c:\documents and settings\all users\favorites\NEW VIAGRA at Half Price!.url
      c:\windows\system32\fns-popup blockerddxad.ico



    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Post a fresh log and let me know how is the computer doing.
     
  13. BNL

    BNL Thread Starter

    Joined:
    Sep 28, 2004
    Messages:
    74
    My computer is doing very well now. Anything else I need to clean up?

    C:\WINDOWS\INF\ultra.inf moved successfully.
    C:\WINDOWS\SYSTEM32\six.exe moved successfully.
    C:\WINDOWS\SYSTEM32\ultra moved successfully.
    LoadLibrary failed for C:\WINDOWS\SYSTEM32\xlibgfl254.dll
    C:\WINDOWS\SYSTEM32\xlibgfl254.dll NOT unregistered.
    C:\WINDOWS\SYSTEM32\xlibgfl254.dll moved successfully.
    C:\WINDOWS\SYSTEM32\{1E1A15ED-2920-4B1C-91F1-CD316326D95C}.exe moved successfully.
    c:\documents and settings\all users\favorites\NEW VIAGRA at Half Price!.url moved successfully.
    c:\windows\system32\fns-popup blockerddxad.ico moved successfully.

    Created on 02/11/2007 13:00:46

    Logfile of HijackThis v1.99.1
    Scan saved at 1:01:43 PM, on 2/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Burl Lambert.D691W241\Desktop\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129840306\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131328379515
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
     
  14. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, vdmwillie. :)

    Congratulations.[​IMG]

    There is no entry for JAVA in the log. Older versions have vulnerabilities that malware can use to infect your system. The latest version is Version 6.0. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

    Ugrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (Windows XP)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK..

    Create a Restore point:
    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "After Cleanup", then click Create.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    6. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Click Here for some advise from our security Experts.

    Please use the thread's Tools and mark this thread as "Solved".

    Best wishes! [​IMG]
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Spyware problems frustrating
  1. dano_61
    Replies:
    14
    Views:
    688
  2. HaroRider
    Replies:
    12
    Views:
    986
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/541862

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice