Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

P

pschulz2006

13 Posts

3311

April 21st, 2007 16:00

Yellow Triangle with Exclamation Mark, Red Circle with Line Through and Pop-ups Warning of Infection

Thank you in advance for any help with my issues being:
 
- slow system;
- slow browser operation (general, opening main I.E. screen, opening pages).  Using I.E. 7;
- momentary cursor lock-ups;
- hard drive constantly running
- weird Task Bar icons (Yellow Triangle with Exclamation Mark with pop-up message "System Performance monitor: Warning), Bue and white circle with "?" changing to red circle with line through it;
- Browser not opening to home page but to http://asecurityview.com;
- Pop-up warnings, small error message style screens with "?" in top left stating Notice: If your computer has errors in registry..., or your system is probably infected with latest version of spyware.CyberLox-X..., or Warning, W32.Myzor.FK@yf is a virus;
- Browser screen pop-up on own "Monaco Gold Casino", Porn pictures, and "Install-Errorprotector-Free.cab" after closing Pop-up warnings noted above.
 
Thanks again for any help.
 
Paul
 
 
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:09:04 AM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.078\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Object\pmsnrr.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: frisbee - {abef791f-947e-4cdf-83c3-e72a240afb67} - C:\WINDOWS\system32\ygjun.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 9960 bytes

Bugbatter

20.5K Posts

April 21st, 2007 17:00

Hi, pschulz2006,

We are reviewing your log and will reply soon. In the meantime, please repost your log with HijackThis version 1.99.1. The version of HijackThis that you are using is a BETA version.
Please delete the BETA 2.00 version and click HERE OR HERE to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Open Notepad > Click on Format > Uncheck Word wrap, if checked.
  • Double-click on the desktop icon for HJTsetup.exe.
  • By default it will install to C:\Program Files\HijackThis.
  • Continue to click Run/Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and HijackThis will launch.
  • Close any/all browser, messenger, mediaplayer, Office and mail client windows and applications.
  • Click on the Do a system scan and save a logfile button; HijackThis will then scan and a log showing the results should open in Notepad.
  • Click on Edit > Select All (or CTRL+A) then click on Edit > Copy (or CTRL+C) to copy the contents of the log to your clipboard.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet.
  • Most of what it finds will be harmless or even required.
  • Make certain you post the entire log, please.

pschulz2006

13 Posts

April 21st, 2007 17:00

Thank you for your help.  Sorry for the Beta version thought it was newer version than posts noted.  Will download version noted and post log.
 
Paul

pschulz2006

13 Posts

April 21st, 2007 17:00

New Log file as requested.
 
Logfile of HijackThis v1.99.1
Scan saved at 12:39:16 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 

ZAGuru_Hoov

297 Posts

April 21st, 2007 18:00

Hi my name is Hoov and I will be helping you get your system clean, but I must ask you to do a few things right at the beginning. First, do everything I suggest and nothing more. If something goes wrong, or doesn't work correctly, let me know. This will aid in the troubleshooting process. Second, stick the removal out till the end. This is important even if your computer starts acting normally. I will help get everything off, and make sure that you will be protected in the future, so the whole process is important. I am tearing into your log right now, as soon as I have something for you to do, I will post it up here.
 

pschulz2006

13 Posts

April 22nd, 2007 01:00

Thank you.  I look forward to hearing from you.
 
Paul

ZAGuru_Hoov

297 Posts

April 22nd, 2007 04:00

Please download SmitfraudFix (by S!Ri) to your Desktop.

_____________________________
Download : Download AVG Anti-Spyware 7.5 and save that file to your desktop.

This is a 30 day trial of the program
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Select “Change state" to inactivate 'Resident Shield' and 'Automatic Updates'
Right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc

  • Press "OK".
    In Services, click the "Extended tab" and scroll down the list to find AVG anti-spyware 7.5 guard.
    When you find the guard service, double-click on it.
    In the Properties Window > General Tab that opens, click the "Stop" button.
    From the drop-down menu next to "Startup Type", click on "Manual".
    Now click "Apply", then "OK" and close the Services window.
    Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    On the main screen select the icon "Update" then select the "Update now" link.


    • Next select the " Start Update" button, the update will start and a progress bar will show the updates being installed.
      If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

    Once the update has completed select the " Scanner" icon at the top of the screen, then select the " Settings" tab.
    Once in the Settings screen click on " Recommended actions" and then select " Quarantine".
    Under " Reports"

    • Select " Automatically generate report after every scan"
      Un-Select " Only if threats were found"
      ___________________________
      Double-click smitfraudfix.exe
      Select option #1 - Search by typing 1 and press Enter
      This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
      Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
      [url=http://www.beyondlogic.org/consulting/processutil/processutil.htm[/url]
      IMPORTANT: Do NOT run any other options until you are asked to do so!
       
       
      The new post will have the AVG log, the log from smitfraudfix (rapport.txt) and a new Hijackthis log.

pschulz2006

13 Posts

April 23rd, 2007 04:00

HiJackThis report
 
Logfile of HijackThis v1.99.1
Scan saved at 11:25:09 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 

pschulz2006

13 Posts

April 23rd, 2007 04:00

Smitfraud Report
 
SmitFraudFix v2.171
Scan done at 23:24:08.71, Sun 04/22/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ygjun.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1
C:\DOCUME~1\user\FAVORI~1\Online Security Test.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\SpywareLocked 3.4\ FOUND !
C:\Program Files\Video ActiveX Object\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{abef791f-947e-4cdf-83c3-e72a240afb67}"="frisbee"
[HKEY_CLASSES_ROOT\CLSID\{abef791f-947e-4cdf-83c3-e72a240afb67}\InProcServer32]
@="C:\WINDOWS\system32\ygjun.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{abef791f-947e-4cdf-83c3-e72a240afb67}\InProcServer32]
@="C:\WINDOWS\system32\ygjun.dll"
 
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
 
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 64.59.135.133
DNS Server Search Order: 64.59.135.135
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE78F457-A2A8-4D75-84BE-4B84E1DA9856}: DhcpNameServer=64.59.135.133 64.59.135.135
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE78F457-A2A8-4D75-84BE-4B84E1DA9856}: DhcpNameServer=64.59.135.133 64.59.135.135
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE78F457-A2A8-4D75-84BE-4B84E1DA9856}: DhcpNameServer=64.59.135.133 64.59.135.135

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 

pschulz2006

13 Posts

April 23rd, 2007 04:00

Hi,
 
I was not totally sure if I was to run a scan in AVG after all the setups you noted but that was what I did.  The report generated is as follows.  As well the Smitfraud and HiJackthis reports.
 
Thanks again for helping me with this!
 
Apparently the reports are to long for the message body so I will post the Smitfraud and hiJackThis as seperate posts.
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 11:22:52 PM 4/22/2007
 + Scan result: 
 
C:\WINDOWS\Downloaded Program Files\flash.inf -> Adware.BetterInternet : No action taken.
HKU\S-1-5-21-823518204-492894223-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : No action taken.
C:\Program Files\Video ActiveX Object -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\iesuninst.exe -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\isadd.dll -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\isunst.exe -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\ot.ico -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\pmmnt.exe -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\pmsnrr.exe -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\pmunst.exe -> Adware.Generic : No action taken.
C:\Program Files\Video ActiveX Object\ts.ico -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.Generic : No action taken.
HKU\S-1-5-21-823518204-492894223-725345543-1003\Software\Internet Security -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031449.ini -> Adware.Qworke : No action taken.
C:\Program Files\SpywareLocked 3.4\SpywareLock.exe -> Adware.SpyLocked : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031333.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031377.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031386.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031500.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031701.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031712.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031786.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031793.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031824.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031856.exe -> Downloader.Zlob.atg : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031334.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031378.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031387.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031501.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031700.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031711.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031785.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031794.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031823.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031855.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031868.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031874.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP494\A0031914.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP494\A0031926.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP495\A0031997.exe -> Downloader.Zlob.aus : No action taken.
[2592] C:\Program Files\Video ActiveX Object\pmmnt.exe -> Downloader.Zlob.aus : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031860.exe -> Downloader.Zlob.azm : No action taken.
[2444] C:\Program Files\Video ActiveX Object\pmsnrr.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031332.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031376.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031385.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031499.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031699.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031710.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031784.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031792.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031822.dll -> Downloader.Zlob.yt : No action taken.
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031854.dll -> Downloader.Zlob.yt : No action taken.
[844] C:\Program Files\Video ActiveX Object\isadd.dll -> Downloader.Zlob.yt : No action taken.
C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\user\Cookies\user@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
C:\WINDOWS\system32\ygjun.dll -> Trojan.Renos.nav : No action taken.
[1736] C:\WINDOWS\system32\ygjun.dll -> Trojan.Renos.nav : No action taken.

::Report end
 
 

ZAGuru_Hoov

297 Posts

April 23rd, 2007 23:00

About AVG, sorry, my mistake. But its no biggie. You will need to do another scan later, when instructed. :smileywink:

ZAGuru_Hoov

297 Posts

April 24th, 2007 22:00

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

_____________________________
Once in Safe Mode, double-click the SmitfraudFix.exe again.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question " Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Clean out your Temporary Internet files. Proceed like this:

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin_____________________________
Close ALL open Windows / Programs / Folders. Close ALL open Windows / Programs / Folders.

  • While in Safe Mode, Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.

    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?
    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done, reboot your system back into Normal Mode.

_____________________________
Please post:
  1. c:\rapport.txt
  2. AVG AS log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

pschulz2006

13 Posts

April 25th, 2007 03:00

WOW, this is definetly more involved than my ignorant opion first thought!  Thanks againf ro your help on this!
 
Just a couple of quick comments before I start posting the reports.  In the Temporary Internet Files, there is no Delete all offline content so I just deleted all files noted.  As well I "Reset Internet Explorer Settings" on the Advanced Tab, there was nothing on the Programs tab.  Assuming that is correct.  If not please advise correct action for me to complete.
 
There were no webpages one the Customize Desktop button so did nothing there.
 
Lastly, when started Internet Explorer in normal mode a screen "Welcome to Internet Explorer 7 ( http://runonce.msn.com/runonce2.aspx) came up and required I select a search provider, options were Yahoo or a list, left as Yahoo.  Also asked about turning on Phishin Filter, ignored but question came up again when tried to go to home page so said yes to turn it on.  Also changed location to English (Canada) if that is any concern.
 
SmitFraudFix v2.171
Scan done at 20:25:57.64, Tue 04/24/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{abef791f-947e-4cdf-83c3-e72a240afb67}"="frisbee"
[HKEY_CLASSES_ROOT\CLSID\{abef791f-947e-4cdf-83c3-e72a240afb67}\InProcServer32]
@="C:\WINDOWS\system32\ygjun.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{abef791f-947e-4cdf-83c3-e72a240afb67}\InProcServer32]
@="C:\WINDOWS\system32\ygjun.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\ygjun.dll -> Hoax.Win32.Renos.gen.l
C:\WINDOWS\system32\ygjun.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\user\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\SpywareLocked 3.4\ Deleted
C:\Program Files\Video ActiveX Object\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE78F457-A2A8-4D75-84BE-4B84E1DA9856}: DhcpNameServer=64.59.135.133 64.59.135.135

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
 

pschulz2006

13 Posts

April 25th, 2007 03:00

Logfile of HijackThis v1.99.1
Scan saved at 10:09:09 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 

pschulz2006

13 Posts

April 25th, 2007 03:00

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 9:47:16 PM 4/24/2007
 + Scan result: 
 
C:\WINDOWS\Downloaded Program Files\flash.inf -> Adware.BetterInternet : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-492894223-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-492894223-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031449.ini -> Adware.Qworke : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032119.exe -> Adware.SpyLocked : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031333.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031377.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031386.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031500.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031701.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031712.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031786.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031793.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031824.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031856.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031334.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031378.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031387.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031501.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031700.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031711.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031785.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031794.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031823.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031855.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031868.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031874.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP494\A0031914.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP494\A0031926.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP495\A0031997.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP495\A0032008.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP495\A0032018.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032090.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032106.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032124.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032120.exe -> Downloader.Zlob.auu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032126.exe -> Downloader.Zlob.auu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031860.exe -> Downloader.Zlob.azm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032125.exe -> Downloader.Zlob.bov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031332.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031376.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031385.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP490\A0031499.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031699.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP491\A0031710.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031784.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031792.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP492\A0031822.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP493\A0031854.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032121.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4427B43-C903-4A17-8548-F07554798AD4}\RP496\A0032116.dll -> Trojan.Renos.nav : Cleaned with backup (quarantined).

::Report end
 

pschulz2006

13 Posts

April 27th, 2007 21:00

Did those reports check out ok?

View More

View All

No Events found!

Top