Anirey

Requested Logs - NoLop, the AVG AS report, and new Hjt

I have followed Juliet's advice. Ad-Aware and Spybot have been run. Here is my Hjt log. As advised, I have not fixed any findings from the Hjt scan.

 

Logfile of HijackThis v1.99.1

Scan saved at 4:36:34 PM, on 3/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [starter] C:\WINDOWS\system32\STARTER.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Name live] C:\DOCUME~1\Anita\APPLIC~1\INTERN~1\DEFY POP FORK.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Sprint DSL virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {48989C74-D5FC-4F17-BA40-3D825C716836} (clMultiDownLoader Control) - http://mgn.musicgiants.com/cab/mgndownloader.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162949527437

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162949512726

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O20 - AppInit_DLLs: 90.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe


Please download NoLop to the Desktop: http://www.thespykiller.co.uk/forum/index....tpmod;dl=item16

  • Close any programs you have running since a reboot is required
  • Double click NoLop.exe to run it
  • Next, click the button labeled: Search and Destroy

    <<your computer will now be scanned for infected files>>

  • When the scan finishes, if infected, you are prompted to reboot
  • Click OK

  • Now click: REBOOT
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

 

~~~~

Next, download AVG Anti-Spyware:

http://www.ewido.net/en/download/

Locate the icon on the Desktop and double-click it to launch the program.

 

Now, update the definition files:

On the main screen select Update, and then select the Update Now link.

Next, select the Start Update button

(The update starts and a progress bar shows the updates installed.)

 

Once the update completes select: Scanner (the top of the screen)

Select the Settings tab

Once in the Settings screen click on: Recommended actions

Select: Quarantine

Under: Reports, select: Automatically generate report after every scan

Un-Select: Only if threats were found

Close AVG AS for now.

 

~~~~

Reboot to Safe Mode:

-Restart your computer.

-When the machine first starts again, tap the F8 key before Windows starts

-You are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

~~~~

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

Then, go to Start >Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

RecycleBin

Agree to the prompt to perform the action...

 

~~~~

Still in Safe Mode, launch AVG AS once again

Select: Scanner (at the top)

Select the Scan tab

Click on: Complete System Scan

AVG AS begins the scanning process, and it may take a while.

Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!

 

Once the scan is complete, AVG AS lists any infections found.

It also automatically sets the recommended action.

Click: Apply all actions

AVG AS will then display: All actions have been applied

 

Next select: Reports (at the top)

Select: Save report as (lower left of the screen)

Save the report to a text file in a location where you can find it!

Close AVG AS.

 

~~~~

Restart the computer.

 

~~~~

Please provide the following:

The contents of C:\NoLop.log

The AVG AS report

A new HijackThis log


Thanks for your instructions, Aaflac. I downloaded and ran the recommended programs. This post contains the contents of the C:\NoLop.log, the AVG AS report, and a new HijackThis log.

 

Looking forward to your help.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

NoLop! Log by Skate_Punk_21

 

Fix running from: C:\Documents and Settings\Anita\Desktop\Recommended Fixers

[3/12/2007]

[6:13:31 PM]

 

---Infection Files Found/Removed---

C:\WINDOWS\tasks\A2C12E30918AA494.job

 

Beginning Removal...

Rebooting...

Removing Lop's Leftover Files/Folders...

Editing Registry...

**Fix Complete!**

 

---Listing AppData sub directories---

 

C:\Documents and Settings\Default User\Application Data\Microsoft

C:\Documents and Settings\All Users\Application Data\Microsoft

C:\Documents and Settings\All Users\Application Data\Yahoo!

C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

C:\Documents and Settings\All Users\Application Data\Gtek

C:\Documents and Settings\All Users\Application Data\Apple Computer

C:\Documents and Settings\All Users\Application Data\Adobe

C:\Documents and Settings\All Users\Application Data\Ca

C:\Documents and Settings\All Users\Application Data\Nch Swift Sound

C:\Documents and Settings\All Users\Application Data\Ulead Systems

C:\Documents and Settings\All Users\Application Data\Installshield

C:\Documents and Settings\All Users\Application Data\Motive -- EMPTY Directory

C:\Documents and Settings\All Users\Application Data\Aim Army Bird New

C:\Documents and Settings\All Users\Application Data\Snapstream

C:\Documents and Settings\All Users\Application Data\Google Updater

C:\Documents and Settings\Networkservice\Application Data\Microsoft

C:\Documents and Settings\Localservice\Application Data\Microsoft

C:\Documents and Settings\Localservice\Application Data\Adobe

C:\Documents and Settings\Anita\Application Data\Microsoft

C:\Documents and Settings\Anita\Application Data\Identities

C:\Documents and Settings\Anita\Application Data\Help

C:\Documents and Settings\Anita\Application Data\Webshots

C:\Documents and Settings\Anita\Application Data\Macromedia

C:\Documents and Settings\Anita\Application Data\Xnview -- EMPTY Directory

C:\Documents and Settings\Anita\Application Data\Template

C:\Documents and Settings\Anita\Application Data\Lavasoft

C:\Documents and Settings\Anita\Application Data\Sun

C:\Documents and Settings\Anita\Application Data\Leadertech

C:\Documents and Settings\Anita\Application Data\Gtek

C:\Documents and Settings\Anita\Application Data\Adobe

C:\Documents and Settings\Anita\Application Data\Apple Computer

C:\Documents and Settings\Anita\Application Data\Google

C:\Documents and Settings\Anita\Application Data\Adobeum

C:\Documents and Settings\Anita\Application Data\Adobeaum

C:\Documents and Settings\Anita\Application Data\Divx

C:\Documents and Settings\Anita\Application Data\Relevantreach

C:\Documents and Settings\Anita\Application Data\Gear Dvd Standard Edition 7.01

C:\Documents and Settings\Anita\Application Data\Olympus

C:\Documents and Settings\Anita\Application Data\Nch Swift Sound

C:\Documents and Settings\Anita\Application Data\Ulead Systems

C:\Documents and Settings\Anita\Application Data\Avsmedia

C:\Documents and Settings\Anita\Application Data\Vso

C:\Documents and Settings\Anita\Application Data\Earthlink

C:\Documents and Settings\Anita\Application Data\Earthlink Toolbar

C:\Documents and Settings\Anita\Application Data\Deepburner

C:\Documents and Settings\Anita\Application Data\Internetitchbits

C:\Documents and Settings\Anita\Application Data\Deepburner Pro

C:\Documents and Settings\Anita\Application Data\Video Dvd Maker Free

C:\Documents and Settings\Anita\Application Data\Finalburner Data

C:\Documents and Settings\Anita\Application Data\Finalburner Video Dvd

C:\Documents and Settings\Anita\Application Data\Finalburner Audio Cd -- EMPTY Directory

C:\Documents and Settings\Rey\Application Data\Microsoft

C:\Documents and Settings\Rey\Application Data\Macromedia

C:\Documents and Settings\Rey\Application Data\Limewire

C:\Documents and Settings\Rey\Application Data\Lavasoft

C:\Documents and Settings\Rey.sojourner\Application Data\Microsoft

C:\Documents and Settings\Rey.sojourner\Application Data\Identities

C:\Documents and Settings\Rey.sojourner\Application Data\Macromedia

C:\Documents and Settings\Rey.sojourner\Application Data\Limewire

C:\Documents and Settings\Rey.sojourner\Application Data\Divx

C:\Documents and Settings\Rey.sojourner\Application Data\Adobe

C:\Documents and Settings\Rey.sojourner\Application Data\Adobeum -- EMPTY Directory

C:\Documents and Settings\Rey.sojourner\Application Data\Gtek

C:\Documents and Settings\Rey.sojourner\Application Data\Apple Computer

C:\Documents and Settings\Rey.sojourner\Application Data\Xnview -- EMPTY Directory

C:\Documents and Settings\Rey.sojourner\Application Data\Earthlink Toolbar

C:\Documents and Settings\Rey.sojourner\Application Data\Deepburner

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 10:38:56 PM 3/12/2007

 

+ Scan result:

 

 

 

H:\Sept. 2, 2006\DAP\DAPIEBar.dll -> Adware.Dap : No action taken.

C:\WINDOWS\DOWNLO~1\pinstall.dll -> Adware.LookMe : No action taken.

H:\Sept. 2, 2006\Desktop Saves\Desktop\Downloads\SAVEInst.exe -> Adware.SaveNow : No action taken.

H:\Sept. 2, 2006\Downloads\SAVEInst.exe -> Adware.SaveNow : No action taken.

C:\Documents and Settings\Rey.SOJOURNER\Shared\[release] xp professional full version 02.zip/setup.exe -> Hijacker.Agent.hi : No action taken.

H:\Sept. 2, 2006\Desktop Saves\Desktop\Downloads\shell32 6-17-05.zip/f3Setup1.exe -> Not-A-Virus.Downloader.Win32.FunWeb : No action taken.

H:\Sept. 2, 2006\Downloads\shell32 6-17-05.zip/f3Setup1.exe -> Not-A-Virus.Downloader.Win32.FunWeb : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@aavalue[1].txt -> TrackingCookie.Aavalue : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@grouplotto.aavalue[1].txt -> TrackingCookie.Aavalue : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@com[1].txt -> TrackingCookie.Com : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@news.com[1].txt -> TrackingCookie.Com : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@whitepapers.techrepublic.com[2].txt -> TrackingCookie.Com : No action taken.

C:\Documents and Settings\Rey.SOJOURNER\Cookies\rey@com[1].txt -> TrackingCookie.Com : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.

C:\Documents and Settings\Rey.SOJOURNER\Cookies\rey@enhance[2].txt -> TrackingCookie.Enhance : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@www.lop[1].txt -> TrackingCookie.Lop : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@oewabox[2].txt -> TrackingCookie.Oewabox : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@data2.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@anat.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@login.tracking101[2].txt -> TrackingCookie.Tracking101 : No action taken.

C:\Documents and Settings\Anita\Cookies\anita@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.

 

 

::Report end

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:18:06 PM, on 3/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\RamBooster 2.0\Rambooster.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Google\Google Updater\GoogleUpdater.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [starter] C:\WINDOWS\system32\STARTER.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Name live] C:\DOCUME~1\Anita\APPLIC~1\INTERN~1\DEFY POP FORK.exe

O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Sprint DSL virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {48989C74-D5FC-4F17-BA40-3D825C716836} (clMultiDownLoader Control) - http://mgn.musicgiants.com/cab/mgndownloader.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162949527437

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162949512726

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O20 - AppInit_DLLs: 90.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe


Please use the New Reply button at the bottom of the page, and do not start a new post each time you reply. That way we keep everything in one place and it is easier to follow. Thanks! :)

 

~~~~

Also, re-run AVG AS once again, and follow the instructions closely.

It scanned, but it is reporting No action taken on all the entries! That doesn't help you.

 

The items need to show they were quarantined, or cleaned.

 

When done, please post the new results of AVG AS.

 

~~~~

Next, run HijackThis, Scan

Check box for:

 

O4 - HKCU\..\Run: [Name live] C:\DOCUME~1\Anita\APPLIC~1\INTERN~1\DEFY POP FORK.exe

 

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

(You may get an error message on this one, but press on.)

 

Select: Fix checked

 

~~~~

Search for and remove the following folder (bold):

 

C:\Documents and Settings\All Users\Application Data\Internetitchbits

 

~~~~

Restart the computer.

 

~~~~

There is one more entry on the log that calls for further scanning...

 

Please download ComboFix (by sUBs) from one of the following links:

NOTE: In the event you already have ComboFix, this is a new version!!

 

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Save it to the Desktop.

Double-click combofix.exe and follow the prompts.

 

CAUTION: Do not mouse-click ComboFix's window while it is running.

It may cause it to stall.

 

When finished, it produces a report.

 

~~~~

Please provide the contents of the ComboFix report, and a new HijackThis log in your reply.


Aaflac,

I am so very sorry. When reading your response I realized that I had copied the wrong AVG AS report. I had saved a log just prior to fixing, and then saved another afterwards. Here is the AVG AS report I meant to send. Should I go ahead and run it again anyway?

 

Here is what I should have sent last night:

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 10:48:51 PM 3/12/2007

 

+ Scan result:

 

 

 

H:\Sept. 2, 2006\DAP\DAPIEBar.dll -> Adware.Dap : Cleaned with backup (quarantined).

C:\WINDOWS\DOWNLO~1\pinstall.dll -> Adware.LookMe : Cleaned with backup (quarantined).

H:\Sept. 2, 2006\Desktop Saves\Desktop\Downloads\SAVEInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).

H:\Sept. 2, 2006\Downloads\SAVEInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).

C:\Documents and Settings\Rey.SOJOURNER\Shared\[release] xp professional full version 02.zip/setup.exe -> Hijacker.Agent.hi : Cleaned with backup (quarantined).

H:\Sept. 2, 2006\Desktop Saves\Desktop\Downloads\shell32 6-17-05.zip/f3Setup1.exe -> Not-A-Virus.Downloader.Win32.FunWeb : Cleaned with backup (quarantined).

H:\Sept. 2, 2006\Downloads\shell32 6-17-05.zip/f3Setup1.exe -> Not-A-Virus.Downloader.Win32.FunWeb : Cleaned with backup (quarantined).

C:\Documents and Settings\Anita\Cookies\anita@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@grouplotto.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@com[1].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@news.com[1].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@whitepapers.techrepublic.com[2].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Rey.SOJOURNER\Cookies\rey@com[1].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.

C:\Documents and Settings\Rey.SOJOURNER\Cookies\rey@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@www.lop[1].txt -> TrackingCookie.Lop : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@oewabox[2].txt -> TrackingCookie.Oewabox : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.

C:\Documents and Settings\Anita\Cookies\anita@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.

 

 

::Report end


Very good!! :clap:

 

You can remove the files from the AVG AS Quarantine:

-Launch AVG AS and click the Infections button.

-Click the Quarantine tab

-Choose: Select All

-Click: Remove finally

-A window pops up asking "Are you sure you want to remove the selected files...??"

-Select: Yes

 

 

Then, run ComboFix, provide the contents of the ComboFix report, and a new HijackThis log in your reply.

 

 

 

The entry on the HijackThis log that we are pretty sure relates to malware is:

O20 - AppInit_DLLs: 90.dll

 

However, we would like to see if ComboFix picks it up.

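The helper's triage of the two HijackThis logs above rests on a few readable rules: an O4 Run entry that launches from the user's Application Data folder (the [Name live] DEFY POP FORK.exe line), a non-empty O20 AppInit_DLLs value (90.dll), a Winlogon Notify entry whose path is a bare directory (WgaLogon - C:\WINDOWS\), and a service whose binary is reported missing. As an added example, not code from this thread or from the HijackThis project, the Python script below parses lines in HijackThis v1.99.1 format and applies exactly those rules. The sample lines are constructed, modelled on entries quoted in the thread; the Finding class, the rule wording and the high/medium/low severities are the example's own choices, not anything HijackThis itself emits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines in HijackThis v1.99.1 format, modelled on the
# entries quoted in this thread, plus a few benign lines for contrast.
# A raw string cannot end in a backslash, so the Winlogon Notify line
# doubles its backslashes instead of using the r prefix.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"',
    r"O4 - HKCU\..\Run: [Name live] C:\DOCUME~1\Anita\APPLIC~1\INTERN~1\DEFY POP FORK.exe",
    r"O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O20 - AppInit_DLLs: 90.dll",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\",
    r"O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"

# Every HijackThis finding starts with a section tag (R0..R3, O1..O24),
# a " - " separator and the entry body; header and process-list lines do not.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Autostart binaries under a user profile's Application Data folder
# (8.3 short form APPLIC~1 or the long name), where the Lop-style
# entry in this thread lived.
APPDATA_RE = re.compile(r"\\(APPLIC~1|Application Data)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    section: str    # HijackThis section tag, e.g. "O20"
    body: str       # entry text after the section tag
    reason: str     # why the rule fired


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for a HijackThis entry line, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_entry(section: str, body: str) -> Optional[Finding]:
    """Apply the triage rules used in this thread to a single entry."""
    if section == "O4" and "Run:" in body and APPDATA_RE.search(body):
        return Finding("high", section, body,
                       "Run-key autostart launches from a user profile's Application Data folder")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].strip()
        if dlls:
            return Finding("high", section, body,
                           f"AppInit_DLLs is set to {dlls!r}; it is loaded into every process that maps user32.dll")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        path = body.rsplit(" - ", 1)[-1]
        if path.endswith("\\"):
            return Finding("medium", section, body,
                           "Winlogon Notify package resolves to a directory rather than a DLL file")
    if section == "O23" and body.endswith("(file missing)"):
        return Finding("low", section, body,
                       "service is registered but its binary is missing from disk")
    return None


def analyze(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through the rules, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue            # header, running-process path or blank line
        finding = check_entry(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} - {f.body}\n         {f.reason}")
```

Running it on the constructed sample flags four of the seven lines: the Application Data autostart and the AppInit_DLLs value as high, the directory-only Winlogon Notify path as medium, and the missing service binary as low. The Java, Spybot and NVIDIA entries pass untouched, which is the point of writing the rules narrowly rather than flagging every O4 or O23 line.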
