
Permanent Pop Ups - Please help


This topic is locked
5 replies to this topic

#1 Lee Davis (New Member, 3 posts)

Posted 26 April 2006 - 03:54 AM

I have been inundated with pop-ups appearing every minute & now I get a pop-up from www.ad-w-a-r-e.com which cannot be closed & remains on top of all other apps. I have also had the Bloodhound virus alert which leads to a www.amaena.com advert to download Protection Center. I have run Norton, Trend, Spybot & Ad-Aware but still have not got rid of it.

Any assistance will be most gratefully received.

My hijack log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:16, on 26/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Business Objects\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Lee\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 91.0.10.86:8080
O1 - Hosts: 91.0.10.85 unix arista accounts
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [necmenu] C:\DRIVERS\NECMENU\necmenu.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://minisoftinc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA77E53-81EE-4447-ABEC-F833EB46E63F}: NameServer = 91.0.10.79
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\q0nu0a59ed.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#2 Danny_ (Emeritus - The Malware Remover, Authentic Member, 1,323 posts)

Posted 29 April 2006 - 11:23 AM

Hi,

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.
Danny :)
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#3 Lee Davis (New Member, 3 posts)

Posted 03 May 2006 - 06:25 AM

Hi Danny

Thanks for your reply. I have followed your instructions and here are the Look2Me Destroyer and Hijack This logs as requested


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 03/05/2006 12:24:02

Infected! C:\WINDOWS\system32\f6j20g1oe6.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP37\A0006109.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP39\A0006131.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP39\A0006132.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP40\A0006185.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP40\A0006186.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP41\A0006194.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP41\A0006195.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP42\A0006207.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP42\A0006208.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP46\A0006226.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP46\A0006227.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP47\A0006237.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP47\A0006238.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP49\A0006267.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP49\A0006268.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006285.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006286.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006296.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP51\A0006329.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP51\A0006519.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP52\A0006592.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP52\A0006597.dll
Infected! C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP53\A0006601.dll
Infected! C:\WINDOWS\system32\dedskmgr.dll
Infected! C:\WINDOWS\system32\dyquery.dll
Infected! C:\WINDOWS\system32\f6j20g1oe6.dll
Infected! C:\WINDOWS\system32\ktrml7911.dll
Infected! C:\WINDOWS\system32\mvjtes40.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\f6j20g1oe6.dll
C:\WINDOWS\system32\f6j20g1oe6.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP37\A0006109.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP37\A0006109.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP39\A0006131.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP39\A0006131.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP39\A0006132.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP39\A0006132.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP40\A0006185.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP40\A0006185.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP40\A0006186.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP40\A0006186.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP41\A0006194.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP41\A0006194.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP41\A0006195.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP41\A0006195.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP42\A0006207.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP42\A0006207.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP42\A0006208.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP42\A0006208.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP46\A0006226.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP46\A0006226.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP46\A0006227.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP46\A0006227.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP47\A0006237.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP47\A0006237.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP47\A0006238.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP47\A0006238.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP49\A0006267.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP49\A0006267.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP49\A0006268.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP49\A0006268.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006285.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006285.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006286.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006286.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006296.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP50\A0006296.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP51\A0006329.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP51\A0006329.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP51\A0006519.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP51\A0006519.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP52\A0006592.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP52\A0006592.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP52\A0006597.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP52\A0006597.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP53\A0006601.dll
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP53\A0006601.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dedskmgr.dll
C:\WINDOWS\system32\dedskmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dyquery.dll
C:\WINDOWS\system32\dyquery.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f6j20g1oe6.dll
C:\WINDOWS\system32\f6j20g1oe6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktrml7911.dll
C:\WINDOWS\system32\ktrml7911.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvjtes40.dll
C:\WINDOWS\system32\mvjtes40.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D81736D2-2874-4E75-ACC2-C4D70E762A79}"
HKCR\Clsid\{D81736D2-2874-4E75-ACC2-C4D70E762A79}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{318272CC-CB87-4224-B85E-7362E02E1170}"
HKCR\Clsid\{318272CC-CB87-4224-B85E-7362E02E1170}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 12:48:13, on 03/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Business Objects\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lee\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://minisoftinc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA77E53-81EE-4447-ABEC-F833EB46E63F}: NameServer = 91.0.10.79
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
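
The following triage script is an added example for reading the two HijackThis logs in posts #1 and #3; it is not code from the thread, from HijackThis or from Look2Me-Destroyer. The two log excerpts are constructed from lines quoted in those posts (unchanged Symantec and Office lines left out), and the "random-looking name" heuristic, the section choices and the shared-/24 check are the editor's assumptions, not HijackThis rules. It flags the O20 Winlogon Notify entry with the generated DLL name (the Look2Me indicator Danny acted on), lists the O23 "(file missing)" service, groups the proxy, hosts and NameServer entries, and diffs the two logs to show what the cleanup actually changed.

```python
"""Triage of two HijackThis v1.99.1 logs (before and after Look2Me-Destroyer).

Added example: not code from the thread, from HijackThis or from
Look2Me-Destroyer. The heuristics below are the editor's assumptions.
"""
import re
from ipaddress import ip_network

# Constructed excerpts: lines copied from the two logs posted in the thread
# (26/04/2006 and 03/05/2006); unchanged Symantec/Office lines omitted.
BEFORE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 91.0.10.86:8080
O1 - Hosts: 91.0.10.85 unix arista accounts
O4 - HKLM\..\Run: [necmenu] C:\DRIVERS\NECMENU\necmenu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA77E53-81EE-4447-ABEC-F833EB46E63F}: NameServer = 91.0.10.79
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\q0nu0a59ed.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""
AFTER = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA77E53-81EE-4447-ABEC-F833EB46E63F}: NameServer = 91.0.10.79
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.+)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DLL_RE = re.compile(r"([^\\\s]+\.dll)\s*$", re.IGNORECASE)


def parse(log):
    """(section, body) for every HJT entry line; header/process lines skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def looks_random(filename):
    """Assumed heuristic for generated names like q0nu0a59ed.dll: three or
    more digits, or three or more letter/digit switches, in the stem.
    Word-like names the tool also removed (dedskmgr.dll, dyquery.dll) are
    deliberately not caught; this helps read a log, it is not a verdict."""
    stem = filename.rsplit(".", 1)[0].lower()
    digits = sum(c.isdigit() for c in stem)
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return digits >= 3 or switches >= 3


def triage(log):
    """Group the entries a responder reads first. Network items (proxy, hosts,
    DNS) are only collected and checked for a shared /24, not called
    malicious: a Cisco VPN client is installed on this machine and such
    settings can be legitimate intranet configuration."""
    found = {"winlogon_notify": [], "missing_services": [], "network": []}
    for sec, body in parse(log):
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            m = DLL_RE.search(body)
            dll = m.group(1) if m else body
            tag = "random-looking name" if looks_random(dll) else "review"
            found["winlogon_notify"].append({"entry": body, "dll": dll, "tag": tag})
        elif sec == "O23" and "(file missing)" in body:
            # HJT shows this form for a service whose unquoted ImagePath
            # contains spaces ("C:\Program Files\..."), not only for a binary
            # that is really gone; check the path and quote it if so.
            found["missing_services"].append(body)
        elif sec in ("R1", "O1", "O17"):
            for ip in IP_RE.findall(body):
                found["network"].append((sec, ip))
    subnets = {ip_network(f"{ip}/24", strict=False) for _, ip in found["network"]}
    found["same_subnet"] = len(found["network"]) > 1 and len(subnets) == 1
    return found


def diff_logs(before, after):
    """Entries present in only one of the two logs, in original order."""
    b, a = parse(before), parse(after)
    removed = [e for e in b if e not in a]
    added = [e for e in a if e not in b]
    return removed, added


if __name__ == "__main__":
    found = triage(BEFORE)
    for item in found["winlogon_notify"]:
        print(f"O20 [{item['tag']}] {item['dll']}")
    for body in found["missing_services"]:
        print(f"O23 [check ImagePath] {body}")
    print("network settings:", found["network"],
          "(all in one /24)" if found["same_subnet"] else "")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"gone after cleanup: {len(removed)}, new: {len(added)}")
    for sec, body in removed:
        print(f"  - {sec} {body}")
```

Run against the two excerpts, the diff shows the R1 proxy, O1 hosts line and O20 Winlogon Notify DLL gone after cleanup (the hosts entry because Look2Me-Destroyer replaced the hosts file with the Windows default, as its log says), the [necmenu] Run entry also absent (the thread does not say why), and the O17 NameServer and the MySQL service line untouched. The three 91.0.10.x addresses sit in one /24, which reads as one internal network rather than three unrelated hijacks; with mysqld-nt.exe visibly running, the "C:\Program.exe (file missing)" line is the editor's reading of an unquoted service path, a local weakness worth fixing by quoting the path, but that is an inference, not something the thread states.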

#4 Danny_ (Emeritus - The Malware Remover, Authentic Member, 1,323 posts)

Posted 03 May 2006 - 03:37 PM

Hi,

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

If you wish to submit a complaint about malware, please click on the following image:

Posted Image

Have a safe and happy computing day!

Danny :thumbup:

#5 Lee Davis (New Member, 3 posts)

Posted 05 May 2006 - 09:11 AM

Thanks for all your help Danny. The pop-up issue has thankfully now gone!

#6 Danny_ (Emeritus - The Malware Remover, Authentic Member, 1,323 posts)

Posted 06 May 2006 - 09:04 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
