Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91600 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Post Virus Problems


  • Please log in to reply
10 replies to this topic

#1 Tom Sellers

Tom Sellers

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 13 March 2007 - 08:22 PM

-had a virus infection Mitglieder.NK
-Ran AVG and GData to clean
-Problems remaining: can't boot into safe mode, cant install Norton or Kaspersky because installation folder is write-protected as soon as it is created.
- Start-cop reported plscd.exe was executing so cleaned the registry of it.
- Here is the logfile subsequent to the above:
(BTW, many thanks to those who devote so much time to helping everyone here)

Logfile of HijackThis v1.97.7
Scan saved at 8:05:40 PM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\WINDOWS\system32\hpb2ksrv.exe
D:\WINDOWS\system32\hpbhksrv.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\WINDOWS\system32\oodag.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\wwSecure.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGSVC.EXE
D:\Program Files\FaxTalk Messenger Pro 7.0\FAPIEXE.EXE
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hpnra.exe
D:\WINDOWS\system32\hpstatus.exe
D:\Program Files\Java\jre1.5.0_09\bin\javaw.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe
D:\WINDOWS\system32\HPBSPSVR.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINDOWS\system32\HPBJDSNT.EXE
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\Program Files\PC Magazine Utilities\Startup Cop Pro\StartupCopPro.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGR32.EXE
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\PROGRA~1\POPFile\popfileib.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\Program Files\BitTorrent\bittorrent.exe
D:\WINDOWS\system32\msiexec.exe
C:\Downloads_2007\Virus Tools\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Scandoo Toolbar - {079AC330-0A09-404c-8CA0-ABAC82F0A312} - D:\Program Files\Scansafe\Scandoo Toolbar\ScandooToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Network Registry Agent] D:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] D:\WINDOWS\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] "D:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk"
O4 - HKLM\..\Run: [FaxTalk Messenger Pro 7.0] "D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [FaxTalk CallControl 7.0] "D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe" /noicon
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [StartupCop Pro Startup Launcher] D:\Program Files\PC Magazine Utilities\Startup Cop Pro\StartupCopPro.exe /startup
O4 - Startup: FaxTalk Messenger Pro 7.0.lnk = ?
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://61.66.158.124:1025/VatDec.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.co...amPlayerOCX.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm....ntent/AcpIR.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 22 March 2007 - 05:45 PM

Hello and Welcome to the Forum.

Please delete any HijackThis Folders and Files you have now.Use Add/Remove Programs and remove HijackThis. What you have now is out dated.

you can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from http://downloads.mal...om/HJTsetup.exe.

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here please use the [Add Reply] button below.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Tom Sellers

Tom Sellers

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 22 March 2007 - 05:58 PM

Thanks,

Just got another SPAM abuse message from Telus so it looks like something is still active.

Logfile of HijackThis v1.99.1
Scan saved at 5:52:45 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\WINDOWS\system32\hpb2ksrv.exe
D:\WINDOWS\system32\hpbhksrv.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
D:\WINDOWS\system32\oodag.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\wwSecure.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGSVC.EXE
D:\Program Files\FaxTalk Messenger Pro 7.0\FAPIEXE.EXE
D:\Program Files\Danware Data\NetOp Remote Control\Host\NHSTW32.EXE
D:\Program Files\Danware Data\NetOp Remote Control\Host\nldrw32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hpnra.exe
D:\WINDOWS\system32\hpstatus.exe
D:\Program Files\Java\jre1.5.0_09\bin\javaw.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe
D:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINDOWS\system32\HPBSPSVR.EXE
D:\Program Files\BitTorrent\bittorrent.exe
D:\WINDOWS\system32\HPBJDSNT.EXE
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\Program Files\PC Magazine Utilities\Startup Cop Pro\StartupCopPro.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGR32.EXE
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\POPFile\popfileib.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
D:\Program Files\Password Administrator\PwdAdmin.exe
D:\PROGRA~1\FAXTAL~1.0\FTPrnSvr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\hh.exe
C:\Program Files\WhereIsIt\WhereIsIt.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Scandoo Toolbar - {079AC330-0A09-404c-8CA0-ABAC82F0A312} - D:\Program Files\Scansafe\Scandoo Toolbar\ScandooToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Network Registry Agent] D:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] D:\WINDOWS\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] "D:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk"
O4 - HKLM\..\Run: [FaxTalk Messenger Pro 7.0] "D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [FaxTalk CallControl 7.0] "D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe" /noicon
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AVKTray] "D:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [StartupCop Pro Startup Launcher] D:\Program Files\PC Magazine Utilities\Startup Cop Pro\StartupCopPro.exe /startup
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: FaxTalk Messenger Pro 7.0.lnk = ?
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI

RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI

RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI

RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://61.66.158.124:1025/VatDec.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.co...amPlayerOCX.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm....ntent/AcpIR.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVKProxy - G DATA Software AG - D:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: FaxTalk Messenger Pro 7.0 - Thought Communications, Inc. - D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status - Hewlett-Packard Company - D:\WINDOWS\system32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - D:\WINDOWS\system32\hpbhksrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NetOp Helper ver. 9.00 (2006157) (NetOp Host for NT Service) - Danware Data A/S - D:\Program Files\Danware Data\NetOp Remote

Control\Host\NHOSTSVC.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec2\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec2\Rtvscan.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - D:\WINDOWS\system32\wwSecure.exe

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 22 March 2007 - 06:04 PM

Before posting a new HJT log, please uncheck Word Wrap in Notepad.

Your log isn't showing anything so we'll have to search and see what we find.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download AVG Anti-Spyware from HERE and save that file to your
desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition
    files.
  • On the main screen select the icon "Update" then select the "
    Update now
    " link.
    • Next select the "Start Update" button, the update will start and a
      progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of
    the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then
    select " "Quarantine" .".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting
    your computer and continually tapping the F8 key until a menu appears.

    Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or
    programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab
    then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little
    time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all
    actions
    "
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the
    screen and save it to a text file on your system (make sure to remember where
    you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the
    results of the AVG Anti-Spyware report scan along with a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 Tom Sellers

Tom Sellers

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 22 March 2007 - 07:09 PM

Thanks for that, herein lies the problem. THe nature of that virus was to disable my ability to boot into safe mode. Following serval posts I found about this problem I tried to clean the registry etc., but so far I have still been unable to boot into safe mode. THis virus also disables your ability to install some anti virus programs, such as Norton and Kaspersky. However, there may be another option. I am able to booot onto WIndows 2003 Server on this machine, maybe I can get into safe mode and scan the drives that way.

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 22 March 2007 - 07:10 PM

Scan in Normal Mode if you have to

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 Tom Sellers

Tom Sellers

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 23 March 2007 - 09:51 AM

Thanks again for looking at this.

I did the following:

Booted into Safe mode with Win3K on the same machine and did an entire system scan, AVG Report #1. Then I went back onto XP in normal mode because I cannot boot into safe mode, and did a scan of the registry and memory, AVG report #2. THen I did a new Hijack log as instructed, Report #3:

#1:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:10:06 AM 3/23/2007

+ Scan result:



C:\Program Files\BullsEye Network -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\ad.dat -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\bin -> Adware.BargainBuddy : Cleaned with backup (quarantined).
HKU\S-1-5-21-3846604387-264088977-1085992075-500\Software\LocalNRD -> Adware.BetterInternet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WinCommX.Installer -> Adware.BlazeFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WinCommX.Installer\CLSID -> Adware.BlazeFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-3846604387-264088977-1085992075-500\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\ISTsvc -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ISTactivex.Installer -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ISTactivex.Installer.2 -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ISTactivex.Installer.2\CLSID -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ISTactivex.Installer\CLSID -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ISTactivex.Installer\CurVer -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Adware.ISTBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-3846604387-264088977-1085992075-500\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator.NS3\Start Menu\Programs\Power Scan -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\Program Files\Power Scan -> Adware.PowerScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO -> Adware.VX2 : Cleaned with backup (quarantined).
D:\Documents and Settings\John.MPARAM-2006\Desktop\PDA Programs\AVS Video Tools\AVS Video Tools 5.2.2.25 Fr Incl. AVS Vidéo Converter 4.4.2.393 + WinAVI Video Converter 7.1.1 Fr + FairUse Wizard 2.4 Fr + VirtualDub 1.6.9 Fr\FairUse Wizard 2.4 Fr.exe -> Logger.Ransom.a : Cleaned with backup (quarantined).
D:\Documents and Settings\John.MPARAM-2006\Desktop\PDA Programs\FairUse Wizard\FairUse.Wizard.v2.5.Multilingual-DVT\Setup\Setup.exe -> Logger.Ransom.a : Cleaned with backup (quarantined).
C:\Downloads 2006-2\Quickbooks and Quicktax 2006\Quicktax 2005.zip/Quicktax 2006/quicktax 2005 crack (2006.1.16) Volume ID=18D7-5FED.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
F:\MicroDrive\Quicktax2005\Crack\QuickTax 2005 (2006.2.13) Final Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
F:\MicroDrive\Quicktax2005\Crack\quicktax 2005 crack (2006.1.16) Volume ID=18D7-5FED.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\Documents and Settings\John.MPARAM-2006\Local Settings\Temp\Cookies\john@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\John.MPARAM-2006\Local Settings\Temp\Cookies\john@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
F:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\Low\john@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator.NS3\Cookies\administrator@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator.NS3\Cookies\administrator@ehg-mybc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator.NS3\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\John.MPARAM-2006\Local Settings\Temp\Cookies\john@ehg-superwarehouse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\John.MPARAM-2006\Local Settings\Temp\Cookies\john@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\John.MPARAM-2006\Local Settings\Temp\Cookies\john@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

Report #2:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:33:49 AM 3/23/2007

+ Scan result:



D:\Documents and Settings\John.MPARAM-2006\Cookies\john@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
D:\Documents and Settings\John.MPARAM-2006\Cookies\john@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.


::Report end

Report #3:
Logfile of HijackThis v1.99.1
Scan saved at 9:45:45 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\WINDOWS\system32\hpb2ksrv.exe
D:\WINDOWS\system32\hpbhksrv.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\WINDOWS\system32\oodag.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\wwSecure.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGSVC.EXE
D:\Program Files\FaxTalk Messenger Pro 7.0\FAPIEXE.EXE
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hpnra.exe
D:\WINDOWS\system32\hpstatus.exe
D:\Program Files\Java\jre1.5.0_09\bin\javaw.exe
D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe
D:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\BitTorrent\bittorrent.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\Program Files\PC Magazine Utilities\Startup Cop Pro\StartupCopPro.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\WINDOWS\system32\HPBSPSVR.EXE
D:\WINDOWS\system32\HPBJDSNT.EXE
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\PROGRA~1\POPFile\popfileib.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Scandoo Toolbar - {079AC330-0A09-404c-8CA0-ABAC82F0A312} - D:\Program Files\Scansafe\Scandoo Toolbar\ScandooToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Network Registry Agent] D:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] D:\WINDOWS\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] "D:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk"
O4 - HKLM\..\Run: [FaxTalk Messenger Pro 7.0] "D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [FaxTalk CallControl 7.0] "D:\Program Files\FaxTalk Messenger Pro 7.0\FTClCtrl.exe" /noicon
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AVKTray] "D:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [StartupCop Pro Startup Launcher] D:\Program Files\PC Magazine Utilities\Startup Cop Pro\StartupCopPro.exe /startup
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: FaxTalk Messenger Pro 7.0.lnk = ?
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://61.66.158.124:1025/VatDec.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.co...amPlayerOCX.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm....ntent/AcpIR.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVKProxy - G DATA Software AG - D:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: FaxTalk Messenger Pro 7.0 - Thought Communications, Inc. - D:\Program Files\FaxTalk Messenger Pro 7.0\FTMSGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status - Hewlett-Packard Company - D:\WINDOWS\system32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - D:\WINDOWS\system32\hpbhksrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NetOp Helper ver. 9.00 (2006157) (NetOp Host for NT Service) - Danware Data A/S - D:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec2\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec2\Rtvscan.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - D:\WINDOWS\system32\wwSecure.exe

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 23 March 2007 - 03:22 PM

I suggest you do this:


With AVG Anti-Spyware, if you click on the Infections icon, then it will show you all the items in Quarrantine and you can remove them that way. Just click Select All (if all of the items in quarrantine need removing) then Remove Finally

Please do not delete anything unless instructed to.

Fix this dead one.

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close ALL windows and browsers except HijackThis and click "Fix checked"



Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 Tom Sellers

Tom Sellers

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 23 March 2007 - 09:22 PM

Thanks for that. Completed actions as described above. Then tested some previous problems: -Cannot boot into safe mode. -Popfile causes BSOD when executed or reinstalled. -If you try to install Norton or Kaspersky, as soon as the program creates a folder to install to, it makes the folder read only. Attempts to change attributes do not work. -IE Browser window loses and regains focus while you are typing into it. -Received another SPAM complaint that my IP is being used as a SPAM server yesterday from the ISP. These problems all remain unfortunately. Wondering if these can be problems left over from previous infection, or if the virus is still present. In the case of something preventing the attributes on any folder Symantec or Kaspersky tries to create, seems to indicate something is still active. However, I also have to consider whether the only remaining option is to reinstall an OS and start from scratch, however even in that case, would I be reintroducing the same problem if the virus is still hiding in my data or some program files.

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 March 2007 - 06:32 AM

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 31 March 2007 - 05:03 AM

How are you doing with the fix?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users