Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved]Ofoto Print@home Activex Control And Outerinfo Popups


  • This topic is locked This topic is locked
14 replies to this topic

#1 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 11:22 AM

I am getting pop ups from some high speed internet thing and outerinfo. In my change/remove programs there is an ofoto print@home activex control that will not let me remove. the error shows the file axhomepr.inf. The pop ups are coming in like crazy and wondering if i could get some help.

Thanks so much.


Logfile of HijackThis v1.99.1
Scan saved at 1:12:02 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USBToolbox\Res.EXE
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PPPATC~1\lsass.exe
C:\Program Files\ISM\ISMModule2.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\??mantec\m?hta.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18FBF4CB-3A09-18FC-7870-35B67A4FA5C6} - C:\WINDOWS\system32\fbocw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\COMMON~1\PPPATC~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Rsf] C:\WINDOWS\system32\??mantec\m?hta.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm565YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.liv...es/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175897635593
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://74.246.6.125/...in/h263ctrl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Edited by michlc203, 12 August 2007 - 11:28 AM.

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 11:26 AM

Hello and welcome to the forums

I don't see a anti-virus program running. Get this free one.

Click HERE and Save, Install, Update and run a full scan.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick while its running. That may cause it to stall

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 11:41 AM

here is the comobfix log

ComboFix 07-08-09.3 - "Owner" 2007-08-12 13:28:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.421 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\logo.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\logoxp.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Screensavers0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\Travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\Games\images\active\Games0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\images\walertXP.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\Movies\images\active\Movies0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\ProductMessagingConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\TimerManagerConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\logo.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\logoxp.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Screensavers0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\Travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\Games\images\active\Games0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\images\walertXP.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\Movies\images\active\Movies0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\ProductMessagingConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\TimerManagerConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\BrowserSearch\BrowserSearch.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\BrowserSearch\BrowserSearch.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Configurator\Configurator.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Configurator\Configurator.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ErrorSearch\ErrorSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Games\GamesOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Games\GamesOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Layouts\PitchLayout.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Layouts\PitchLayout.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Layouts\ToolbarLayout.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Layouts\ToolbarLayout.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Manager\ManagerOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Manager\ManagerOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Movies\MoviesOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Movies\MoviesOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Reference\ReferenceOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Reference\ReferenceOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\RelatedSearch\RelatedSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Screensavers\ScreensaversOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Screensavers\ScreensaversOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\SearchMatch\SearchMatchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\SearchMatch\SearchMatchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Toolbar\TBProductsOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Toolbar\TBProductsOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\TravelSearch\TravelSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\TravelSearch\TravelSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Weather\AlertArchive.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Weather\WeatherOptions.xml
C:\DOCUME~1\Owner\APPLIC~1.\Starware316\Weather\WeatherOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\BrowserSearch\BrowserSearch.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\BrowserSearch\BrowserSearch.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Configurator\Configurator.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Configurator\Configurator.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ErrorSearch\ErrorSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Games\GamesOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Games\GamesOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Layouts\PitchLayout.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Layouts\PitchLayout.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Layouts\ToolbarLayout.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Layouts\ToolbarLayout.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Manager\ManagerOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Manager\ManagerOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Movies\MoviesOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Movies\MoviesOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Reference\ReferenceOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Reference\ReferenceOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\RelatedSearch\RelatedSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Screensavers\ScreensaversOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Screensavers\ScreensaversOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\SearchMatch\SearchMatchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\SearchMatch\SearchMatchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Toolbar\TBProductsOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Toolbar\TBProductsOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\TravelSearch\TravelSearchOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\TravelSearch\TravelSearchOptions.xml.backup
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Weather\AlertArchive.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Weather\WeatherOptions.xml
C:\DOCUME~1\Owner\APPLIC~1\Starware316\Weather\WeatherOptions.xml.backup
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\pppatc~1\?ppPatch\
C:\Program Files\Common Files\pppatc~1\lsass.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\ISMModule2.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\fbocw.dll
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mantec~1\m?hta.exe
C:\WINDOWS\system32\wtssu.exe
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 13:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 10:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
2007-08-05 23:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
2007-08-05 12:35 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-07-31 11:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DiVision Studios - Escaping Atlantis
2007-07-31 00:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Big Fish Games
2007-07-30 17:27 17 --a------ C:\WINDOWS\popcinfo.dat
2007-07-24 16:11 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 23:44 4,096 --a------ C:\WINDOWS\d3dx.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 11:45 --------- d-------- C:\Program Files\Oberon Media
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2005-05-13 21:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 15:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 01:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 23:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 16:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 02:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-05-08 22:45:47 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 14:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 12:32]
"nwiz"="nwiz.exe" [2005-09-18 12:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 12:32]
"CHotkey"="zHotkey.exe" [2004-12-08 21:57 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 21:07 C:\WINDOWS\system32\HdAShCut.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 09:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 15:38 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-09-14 15:38 C:\WINDOWS\ALCMTR.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-03 13:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-31 23:53]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"USB Storage Toolbox"="C:\Program Files\USBToolbox\Res.EXE" [2002-01-15 10:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2005-05-19 17:59]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"Aim6"="" []
"Ealb"="C:\PROGRA~1\COMMON~1\PPPATC~1\lsass.exe" []
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []
"Rsf"="C:\WINDOWS\system32\??mantec\m?hta.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-01-31 23:52:14]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-05-31 13:29:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{283b87f1-92d3-11da-9815-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7132c538-46a8-11dc-b128-00161719a655}]
AutoRun\command- J:\LaunchU3.exe -a


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 13:31:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-12 13:33:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 13:33

--- E O F ---

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 11:55 AM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\popcinfo.dat
C:\PROGRA~1\COMMON~1\PPPATC~1\lsass.exe
C:\WINDOWS\system32\??mantec\m?hta.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ealb"=-
"Rsf"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{283b87f1-92d3-11da-9815-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7132c538-46a8-11dc-b128-00161719a655}]


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 12:10 PM

I am in the process of running the avg free edition scan. i missed doing that before the cleaner and combofix. does that mean i should run the cleaner and the combofix again after that is done scanning?

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 12:14 PM

Run the last fix I posted.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 12:24 PM

i know i ran the combofix but there are no icons for combofix or the script i just saved so i'm not sure how the drag the script to the combofix

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 12:26 PM

i know i ran the combofix but there are no icons for combofix or the script i just saved so i'm not sure how the drag the script to the combofix


Download ComboFix from Here to your Desktop.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 12:40 PM

ok here is the log

ComboFix 07-08-09.3 - "Owner" 2007-08-12 14:34:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.484 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\popcinfo.dat
C:\PROGRA~1\COMMON~1\PPPATC~1\lsass.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\popcinfo.dat


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 13:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 10:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
2007-08-05 23:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
2007-08-05 12:35 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-07-31 11:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DiVision Studios - Escaping Atlantis
2007-07-31 00:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Big Fish Games
2007-07-24 16:11 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 23:44 4,096 --a------ C:\WINDOWS\d3dx.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 11:45 --------- d-------- C:\Program Files\Oberon Media
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2005-05-13 21:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 15:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 01:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 23:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 16:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 02:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-05-08 22:45:47 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 14:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 12:32]
"nwiz"="nwiz.exe" [2005-09-18 12:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 12:32]
"CHotkey"="zHotkey.exe" [2004-12-08 21:57 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 21:07 C:\WINDOWS\system32\HdAShCut.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 09:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 15:38 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-09-14 15:38 C:\WINDOWS\ALCMTR.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-03 13:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-31 23:53]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"USB Storage Toolbox"="C:\Program Files\USBToolbox\Res.EXE" [2002-01-15 10:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-12 13:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2005-05-19 17:59]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"Aim6"="" []
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-01-31 23:52:14]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-05-31 13:29:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGEMS
*Newly Created Service* - AVGTDI
*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 14:35:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 14:36:05
C:\ComboFix-quarantined-files.txt ... 2007-08-12 14:35
C:\ComboFix2.txt ... 2007-08-12 14:26
C:\ComboFix3.txt ... 2007-08-12 13:33

--- E O F ---

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 12:42 PM

Has the anti-virus scan completed?

When it's finished:


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 12:48 PM

yes the scan completed with 3 threats. trojan something.

the computer seems to be fine right now

here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 2:43:42 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USBToolbox\Res.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\bigfix.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm565YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.liv...es/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175897635593
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://74.246.6.125/...in/h263ctrl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 12:54 PM

Only a few leftover resource hogs.

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete this File if listed:
C:\ALCMTR.EXE


After the above:

You can remove any programs / Tools I had you install. Use Add/Remove Programs to remove if listed there otherwise just delete them and empty recycle bin.

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
    You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware.
    You should also scan your computer with this program on a regular basis
    just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.
Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 michlc203

michlc203

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 12 August 2007 - 01:10 PM

thank you so much for your help. i am going to follow your last instructions now. thank you thank you!!!!

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 01:12 PM

Great job :thumbup: You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 August 2007 - 01:12 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users