Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91637 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] The slowest computer on this planet


  • This topic is locked This topic is locked
18 replies to this topic

#1 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 08:58 AM

Hello again guys. My computer got infested with deadly viruses recently, and with LDTate's help i got it fixed and its working perfectly fine!
Want to say thanks!
I have got another computer however, and this ones realllyyy slow and loaded with all sorts of rubbish softwares. I dont know which ones to delete and which ones to keep. Most of the times i dont delete them in case other important windows softwares start to malfunction ( it happened once before when i uninstalled norton i think). So yeah this computer is well slow and its most probably a nesting ground for malwares and spywares and so on.

I have followed all the ''before u post your hijackthis logs'' steps, downloaded ATFcleaner and ran that, downloaded malwarebytes and scanned the system with that, found a couple of infections, deleted them. Also ran HijackThis and got the log, which i am gonna post below.
Could you please tell me any further steps that i need to take and also which softwares i can remove from this system safely? Thanks. Really appreciate your efforts man.


My HijackThis log:






Logfile of HijackThis v1.99.1
Scan saved at 15:57:57, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://search.presar.../srchredir2.dll?

c=3C01&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = 60.208.64.177:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-

0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00407B69-3B29-4AC2-98BF-7999AC07467A} -

(no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-

7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-

784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0

\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {144C0D53-A7AA-46F3-B655-90FA4C347AA1} -

(no file)
O2 - BHO: (no name) - {15FEE496-CDD0-468A-9182-BAE8FF3451AA}

- (no file)
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-

000000000000} - C:\Program Files\Common Files\ReGet

Shared\Catcher.dll
O2 - BHO: (no name) - {1A2BAE59-2A27-4356-8DD6-175B7A35B229} -

(no file)
O2 - BHO: (no name) - {2295D587-1F1F-46AB-A0E1-3D395AAA9029} -

(no file)
O2 - BHO: (no name) - {2C114700-A1D0-4B38-90A0-1FAE7BC66193} -

(no file)
O2 - BHO: (no name) - {2CED0917-F106-4D7A-BE28-81458160C549} -

(no file)
O2 - BHO: (no name) - {2E801EEA-8505-4446-B669-8482086A1EF1} -

(no file)
O2 - BHO: (no name) - {3475BF32-38F6-4B70-9EC4-73DBF2D42F0D} -

(no file)
O2 - BHO: (no name) - {37458183-DD8B-4FF9-A79E-8CDF42896563} -

(no file)
O2 - BHO: (no name) - {3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0}

- (no file)
O2 - BHO: (no name) - {42A64A3F-C28D-41B7-90FF-FBDD03F3EBE2}

- (no file)
O2 - BHO: (no name) - {4501E05F-E0B8-4FCC-9513-059EE3A1D728} -

(no file)
O2 - BHO: (no name) - {4CD1A1E1-2031-472E-9A9A-EEC2698AC3E9}

- (no file)
O2 - BHO: (no name) - {4F392267-B6EF-4CA4-8AAF-ED1749373D34} -

(no file)
O2 - BHO: (no name) - {610DCB11-58EE-4FAC-91A1-2F62E6E7FC8A}

- (no file)
O2 - BHO: (no name) - {61B7CF66-2E6C-4384-9BC0-E9BA6C2D3D6C}

- (no file)
O2 - BHO: (no name) - {65B03447-D095-428B-B6FF-5236CBD7A209} -

(no file)
O2 - BHO: (no name) - {66AE2F28-F579-43D9-9938-4505B3840A55} -

(no file)
O2 - BHO: (no name) - {6A3995D8-0E7C-445D-9F03-2104752614C8} -

(no file)
O2 - BHO: (no name) - {6C78A124-AD16-4DE9-8D72-CEF30903B883} -

(no file)
O2 - BHO: (no name) - {6CB3CB69-A491-4DC6-987E-A3A0A968B18B}

- (no file)
O2 - BHO: (no name) - {6E534804-782C-4613-9085-2EE3A885AF2C} -

(no file)
O2 - BHO: (no name) - {7234F4D3-FABF-4DAB-ACF6-2E44AD51F22E}

- (no file)
O2 - BHO: (no name) - {72924C96-0059-43A6-B3F6-A5546707A2E3} -

(no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-

D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {77D5C4D1-6D0C-4B17-8725-A1CB396C50E0}

- (no file)
O2 - BHO: (no name) - {7C227956-D1F1-4D5D-B0D5-2F541A7B1D3C}

- (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} -

(no file)
O2 - BHO: (no name) - {83930191-B0E7-47FE-8DDC-1C44F02945F9} -

(no file)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} -

C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: (no name) - {85B406C2-9D6F-495C-A48F-6B01B128EE9D} -

(no file)
O2 - BHO: wssclient - {8D99D2A3-317C-4929-8A5D-21140259D93A} -

c:\PROGRA~1\wss.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-

8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ACD96C1-754A-4557-8C13-2725253B3536} -

(no file)
O2 - BHO: (no name) - {9C9ABD32-87DC-4327-BEAE-

E3CCC73F93A5} - (no file)
O2 - BHO: (no name) - {A2C8C327-9822-4537-B8C0-B0590CCCAA10}

- (no file)
O2 - BHO: (no name) - {A332DE9A-BC6B-4AF9-9A59-388FAF93E681}

- (no file)
O2 - BHO: (no name) - {A47862A2-4AE6-4572-9026-4C41D347D4B4} -

(no file)
O2 - BHO: (no name) - {A7853404-E817-4419-9311-B947CCC3098E} -

(no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

(no file)
O2 - BHO: (no name) - {ADAA7F86-3933-42D2-9E68-04C859A07FAD} -

(no file)
O2 - BHO: (no name) - {B1AB473F-3436-49DA-9E87-3410DDADAD94}

- (no file)
O2 - BHO: (no name) - {B3811E84-5EE5-4C03-991C-D79A47CCBC81}

- (no file)
O2 - BHO: (no name) - {B9357E5D-25D8-4EE7-BC25-EDED800AE258}

- (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872}

- (no file)
O2 - BHO: (no name) - {C06646C3-E962-442B-91AA-584F09497A25} -

(no file)
O2 - BHO: (no name) - {CB63A18C-8E76-4C6F-9E34-678064B1BC72} -

(no file)
O2 - BHO: (no name) - {CCDCA588-8904-4600-8462-22CAC96B4E2C}

- (no file)
O2 - BHO: (no name) - {D59AF09B-95EE-4D3D-8A3E-D400450C4874}

- (no file)
O2 - BHO: (no name) - {DEE59238-A9FF-43BF-AE59-F26949979E70} -

(no file)
O2 - BHO: (no name) - {DF01E5DC-82A6-4944-B696-DA3311787905} -

(no file)
O2 - BHO: (no name) - {E56F7F2C-859F-4DF3-AAA9-85C91DA45028} -

(no file)
O2 - BHO: (no name) - {ED6DBF7B-D30A-4657-BF4A-673C61D13F78}

- (no file)
O2 - BHO: (no name) - {F88AE11E-175F-45D3-A673-FC483680AE41} -

(no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-

7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655}

- (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-

0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-

56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-

10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-

CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy

Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program

Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32

\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveDiscoveryMemoryResident] C:\Program

Files\NotsoSoftware\DriveDiscovery\NSSMR.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!

\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus!

3\MsgPlus.exe" /WinStart
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program

Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program

Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe -

C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download Link Using Mega Manager... -

C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List -

res://C:\Program Files\Canon\Easy-

WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -

res://C:\Program Files\Canon\Easy-

WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05

\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-

f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file

missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-

4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-

81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-

BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file

missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-

F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.answers.com
O15 - Trusted Zone: www.bollywoodheaven.com
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java

Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java

Plug-in 1.5.0_11) -
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awvepa - C:\WINDOWS\Fonts\awvepa.dll (file

missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32

\WgaLogon.dll
O20 - Winlogon Notify: winstd32 - winstd32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file

missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) -

Unknown owner - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative

Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050

\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Unknown owner - C:\Program Files\Norton SystemWorks\Norton

AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Internet Security Service (NISSERV) - Unknown

owner - C:\Program Files\Norton Internet Security\NISSERV.EXE (file

missing)
O23 - Service: Norton Internet Security Accounts Manager (NISUM) -

Unknown owner - C:\Program Files\Norton Internet Security\NISUM.EXE

(file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown

owner - C:\Program Files\Norton SystemWorks\Norton

Utilities\NPROTECT.EXE (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental)

(rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f

"%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file

missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown

owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

(file missing)
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1

\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) -

Unknown owner - C:\Program Files\Norton Internet

Security\SymProxySvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe (file missing)
O23 - Service: System Out (SystemOutService) - Unknown owner -

C:\WINDOWS\system32\systemout.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 09:20 AM

Open Notepad, click on Format and uncheck Word Wrap.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here [Add Reply].

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 09:31 AM

Heyyy LDTate its you again! Nice to see you man i feel like my problems are gone already! :D :notworthy:

I opened notepad and did as you said, then ran HijackThis Scan, the log came up as another notepad file, and when i clicked on FORMAT in the log window, the WORD WRAP was still checked, so i clicked on EDIT and then SELECT ALL, and then on FORMAT and unchecked WORD WRAP just like you wanted it. Dont know if i was meant to do that or not, but heres my log from UNCHECKED WORD WRAP format.


New HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 16:27:00, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...c...rch&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.208.64.177:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00407B69-3B29-4AC2-98BF-7999AC07467A} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {144C0D53-A7AA-46F3-B655-90FA4C347AA1} - (no file)
O2 - BHO: (no name) - {15FEE496-CDD0-468A-9182-BAE8FF3451AA} - (no file)
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {1A2BAE59-2A27-4356-8DD6-175B7A35B229} - (no file)
O2 - BHO: (no name) - {2295D587-1F1F-46AB-A0E1-3D395AAA9029} - (no file)
O2 - BHO: (no name) - {2C114700-A1D0-4B38-90A0-1FAE7BC66193} - (no file)
O2 - BHO: (no name) - {2CED0917-F106-4D7A-BE28-81458160C549} - (no file)
O2 - BHO: (no name) - {2E801EEA-8505-4446-B669-8482086A1EF1} - (no file)
O2 - BHO: (no name) - {3475BF32-38F6-4B70-9EC4-73DBF2D42F0D} - (no file)
O2 - BHO: (no name) - {37458183-DD8B-4FF9-A79E-8CDF42896563} - (no file)
O2 - BHO: (no name) - {3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0} - (no file)
O2 - BHO: (no name) - {42A64A3F-C28D-41B7-90FF-FBDD03F3EBE2} - (no file)
O2 - BHO: (no name) - {4501E05F-E0B8-4FCC-9513-059EE3A1D728} - (no file)
O2 - BHO: (no name) - {4CD1A1E1-2031-472E-9A9A-EEC2698AC3E9} - (no file)
O2 - BHO: (no name) - {4F392267-B6EF-4CA4-8AAF-ED1749373D34} - (no file)
O2 - BHO: (no name) - {610DCB11-58EE-4FAC-91A1-2F62E6E7FC8A} - (no file)
O2 - BHO: (no name) - {61B7CF66-2E6C-4384-9BC0-E9BA6C2D3D6C} - (no file)
O2 - BHO: (no name) - {65B03447-D095-428B-B6FF-5236CBD7A209} - (no file)
O2 - BHO: (no name) - {66AE2F28-F579-43D9-9938-4505B3840A55} - (no file)
O2 - BHO: (no name) - {6A3995D8-0E7C-445D-9F03-2104752614C8} - (no file)
O2 - BHO: (no name) - {6C78A124-AD16-4DE9-8D72-CEF30903B883} - (no file)
O2 - BHO: (no name) - {6CB3CB69-A491-4DC6-987E-A3A0A968B18B} - (no file)
O2 - BHO: (no name) - {6E534804-782C-4613-9085-2EE3A885AF2C} - (no file)
O2 - BHO: (no name) - {7234F4D3-FABF-4DAB-ACF6-2E44AD51F22E} - (no file)
O2 - BHO: (no name) - {72924C96-0059-43A6-B3F6-A5546707A2E3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {77D5C4D1-6D0C-4B17-8725-A1CB396C50E0} - (no file)
O2 - BHO: (no name) - {7C227956-D1F1-4D5D-B0D5-2F541A7B1D3C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83930191-B0E7-47FE-8DDC-1C44F02945F9} - (no file)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: (no name) - {85B406C2-9D6F-495C-A48F-6B01B128EE9D} - (no file)
O2 - BHO: wssclient - {8D99D2A3-317C-4929-8A5D-21140259D93A} - c:\PROGRA~1\wss.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ACD96C1-754A-4557-8C13-2725253B3536} - (no file)
O2 - BHO: (no name) - {9C9ABD32-87DC-4327-BEAE-E3CCC73F93A5} - (no file)
O2 - BHO: (no name) - {A2C8C327-9822-4537-B8C0-B0590CCCAA10} - (no file)
O2 - BHO: (no name) - {A332DE9A-BC6B-4AF9-9A59-388FAF93E681} - (no file)
O2 - BHO: (no name) - {A47862A2-4AE6-4572-9026-4C41D347D4B4} - (no file)
O2 - BHO: (no name) - {A7853404-E817-4419-9311-B947CCC3098E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {ADAA7F86-3933-42D2-9E68-04C859A07FAD} - (no file)
O2 - BHO: (no name) - {B1AB473F-3436-49DA-9E87-3410DDADAD94} - (no file)
O2 - BHO: (no name) - {B3811E84-5EE5-4C03-991C-D79A47CCBC81} - (no file)
O2 - BHO: (no name) - {B9357E5D-25D8-4EE7-BC25-EDED800AE258} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {C06646C3-E962-442B-91AA-584F09497A25} - (no file)
O2 - BHO: (no name) - {CB63A18C-8E76-4C6F-9E34-678064B1BC72} - (no file)
O2 - BHO: (no name) - {CCDCA588-8904-4600-8462-22CAC96B4E2C} - (no file)
O2 - BHO: (no name) - {D59AF09B-95EE-4D3D-8A3E-D400450C4874} - (no file)
O2 - BHO: (no name) - {DEE59238-A9FF-43BF-AE59-F26949979E70} - (no file)
O2 - BHO: (no name) - {DF01E5DC-82A6-4944-B696-DA3311787905} - (no file)
O2 - BHO: (no name) - {E56F7F2C-859F-4DF3-AAA9-85C91DA45028} - (no file)
O2 - BHO: (no name) - {ED6DBF7B-D30A-4657-BF4A-673C61D13F78} - (no file)
O2 - BHO: (no name) - {F88AE11E-175F-45D3-A673-FC483680AE41} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveDiscoveryMemoryResident] C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.answers.com
O15 - Trusted Zone: www.bollywoodheaven.com
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awvepa - C:\WINDOWS\Fonts\awvepa.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winstd32 - winstd32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Internet Security Service (NISSERV) - Unknown owner - C:\Program Files\Norton Internet Security\NISSERV.EXE (file missing)
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Unknown owner - C:\Program Files\Norton Internet Security\NISUM.EXE (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\SymProxySvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: System Out (SystemOutService) - Unknown owner - C:\WINDOWS\system32\systemout.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 09:37 AM

OK. We have some work to do.
This file [winwinPE.exe] indicates a nasty.
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe

W32/Rbot-AJL is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AJL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649) and Veritas (CAN-2004-1172) and by copying itself to network shares protected by weak passwords.

W32/Rbot-AJL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Do you use this pc for any financial use?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 09:46 AM

Holy ...!!! Yes i have used this computer to make some online purchases in the past, its my brother who uses it mainly for online shopping and stuff. Does this mean that all his credit card details are out there on somebody elses computer? What could we do about that now?

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 09:52 AM

Holy ...!!! Yes i have used this computer to make some online purchases in the past, its my brother who uses it mainly for online shopping and stuff. Does this mean that all his credit card details are out there on somebody elses computer? What could we do about that now?

I don't believe the Rbot-AJL type is a password stealer, but when we're finished (clean pc) I want you to change ALL passwords.


Lets get rid of what we can using HJT first and go from there. I will post a HJT fix in a minute.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 09:54 AM

Right okay thats great. Does it include all the hotmail accounts' passwords too yeah?

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 10:06 AM

Yes. ALL passwords.

This will be a good start

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
MessengerPlus! 3

If you re-install Messanger, make sure to install MessengerPlus WITHOUT that "sponsor program"!



I don't like this ProxyServer = 60.208.64.177:8080
China Cncgroup Shandong Province Network
I can't see any reason you're using a proxyserver.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.208.64.177:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {144C0D53-A7AA-46F3-B655-90FA4C347AA1} - (no file)
O2 - BHO: (no name) - {15FEE496-CDD0-468A-9182-BAE8FF3451AA} - (no file)
O2 - BHO: (no name) - {1A2BAE59-2A27-4356-8DD6-175B7A35B229} - (no file)
O2 - BHO: (no name) - {2295D587-1F1F-46AB-A0E1-3D395AAA9029} - (no file)
O2 - BHO: (no name) - {2C114700-A1D0-4B38-90A0-1FAE7BC66193} - (no file)
O2 - BHO: (no name) - {2CED0917-F106-4D7A-BE28-81458160C549} - (no file)
O2 - BHO: (no name) - {2E801EEA-8505-4446-B669-8482086A1EF1} - (no file)
O2 - BHO: (no name) - {3475BF32-38F6-4B70-9EC4-73DBF2D42F0D} - (no file)
O2 - BHO: (no name) - {37458183-DD8B-4FF9-A79E-8CDF42896563} - (no file)
O2 - BHO: (no name) - {3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0} - (no file)
O2 - BHO: (no name) - {42A64A3F-C28D-41B7-90FF-FBDD03F3EBE2} - (no file)
O2 - BHO: (no name) - {4501E05F-E0B8-4FCC-9513-059EE3A1D728} - (no file)
O2 - BHO: (no name) - {4CD1A1E1-2031-472E-9A9A-EEC2698AC3E9} - (no file)
O2 - BHO: (no name) - {4F392267-B6EF-4CA4-8AAF-ED1749373D34} - (no file)
O2 - BHO: (no name) - {610DCB11-58EE-4FAC-91A1-2F62E6E7FC8A} - (no file)
O2 - BHO: (no name) - {61B7CF66-2E6C-4384-9BC0-E9BA6C2D3D6C} - (no file)
O2 - BHO: (no name) - {65B03447-D095-428B-B6FF-5236CBD7A209} - (no file)
O2 - BHO: (no name) - {66AE2F28-F579-43D9-9938-4505B3840A55} - (no file)
O2 - BHO: (no name) - {6A3995D8-0E7C-445D-9F03-2104752614C8} - (no file)
O2 - BHO: (no name) - {6C78A124-AD16-4DE9-8D72-CEF30903B883} - (no file)
O2 - BHO: (no name) - {6CB3CB69-A491-4DC6-987E-A3A0A968B18B} - (no file)
O2 - BHO: (no name) - {6E534804-782C-4613-9085-2EE3A885AF2C} - (no file)
O2 - BHO: (no name) - {7234F4D3-FABF-4DAB-ACF6-2E44AD51F22E} - (no file)
O2 - BHO: (no name) - {72924C96-0059-43A6-B3F6-A5546707A2E3} - (no file)
O2 - BHO: (no name) - {77D5C4D1-6D0C-4B17-8725-A1CB396C50E0} - (no file)
O2 - BHO: (no name) - {7C227956-D1F1-4D5D-B0D5-2F541A7B1D3C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83930191-B0E7-47FE-8DDC-1C44F02945F9} - (no file)
O2 - BHO: (no name) - {85B406C2-9D6F-495C-A48F-6B01B128EE9D} - (no file)
O2 - BHO: wssclient - {8D99D2A3-317C-4929-8A5D-21140259D93A} - c:\PROGRA~1\wss.dll (file missing)
O2 - BHO: (no name) - {9ACD96C1-754A-4557-8C13-2725253B3536} - (no file)
O2 - BHO: (no name) - {9C9ABD32-87DC-4327-BEAE-E3CCC73F93A5} - (no file)
O2 - BHO: (no name) - {A2C8C327-9822-4537-B8C0-B0590CCCAA10} - (no file)
O2 - BHO: (no name) - {A332DE9A-BC6B-4AF9-9A59-388FAF93E681} - (no file)
O2 - BHO: (no name) - {A47862A2-4AE6-4572-9026-4C41D347D4B4} - (no file)
O2 - BHO: (no name) - {A7853404-E817-4419-9311-B947CCC3098E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {ADAA7F86-3933-42D2-9E68-04C859A07FAD} - (no file)
O2 - BHO: (no name) - {B1AB473F-3436-49DA-9E87-3410DDADAD94} - (no file)
O2 - BHO: (no name) - {B3811E84-5EE5-4C03-991C-D79A47CCBC81} - (no file)
O2 - BHO: (no name) - {B9357E5D-25D8-4EE7-BC25-EDED800AE258} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {C06646C3-E962-442B-91AA-584F09497A25} - (no file)
O2 - BHO: (no name) - {CB63A18C-8E76-4C6F-9E34-678064B1BC72} - (no file)
O2 - BHO: (no name) - {CCDCA588-8904-4600-8462-22CAC96B4E2C} - (no file)
O2 - BHO: (no name) - {D59AF09B-95EE-4D3D-8A3E-D400450C4874} - (no file)
O2 - BHO: (no name) - {DEE59238-A9FF-43BF-AE59-F26949979E70} - (no file)
O2 - BHO: (no name) - {DF01E5DC-82A6-4944-B696-DA3311787905} - (no file)
O2 - BHO: (no name) - {E56F7F2C-859F-4DF3-AAA9-85C91DA45028} - (no file)
O2 - BHO: (no name) - {ED6DBF7B-D30A-4657-BF4A-673C61D13F78} - (no file)
O2 - BHO: (no name) - {F88AE11E-175F-45D3-A673-FC483680AE41} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O15 - Trusted Zone: http://www.answers.com
O15 - Trusted Zone: www.bollywoodheaven.com
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} -
O20 - Winlogon Notify: awvepa - C:\WINDOWS\Fonts\awvepa.dll (file missing)
O20 - Winlogon Notify: winstd32 - winstd32.dll (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Empty Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 10:52 AM

The computer is working a little faster, and i think thats because this morning i ran msconfig, and unchecked some of the services under start up list. But ye other than that i dont see no major differences. One of the files you asked me to check on HijackThis, i couldnt find it.

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

I went through the list many times but i didnt find this.

So heres my new HijackThis (UN WORD WRAPPED) log:


Logfile of HijackThis v1.99.1
Scan saved at 17:48:09, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Windows Media Player\wmplayer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...c...rch&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00407B69-3B29-4AC2-98BF-7999AC07467A} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveDiscoveryMemoryResident] C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Internet Security Service (NISSERV) - Unknown owner - C:\Program Files\Norton Internet Security\NISSERV.EXE (file missing)
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Unknown owner - C:\Program Files\Norton Internet Security\NISUM.EXE (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\SymProxySvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: System Out (SystemOutService) - Unknown owner - C:\WINDOWS\system32\systemout.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 10:58 AM

I'll assume it was Symantec / Nortons that you stopped.
Lets get rid of it all together.

To completely uninstall Symantec AntiVirus?
Problem: The solution to many problems with Symantec AntiVirus is to completely uninstall Symantec AntiVirus, then re-install. You can use these instructions to completely uninstall Symantec AntiVirus.

Solution: In order to completely uninstall Symantec AntiVirus and all related components you need to follow these instructions.
Note: This procedure will remove all Symantec products, not just Symantec AntiVirus.

1.Click on Start | Settings | Control Panel
2.In the control panel double-click on Add / Remove Programs
3.Look through the list of installed programs for any item that says either "Norton" or "Symantec" or "LiveUpdate". (for example "Symantec AntiVirus Corporate Edition" or "Norton AntiVirus 2000")
4.For each "Norton", "Symantec", or "LiveUpdate" item, select the item and click Add / Remove. Follow the instructions, and click Yes or Yes to all when prompted.
When you are done there should be no items in the list that say "Norton", "Symantec", or "LiveUpdate".
5.Click OK to close the Add / Remove Programs window.
6.Reboot your computer if it hasn't already automatically rebooted.
7.Delete the c:\Program Files\Symantec AntiVirus (or c:\Program Files\Norton) folder.
8.Delete the c:\Program Files\Symantec folder.
9.Delete the c:\Program Files\Common Files\Symantec Shared folder.

Reboot after the above:

Next:

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it atleast 20-30 minutes to finish

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#11 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 11:06 AM

It wont let me uninstall any of the symantic or norton components. For each one of them it says insert the norton package CD or something, i dont think i know where i put my norton anti virus CD so... is there any other way i could delete this? I remember manually deleting everything by going into program files , and that just killed me system somehow. My brother believes Norton comes installed with the other windows components and if its uninstalled, the system doesnt operate anymore. I dont believe him, but then through experience i kind of do. What should i do now?

#12 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 11:20 AM

Print this out

Click Start > Run and Copy/Paste these commands hitting enter after each one:

sc stop ccEvtMgr Service

sc delete ccEvtMgr Service

sc stop ccPwdSvc Service

sc delete ccPwdSvc Service

sc stop navapsvc Service

sc delete navapsvc Service

sc stop NISSERV Service

sc delete NISSERV Service

sc stop NISUM Service

sc delete NISUM Service

sc stop NProtectService Service

sc delete NProtectService Service

sc stop SNDSrvc Service

sc delete SNDSrvc Service

sc stop SymProxySvc Service

sc delete SymProxySvc Service

sc stop SymWSC Service

sc delete SymWSC Service

sc stop SNDSrvc Service

sc delete SNDSrvc Service

sc stop SystemOutService Service

sc delete SystemOutService Service




Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Internet Security Service (NISSERV) - Unknown owner - C:\Program Files\Norton Internet Security\NISSERV.EXE (file missing)
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Unknown owner - C:\Program Files\Norton Internet Security\NISUM.EXE (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\SymProxySvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: System Out (SystemOutService) - Unknown owner - C:\WINDOWS\system32\systemout.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these files if listed:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\systemout.exe

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 11:36 AM

I ran all those commands in the Run dialogue box, then ran HijackThis, but none of the files that you told me to CHECK are listed there. I am posting my HijackThis log so you can see what i mean.



Logfile of HijackThis v1.99.1
Scan saved at 18:33:19, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...c...rch&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00407B69-3B29-4AC2-98BF-7999AC07467A} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveDiscoveryMemoryResident] C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 24 May 2008 - 11:38 AM

I ran all those commands in the Run dialogue box, then ran HijackThis, but none of the files that you told me to CHECK are listed there. I am posting my HijackThis log so you can see what i mean.

Cool.
Now do the combofix scan :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#15 excelserious

excelserious

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 24 May 2008 - 12:16 PM

Okay done. Computer behaving just like before. Heres my ComboFix Log:


ComboFix 08-05-21.3 - Game 2008-05-24 18:49:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.157 [GMT 1:00]
Running from: C:\Documents and Settings\Game\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Game\Application Data\inst.exe
C:\Program Files\perfect codec
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvvyb.ini2
C:\WINDOWS\system32\wvvyb.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Service_Iprip
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 15:31 . 2008-05-24 15:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-24 15:31 . 2008-05-24 15:31 <DIR> d-------- C:\Documents and Settings\Game\Application Data\Malwarebytes
2008-05-24 15:31 . 2008-05-24 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 15:31 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-24 15:31 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 11:43 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-17 11:43 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-12 22:30 . 2008-05-12 22:30 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-11 13:37 . 2008-05-11 13:37 <DIR> d-------- C:\Program Files\MostFun
2008-05-06 09:54 . 2008-05-06 09:54 <DIR> d-------- C:\Program Files\Photo Combiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 17:57 917,468 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-24 17:57 69,816,352 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-24 14:22 --------- d--h--r C:\Documents and Settings\Game\Application Data\yahoo!
2008-05-24 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-24 11:20 --------- d-----w C:\Documents and Settings\Game\Application Data\AVG7
2008-05-23 21:45 --------- d-----w C:\Program Files\Folder Lock
2008-05-23 11:50 --------- d-----w C:\Documents and Settings\Game\Application Data\Vso
2008-05-19 14:05 --------- d-----w C:\Program Files\ReGetDx
2008-05-18 22:58 4,473,856 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-18 14:09 4,469,760 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-18 14:09 260,608 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-13 14:05 --------- d-----w C:\Documents and Settings\Game\Application Data\Canon
2008-05-12 21:30 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-12 21:30 47,360 ----a-w C:\Documents and Settings\Game\Application Data\pcouffin.sys
2008-05-04 15:04 2,909,184 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-01 21:49 --------- d-----w C:\Documents and Settings\Game\Application Data\Shareaza
2008-04-27 19:48 --------- d-----w C:\Program Files\DivX
2008-04-06 14:56 --------- d-----w C:\Program Files\CloneDVD
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 16:28 --------- d-----w C:\Program Files\Java
2008-03-23 01:35 4,425,216 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-18 17:13 81,920 ----a-w C:\Documents and Settings\Game\Application Data\ezpinst.exe
2007-10-28 11:26 49,152 ----a-w C:\Program Files\wssupdt.dll
2007-05-14 12:45 784 ----a-w C:\Documents and Settings\Game\Application Data\mpauth.dat
2007-03-31 08:43 2,274 ----a-w C:\Documents and Settings\Game\Application Data\SAS7_000.DAT
2006-12-07 09:31 4,677,544 ----a-w C:\Program Files\Windows-KB890830-V1.22.exe
2006-12-07 09:29 1,129,984 ----a-w C:\Program Files\Match-Up!-UK.msi
2006-05-21 21:24 39,456 -c--a-w C:\Documents and Settings\Game\Application Data\GDIPFONTCACHEV1.DAT
2004-06-18 10:05 45,056 ----a-w C:\WINDOWS\inf\Slntinst.exe
2003-08-22 10:09 45,056 ----a-w C:\WINDOWS\inf\slntinst_staticW2k.exe
2006-11-22 11:43 604,747 -csha-w C:\WINDOWS\Fonts\apevwa.bak1
2006-11-24 22:35 603,036 -csha-w C:\WINDOWS\Fonts\apevwa.bak2
2006-11-25 20:01 596,376 -csha-w C:\WINDOWS\Fonts\apevwa.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [2007-01-12 15:16 462848]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [1999-07-17 13:34 381200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="Smtray.exe" [2001-05-31 20:32 224256 C:\WINDOWS\system32\SMTray.exe]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 11:50 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 22:23 579072]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 18:15 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 02:55 189952]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-30 20:57 219136]

C:\Documents and Settings\Game\Start Menu\Programs\Startup\
AdsGone.lnk - C:\Program Files\AdsGone\adsgone.exe [2002-07-02 15:16:40 1372160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AdsGone 2006.lnk - C:\Program Files\AdsGone\adsgone.exe [2002-07-02 15:16:40 1372160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMFUprogramsList"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{6C62211C-0516-2057-1010-01041101002c}"= "C:\Program Files\Common Files\{6C62211C-0516-2057-1010-01041101002c}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
-----c--- 2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTSETBOOTKEY]
--a------ 2003-04-15 10:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTUSRBDG]
--a------ 2003-11-05 22:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2002-12-12 13:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AdsGone\\adsgone.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ARES\\Ares.exe"=
"C:\\Program Files\\3D MP3 Sound Recorder\\3DMP3Recorder.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Shareaza Applications\\Shareaza4\\Shareaza.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SI3112;SiI-3512 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys [2007-06-06 10:44]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 09:10]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2003-04-15 18:07]
R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys [2004-09-28 16:18]
R3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys [2003-03-18 11:31]
R3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-07-27 16:37]
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys [2005-06-30 12:57]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys [2005-06-28 19:46]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys []
S3 RTRSys;RTRSys;C:\Program Files\XSoft\xworking\rsrsys.sys []
S3 scsiprnt;Microsoft SCSI/1394 Generic Printer Class;C:\WINDOWS\system32\DRIVERS\scsiprnt.sys [2001-08-17 14:52]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 23:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{963e0ca2-ff97-11db-90e5-00146cf19b30}]
\Shell\AutoRun\command - N:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acd72cd0-2b0c-11dc-918e-00146cf19b30}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 08:49:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-24 18:08:09 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-05-24 18:03:06 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-13 02:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 19:05:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?0 ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?P ????????A~??????????@???????????????????B?????? ????????????????????????????B

scanning hidden files ...


disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\Game\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\system32\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Game\Application Data\
disk error: C:\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\WINDOWS\Fonts\
disk error: C:\Documents and Settings\Game\Local Settings\Application Data\
disk error: C:\Program Files\
disk error: C:\Documents and Settings\Game\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Compaq\CPQInet\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
.
**************************************************************************
.
Completion time: 2008-05-24 19:13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 18:12:46

Pre-Run: 3,667,787,776 bytes free
Post-Run: 3,546,034,176 bytes free

260 --- E O F --- 2008-05-18 18:45:16

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users