Thread: Popups, errorsafe.com, WinAntiSpyware2006, drivecleaner2006, etc - log file included
View Single Post
Old 08-10-2007, 04:18 PM   #4 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,341
OS: N/A


Re: Popups, errorsafe.com, WinAntiSpyware2006, drivecleaner2006, etc - log file inclu
We're making progress but not out of the woods yet.


---------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [hotyge] C:\Program Files\Windows NT\hotyge3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O20 - Winlogon Notify: pmkji - C:\WINDOWS\system32\pmkji.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\prohdy.html


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/173189-popups-errorsafe-com-winantispyware2006-drivecleaner2006-etc-log-file-included.html
Collect::
C:\Program Files\Windows NT\hotyge3.exe
C:\WINDOWS\system32\apuuhtya.exe
C:\WINDOWS\system32\ohrchbhm.exe
C:\WINDOWS\system32\is67718.exe
C:\WINDOWS\TTC-5555.exe
C:\WINDOWS\tk68.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\waverevenue.exe
C:\WINDOWS\system32\l3acdb.dll
File::
C:\WINDOWS\system32\skna455101.exe
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\Program Files\MSN Gaming Zone\prohdy.html
C:\WINDOWS\pss\TA_Start.lnkStartup
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hotyge"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkji]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\afbtsukA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eomu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotyge]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vcle]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{E1-18-8E-E2-ZN}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file on your Desktop, called Submit [Date Time].zip
Please submit this file

The file must be uploaded before proceeding to the next step.


---------------


Click here perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline