Snap.Do problem

[Simon Sudbury]

Use XP with SP3 and system hijacked by Snap.Do. I've uninstalled from add/remove and tried the procedure where you stop various processes in task manager prior to deleting various reg keys. Thing is that as soon as you stop the suggested processes you get the PC is shutting down blah blah. In addition I can't find the reg keys in the locations suggested.

Have been advised to run and then post the following scan results.

Hope this helps in getting rid of Snap.Do

Thanks


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Tony Jermyn at 18:41:59 on 2012-09-15
.
============== Running Processes ===============
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\stsystra.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Documents and Settings\All Users\Application Data\IBUpdaterService\ibsvc.exe
E:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
E:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Tony Jermyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Tony Jermyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Tony Jermyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Tony Jermyn\My Documents\Downloads\dds (1).scr
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uLocal Page = k:\windows\system32\blank.htm
uStart Page = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=46936df2-99ee-4c19-a66e-43a18791e8c9&searchtype=hp
uSearch Page = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=46936df2-99ee-4c19-a66e-43a18791e8c9&searchtype=ds&q={searchTerms}
uSearch Bar = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=46936df2-99ee-4c19-a66e-43a18791e8c9&searchtype=ds&q={searchTerms}
uSearchAssistant = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=46936df2-99ee-4c19-a66e-43a18791e8c9&searchtype=ds&q={searchTerms}
mURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - k:\program files\pc tools security\bdt\PCTBrowserDefender.dll
mWinlogon: Userinit=e:\windows\system32\userinit.exe,k:\windows\system32\userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - k:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - k:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - k:\program files\askbardis\bar\bin\askBar.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - k:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - e:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - k:\program files\utorrentbar\prxtbuTo2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - k:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - k:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - Hotspot Shield Class
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - k:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - k:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - k:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - k:\program files\utorrentbar\prxtbuTo2.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - k:\program files\pc tools security\bdt\PCTBrowserDefender.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - e:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
{ae07101b-46d4-4a98-af68-0333ea26e113}
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [MediaFire Tray] "e:\documents and settings\tony jermyn\application data\mediafire express\mf_systray.exe" --boot-start
uRun: [uTorrent] "e:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Google Update] "e:\documents and settings\tony jermyn\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "e:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
mRun: [APSDaemon] "e:\program files\common files\apple\apple application support\APSDaemon.exe"
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoInstrumentation = 1
IE: Search the Web - e:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
LSP: e:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B629A411-7D81-44AB-85AF-8D683672859B} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - k:\windows\system32\rundll32.exe k:\windows\system32\mscories.dll,Install
.
============= SERVICES / DRIVERS ===============
.
R? Browser Defender Update Service;Browser Defender Update Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpuz132;cpuz132
R? Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service
R? libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1
R? pctgntdi;pctgntdi
R? PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service
R? pctplsg;pctplsg
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? cpuz135;cpuz135
S? IBUpdaterService;Updater Service
S? PCTCore;PCTools KDS
S? pctDS;PC Tools Data Store
S? pctEFA;PC Tools Extended File Attributes
S? PCTSD;PC Tools Spyware Doctor Driver
S? sdAuxService;PC Tools Auxiliary Service
S? sdCoreService;PC Tools Security Service
S? SI3112r;Silicon Image SiI 3512 SATARaid Controller
S? TfFsMon;TfFsMon
S? TfNetMon;TfNetMon
S? TfSysMon;TfSysMon
S? ThreatFire;ThreatFire
.
=============== Created Last 30 ================
.
2012-09-12 17:41:08 -------- d-----w- e:\program files\Unlocker
.
==================== Find3M ====================
.
2012-07-06 13:58:51 78336 ----a-w- e:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- e:\windows\system32\drivers\rdpwd.sys
2012-07-03 15:07:44 832512 ----a-w- e:\windows\system32\wininet.dll
2012-07-03 15:07:43 1830912 ------w- e:\windows\system32\inetcpl.cpl
2012-07-03 15:07:42 78336 ----a-w- e:\windows\system32\ieencode.dll
2012-07-03 15:07:42 17408 ----a-w- e:\windows\system32\corpol.dll
2012-07-03 13:40:15 1866112 ----a-w- e:\windows\system32\win32k.sys
.
============= FINISH: 18:46:36.01 ===============

[chemist]

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.

• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
• With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
• It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

• Please click Yes to continue scanning for malware.
• Your desktop may go blank. This is normal. It will return when ComboFix is done.
• ComboFix may reboot your machine. This is normal. For some infections, it may do this multiple times.
• When the tool is finished, it will produce a log for you.

Please post that log, E:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

[Simon Sudbury]

Many thanks for thsi detailed reply but I think I've managed to remove it entirely now.

Thanks again.

[chemist]

Thanks for letting us know.