Resolved HJT Threads - Resolved spyware and popup issues.
#1
Registered User
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP
Newby Bombarded With Spyware Pop-ups
So glad to find a site that looks like it may finally be able to help me. You have probably seen it all before; I'm having trouble with popups and trojans. Here are some of the popups that have been coming up. A very bad one is the first; amaena. It brings me to fake antivirus and antispyware download pages. Mostly a page for WinAntiVirus Pro 2007 and WinAntiSpyware 2006, that say my current antivirus/spyware protection is ineffective and that my system is infected. Please help me fix this, I have carried out the 5 required steps and here come my logs -

PANDA LOG -

DECKARDS MAIN.TXT LOG - Deckard's System Scanner v20070423.42 Run by User on 2007-04-24 at 17:16:32

DECKARDS EXTRA.TXT LOG - Deckard's System Scanner v20070423.42 Extra logfile - please post this as an attachment with your post.

Please help - other than throw computer out of the window, what do I do next ???
#3
Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,093
OS: XP Pro, Vista, Ubuntu 8.10
Re: Newby Bombarded With Spyware Pop-ups
Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
#5
Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,093
OS: XP Pro, Vista, Ubuntu 8.10
Re: Newby Bombarded With Spyware Pop-ups
Hello again
P2P - I see you have P2P software <Limewire> installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

=======================================================

Please disable SpywareGuard, as it may hinder the removal of some entries. You can re-enable it after you're clean.

=======================================================

Downloads

Download ComboFix from here. **Save it directly to your desktop**

Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

==================================================

Run HijackThis and post that log here.

==================================================

Please provide the following logs with your next post:
C:\ComboFix.txt
HijackThis log

Also include an update on how your system is running.
#6
Registered User
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP
Re: Newby Bombarded With Spyware Pop-ups
Thanks Clark - here are the logs -
The computer does seem to be running a little bit quicker, but it still freezes an awful lot more than usual and I still get the odd anti-spyware pop-up. One thing: when I did the HJT scan I did not delete anything from the log it produced. Should I have?

COMBOFIX LOG is like this:

"User" - 07-04-29 3:25:16 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\User\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\hggdbaw.dll
C:\WINDOWS\system32\hgghfeb.dll
C:\WINDOWS\system32\ljjigeb.dll
C:\WINDOWS\system32\pmnolll.dll
C:\WINDOWS\system32\urqrrqo.dll
C:\WINDOWS\system32\yayawts.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\{1CFBF~1
C:\Program Files\Common Files\{3CFBF~1

((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))

2007-04-27 22:52 784,821 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-26 11:43 132,660 --a------ C:\WINDOWS\system32\swkjhpnb.dll
2007-04-24 17:16 <DIR> d-------- C:\Deckard
2007-04-24 17:03 <DIR> d-------- C:\ie-spyad
2007-04-24 17:01 536,811 --a------ C:\ie-spyad.exe
2007-04-24 16:54 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-23 18:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Lavasoft
2007-04-22 15:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-20 19:38 787,089 --ahs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 21:18 <DIR> d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 21:18 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Microgaming
2007-04-19 19:38 786,677 --ahs---- C:\WINDOWS\system32\bccdd.bak1
2007-04-19 14:52 <DIR> d-------- C:\VundoFix Backups
2007-04-19 13:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-18 17:15 <DIR> d-------- C:\kav
2007-04-18 14:26 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-18 11:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-17 12:25 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2007-04-17 12:25 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2007-04-16 14:24 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-04-15 15:00 8,126,464 --a------ C:\DOCUME~1\User\ntuser.dat
2007-04-12 21:48 <DIR> d-------- C:\WINDOWS\pss
2007-04-11 15:41 <DIR> d-------- C:\Program Files\PartyGaming
2007-04-10 17:50 <DIR> d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17 <DIR> d-------- C:\Program Files\pokerkant
2007-04-07 19:27 <DIR> d-------- C:\Program Files\Poker Pal Pro Edition
2007-04-06 19:29 <DIR> d-------- C:\Program Files\Poker-Spy
2007-04-03 16:24 <DIR> d-------- C:\Program Files\EmpirePokerMaster
2007-04-03 09:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-04-02 22:57 <DIR> d-------- C:\Program Files\Magic Holdem
2007-04-02 19:32 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-02 19:28 <DIR> d-------- C:\Program Files\Norton SystemWorks
2007-04-02 14:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-03-28 22:57 <DIR> d-------- C:\WINDOWS\system32\URTTemp

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-28 14:50 -------- d-------- C:\Program Files\pacificpoker
2007-04-28 14:49 -------- d-------- C:\DOCUME~1\User\APPLIC~1\utorrent
2007-04-24 16:09 -------- d-------- C:\Program Files\messenger
2007-04-24 16:06 -------- d-------- C:\Program Files\itunes
2007-04-24 16:05 -------- d-------- C:\Program Files\google
2007-04-22 15:37 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-20 00:44 -------- d-------- C:\Program Files\msn messenger
2007-04-16 14:24 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-04-16 14:24 -------- d--h----- C:\Program Files\installshield installation information
2007-04-07 19:24 -------- d-------- C:\Program Files\cyberlink
2007-04-02 22:49 -------- d-------- C:\Program Files\google toolbar
2007-04-02 22:13 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-04-02 22:13 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-02 22:13 -------- d-------- C:\Program Files\symantec
2007-04-02 18:15 -------- d-------- C:\DOCUME~1\User\APPLIC~1\symantec
2007-03-19 11:55 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 15:34 -------- d-------- C:\Program Files\thomson
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-12 17:30 -------- d-------- C:\Program Files\motorola phone tools(2)(2)
2007-03-12 17:30 -------- d-------- C:\Program Files\motorola phone tools(2)
2007-03-12 17:30 -------- d-------- C:\Program Files\liveupdate
2007-03-12 17:28 -------- d-------- C:\Program Files\motorola phone tools(3)
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 13:34 676224 --a------ C:\WINDOWS\system32\ogacheckcontrol.dll
2007-02-27 11:00 0 --a------ C:\WINDOWS\poker.com
2007-02-09 18:22 8022 --ahs---- C:\WINDOWS\system32\uttss.ini2
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} C:\WINDOWS\system32\ddccb.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\uipnaitx.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\swkjhpnb.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghffc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttu

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 03:28:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-29 3:28:53
C:\ComboFix-quarantined-files.txt ... 07-04-29 03:28

HJT LOG is now like this:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:01, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {308385CC-A3C9-4840-876A-A09D8361E824} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\uipnaitx.dll (file missing)
O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
O2 - BHO: (no name) - {F6F8094A-7159-400E-9BA3-0BA01D206126} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1151879318531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151879295750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.134 62.24.222.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.134 62.24.222.135
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
O20 - Winlogon Notify: ssttu - C:\WINDOWS\System32\ssttu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--------------------------------------------------------------------------

Waiting for more, but thanks so far.
J.T.

Last edited by JOHNNYMACK : 04-29-2007 at 04:07 AM.
#7
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,093
OS: XP Pro, Vista, Ubuntu 8.10
Re: Newby Bombarded With Spyware Pop-ups
Apologies for the delay in replying. I was unexpectedly occupied all day yesterday.

======================================================
Please disable SpywareGuard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
======================================================
Before fixing anything, please download the Suspicious File Packer --> http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it. Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\swkjhpnb.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please submit it to this site --> http://www.bleepingcomputer.com/subm....php?channel=4

Please include a link to this topic in the message.
=======================================================
I see you already have AVG Anti-Spyware. You will need to update AVG Anti-Spyware to the latest definition files.
========================================================
Click Start > Control Panel > Add / Remove Programs and uninstall the following program (if it exists):

J2SE Runtime Environment 5.0 Update 3
=====================================================
Reboot

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.
=====================================================
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {308385CC-A3C9-4840-876A-A09D8361E824} - (no file)
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\uipnaitx.dll (file missing)
O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
O2 - BHO: (no name) - {F6F8094A-7159-400E-9BA3-0BA01D206126} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
O20 - Winlogon Notify: ssttu - C:\WINDOWS\System32\ssttu.dll (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.
=======================================================
Delete the following files indicated in RED if they still exist.

C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\swkjhpnb.dll
=======================================================
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):

Press the CleanUp! button to start the program and reboot back into safe mode when prompted.
=======================================================
Run AVG Anti-Spyware with its updated definitions (it's important that all windows must be closed):
======================================================
Reboot

Reboot your system in Normal Mode.
======================================================
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.
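The selection rule the analyst applied by hand above, written out as a small triage script. This is an added example, not code from the thread or from HijackThis/ComboFix. It parses the two log formats the user posted and reproduces the two decisions behind the fix list: an O2 (Browser Helper Object) or O20 (Winlogon Notify) entry whose target reads "(no file)" or "(file missing)" is an orphaned load point left behind by an already-removed DLL, and an O4 Run entry is suspect when the file it launches is one ComboFix listed as recently created under system32 (swkjhpnb.dll here). The sample lines are copied from the posted logs; which lines were picked, and the hidden+system attribute heuristic, are this example's own assumptions.

```python
"""Added example (not from the thread): triage a HijackThis 1.99 log against a
ComboFix file list, reproducing the analyst's two checks:
  1. O2/O20 entries whose DLL is gone are orphaned load points -> fix.
  2. O4 Run entries that launch a file ComboFix saw created in system32 -> fix.
Sample input is copied from the logs posted in the thread (constructed subset)."""
import re

# Constructed sample: a subset of the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: a subset of ComboFix's 'Files Created' and Find3M rows.
COMBOFIX_SAMPLE = r"""
2007-04-27 22:52 784,821 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-26 11:43 132,660 --a------ C:\WINDOWS\system32\swkjhpnb.dll
2007-04-24 17:16 <DIR> d-------- C:\Deckard
2007-04-20 19:38 787,089 --ahs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 13:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-18 14:26 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-28 14:50 -------- d-------- C:\Program Files\pacificpoker
2007-02-09 18:22 8022 --ahs---- C:\WINDOWS\system32\uttss.ini2
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# date time size|<DIR>|-------- attrs(9 chars: d=dir, a=archive, h=hidden, s=system) path
CF_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|-+|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$")
# Bare file names (no directory part) referenced inside an O4 command line.
FILE_REF = re.compile(r"[\w~.$-]+\.(?:dll|exe|sys)", re.IGNORECASE)


def parse_hjt(lines):
    """(section, remainder) for every 'Oxx - ...' line; other lines are skipped."""
    out = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def parse_combofix(lines):
    """(path, size, attrs) for every ComboFix file/directory row."""
    out = []
    for line in lines:
        m = CF_LINE.match(line.strip())
        if m:
            out.append((m.group(5), m.group(3), m.group(4)))
    return out


def recent_system32_files(rows):
    """Lower-cased basenames of files (not directories) created under system32."""
    names = set()
    for path, size, attrs in rows:
        if "d" in attrs or size == "<DIR>":
            continue
        if "\\system32\\" in path.lower():
            names.add(path.rsplit("\\", 1)[-1].lower())
    return names


def hidden_system_files(rows):
    """Files carrying both hidden and system attributes. Heuristic only (assumption):
    legitimate files carry these flags too, so this is a 'look here' list."""
    return [path for path, size, attrs in rows
            if "h" in attrs and "s" in attrs and "d" not in attrs]


def orphaned_hooks(entries):
    """O2 BHOs and O20 Winlogon Notify hooks whose DLL no longer exists."""
    return [f"{sec} - {rest}" for sec, rest in entries
            if sec in ("O2", "O20")
            and (rest.endswith("(no file)") or rest.endswith("(file missing)"))]


def run_entries_loading_recent_files(entries, recent):
    """O4 Run entries whose command line references a recently created file."""
    hits = []
    for sec, rest in entries:
        if sec == "O4" and {r.lower() for r in FILE_REF.findall(rest)} & recent:
            hits.append(f"{sec} - {rest}")
    return hits


def fix_list(hjt_lines, combofix_lines):
    """HijackThis entries to tick under 'Fix checked' (orphans first, then O4 hits)."""
    entries = parse_hjt(hjt_lines)
    recent = recent_system32_files(parse_combofix(combofix_lines))
    return orphaned_hooks(entries) + run_entries_loading_recent_files(entries, recent)


if __name__ == "__main__":
    rows = parse_combofix(COMBOFIX_SAMPLE.strip().splitlines())
    print("Hidden+system files worth a look:", *hidden_system_files(rows), sep="\n  ")
    print("HijackThis entries to fix:",
          *fix_list(HJT_SAMPLE.strip().splitlines(), COMBOFIX_SAMPLE.strip().splitlines()),
          sep="\n  ")
```

Two caveats when reading the output. Ticking an orphaned O2/O20 entry only removes a dead registry pointer; the loader that created it may still be present, which is why the O4 check against ComboFix's recent-file list matters more than the orphan count, and why the analyst asked for swkjhpnb.dll to be packed and submitted rather than simply deleted. The hidden+system list is a hint, not a verdict: here it surfaces bccdd.ini2, bccdd.bak2 and uttss.ini2, the same data files the analyst listed for deletion, but on another machine it will also catch legitimate files that carry those attributes.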