|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
Thread Tools |
01-08-2008, 11:18 AM
|
#1 (permalink) |
|
Registered User
|
Re: Can't remove "Securepccleaner"
Hi,
I have this malware that has attacked my PC that I have tried just about everything to remove with no luck. It constantly causes popups that ask to buy malware remoers and takes over my desktop background with a red screen with "Privacy Danger" at the bottom. I've ran several softwares including AdAware, SpyBot, SuperAntiSpyware, CCleaner, ATF, RogueRemover, SmitFraudFix, HiJackThis, Norton AV. I don't know where to begin again now. For starters I am posting a new HJT file. Thanks for your help. Bert Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:15:10 PM, on 1/8/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Exif Launcher\QuickDCF.exe C:\Palm\HOTSYNC.EXE C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\WISPTIS.EXE C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe C:\Program Files\BearShare Applications\BearShare\BearShare.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user') O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.9 85.255.112.76 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.9 85.255.112.76 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O21 - SSODL: alxvdvm - {48CCD9C4-F0B0-4B92-9E6D-75965794AE94} - C:\WINDOWS\alxvdvm.dll O21 - SSODL: bvtqfvx - {1A5C4883-EB4F-49B7-8EBD-727993B83DC8} - (no file) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe -- End of file - 9183 bytes |
|
     |
|
01-14-2008, 02:54 PM
|
#2 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 3,247
OS: XP
|
Re: Can't remove "Securepccleaner"
Apologises for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems,follow instructions below.
------------------------ Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
========================= Logs Required C:\Deckard\System Scanner\main.txt C:\Deckard\System Scanner\extra.txt<---Attached
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information.  Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating |
|
|
|
|
01-14-2008, 06:40 PM
|
#3 (permalink) |
|
Registered User
|
Re: Can't remove "Securepccleaner"
Thanks for replying. No need to apologize as I know how hard it is keeping up with the vast amount of members. As of now it appears that the attack has subsided, at least temporarily. One of the cleaners I have may have finally got it. I don't know if it's gone completely so I guess we can put this thread on hold and I'll open it if needed. Thanks again for your help. Bert
 |
|
|
|
|
01-15-2008, 09:48 AM
|
#4 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 3,247
OS: XP
|
Re: Can't remove "Securepccleaner"
I doubt very much if one of the cleaners removed the infected files, there was a least two infections showing in your hijackthis log. A lack of symptoms does not mean the infection is not present.
I would be in your best interest if you posted the required logs, that way we can be sure no infection is present, in the end its your decision.
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information. Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating Last edited by TheBruce1 : 01-15-2008 at 09:49 AM. |
|
|
|
|
01-15-2008, 10:30 AM
|
#5 (permalink) |
|
Registered User
|
Re: Can't remove "Securepccleaner"
TheBruce1,
Thanks for your reply. I am following yor advice and have downloaded and copied the report from DSS. Also have attached the "extra.txt" file. I'll wait for further instructions. Thanks again, Bert Deckard's System Scanner v20071014.68 Run by User on 2008-01-15 12:11:28 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 61: 2008-01-15 17:11:40 UTC - RP743 - Deckard's System Scanner Restore Point 60: 2008-01-14 22:13:54 UTC - RP742 - System Checkpoint 59: 2008-01-13 21:18:10 UTC - RP741 - System Checkpoint 58: 2008-01-12 19:52:39 UTC - RP740 - System Checkpoint 57: 2008-01-11 17:08:31 UTC - RP739 - System Checkpoint -- First Restore Point -- 1: 2007-12-11 15:59:05 UTC - RP683 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as User.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:13:20 PM, on 1/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Exif Launcher\QuickDCF.exe C:\Palm\HOTSYNC.EXE C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\WISPTIS.EXE C:\Program Files\BearShare Applications\BearShare\BearShare.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Documents and Settings\User\Desktop\dss.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user') O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE (User 'SYSTEM') O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE (User 'Default user') O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.9 85.255.112.76 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.9 85.255.112.76 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O21 - SSODL: bvtqfvx - {1A5C4883-EB4F-49B7-8EBD-727993B83DC8} - (no file) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe -- End of file - 9376 bytes -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) ----------- backup-20071227-185253-295 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 backup-20071227-185253-398 O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe backup-20071227-185253-608 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 backup-20071227-185253-618 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) backup-20071227-185253-793 O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe backup-20071227-185644-418 O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe backup-20071227-213114-514 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 backup-20071227-213327-272 O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe backup-20071227-213327-492 O4 - HKLM\..\Run: [Malware-Wiped] C:\Program Files\Malware-Wiped\Malware-Wiped.exe /h backup-20071231-120311-596 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe backup-20071231-120311-685 O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab backup-20080105-200629-311 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background backup-20080105-200652-395 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 ATMhelpr - c:\windows\system32\drivers\atmhelpr.sys <Not Verified; Adobe Systems Incorporated; Adobe Type Manager Deluxe> R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)> S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware> S3 WmaCDriverV32 - c:\windows\system32\drivers\wmacdriverv32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv> -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Scheduled Tasks ------------------------------------------------------------- 2008-01-14 20:11:15 554 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - User.job 2008-01-08 15:36:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2007-12-15 and 2008-01-15 ----------------------------- 2008-01-12 13:16:06 0 d-------- C:\2AudreyLn 2008-01-10 17:00:10 0 d-------- C:\WINDOWS\LastGood 2008-01-09 12:10:40 0 d-------- C:\WINDOWS\system32\LogFiles 2008-01-06 10:50:50 0 dr-h----- C:\Documents and Settings\User\Recent 2008-01-04 15:42:47 0 d-------- C:\27WoodbineAve 2008-01-04 09:42:19 0 d-------- C:\Program Files\CCleaner 2008-01-04 09:38:32 0 d-------- C:\Program Files\RogueRemover FREE 2008-01-02 10:09:37 0 d-------- C:\Program Files\SUPERAntiSpyware 2008-01-02 10:09:37 0 d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com 2008-01-01 18:12:41 0 d-------- C:\7427RhoadsSt 2008-01-01 18:08:16 0 d-------- C:\NewYears08 2007-12-31 19:44:18 0 d-------- C:\BobChristmas 2007-12-31 18:01:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-12-31 17:58:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-12-29 19:02:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-12-29 15:28:23 0 d-------- C:\Program Files\Norton AntiVirus 2007-12-27 21  20 0 d-------- C:\1022OldFordRd2007-12-26 16:11:23 0 d-------- C:\Christmas07 2007-12-26 14:14:09 90112 --a------ C:\WINDOWS\fvkwdrt.exe 2007-12-22 12:26:45 0 d-------- C:\Program Files\Karaoke Song List Creator 2007-12-22 10:34:07 376 --a------ C:\WINDOWS\Snowflake Screen Saver Captions.dat 2007-12-22 10:34:07 511 --a------ C:\WINDOWS\Snowflake Screen Saver Audio Files.dat 2007-12-19 15:45:31 0 d-------- C:\115StationDr 2007-12-19 15:40:47 0 d-------- C:\103Brentwood 2007-12-18 10:33:25 0 d-------- C:\19HallSt -- Find3M Report --------------------------------------------------------------- 2008-01-15 10:52:06 0 d-------- C:\Documents and Settings\User\Application Data\BearShare 2008-01-15 05:29:49 0 d-------- C:\Program Files\LogMeIn 2008-01-13 16:59:38 0 d-------- C:\Program Files\WinSper Ver. 2 2008-01-13 08:51:05 0 d-------- C:\Documents and Settings\User\Application Data\AdobeUM 2008-01-06 11:52:38 0 d-------- C:\Program Files\Common Files\Symantec Shared 2008-01-06 10:45:41 3524 --a------ C:\WINDOWS\system32\tmp.reg 2008-01-02 09:59:15 0 d-------- C:\Program Files\Google 2008-01-01 19:39:52 0 d-------- C:\Documents and Settings\User\Application Data\Move Networks 2008-01-01 14:10:20 0 d-------- C:\Program Files\Symantec 2007-12-31 20:04:33 0 d-------- C:\Program Files\QuickTime 2007-12-31 18:02:11 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft 2007-12-31 18:01:42 0 d-------- C:\Program Files\Trellian 2007-12-31 17:56:33 0 d-------- C:\Program Files\Lavasoft 2007-12-29 19:01:45 0 d-------- C:\Program Files\Common Files 2007-12-27 16:04:27 0 d-------- C:\Program Files\LimeWire 2007-12-27 15:52:08 0 d-------- C:\Program Files\Yahoo! 2007-12-24 08:58:24 0 d-------- C:\Documents and Settings\User\Application Data\Adobe 2007-12-22 10:33:36 307200 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows> 2007-12-22 10:33:34 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows> 2007-12-12 00:07:49 0 d-------- C:\Program Files\CD Recovery Toolbox Free 2007-12-11 20:30:38 0 d-------- C:\Program Files\Trend Micro 2007-12-11 20:26:42 0 d-------- C:\Program Files\Java 2007-12-11 20:25:33 0 d-------- C:\Program Files\Common Files\Java 2007-12-11 18:34:41 0 d-------- C:\Program Files\NCH Swift Sound 2007-12-11 18:34:41 0 d-------- C:\Documents and Settings\User\Application Data\NCH Swift Sound 2007-12-11 18:31:38 0 d-------- C:\Program Files\Real 2007-11-09 16:27:42 4 --a------ C:\WINDOWS\system32\184DA5 -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}] 12/29/2007 03:30 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [07/20/2004 09:34 AM] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/10/2006 09:57 AM] "SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [05/25/2004 09:16 AM] "IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [09/10/2001 07:44 AM] "PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [09/10/2001 07:19 AM] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [10/22/2001 11:05 AM] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 10:12 PM] "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 01:03 PM] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [01/27/2005 12:17 PM] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 12:07 AM] "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [08/24/2007 11:53 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM] "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [02/25/2005 07:28 PM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe C:\Documents and Settings\User\Start Menu\Programs\Startup\ HotSync Manager.LNK - C:\Palm\HOTSYNC.EXE [3/18/2006 7:44:21 AM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM] Exif Launcher.lnk - C:\Program Files\Exif Launcher\QuickDCF.exe [3/18/2006 7:51:40 AM] HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [3/18/2006 7:44:21 AM] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 10:23:26 PM] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [6/14/2006 11:11:40 PM] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 2:12:08 PM] WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [7/11/2006 3:17:29 PM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"=1 (0x1) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] LMIinit.dll 11/21/2007 12:44 PM 87352 C:\WINDOWS\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 nwprovau [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" -- End of Deckard's System Scanner: finished at 2008-01-15 12:14:23 ------------ |
|
|
|
|
01-15-2008, 11:05 AM
|
#6 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 3,247
OS: XP
|
Re: Can't remove "Securepccleaner"
Hello again Bert
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. ===================== Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.Its important that you follow this through until i give you the all clear,a lack of symptoms does not mean the infection is not present. ==================== Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. ===================== P2P P2P - I see you have P2P software BearShare installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. ====================== Download Combofix from any of the links below, and save it to your desktop. Link 1 Link 2 Link 3 **Note: It is important that it is saved directly to your desktop**Do not run just yet, we will shortly ==================== Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe http://download.bleepingcomputer.com...Fixwareout.exe Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please. =========================== 1. Disconnect from the internet. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. -------------------------------------------------------------------- Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you at C:\ComboFix.txt. I'll need to see that in your next reply, along with a new HijackThis log. ======================== Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ====================== Reconnect to the internet and post the required logs ====================== Logs Required report.txt(from FixWareout) C:\Combofix.txt Hijackths log
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information. Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating |
|
|
|
|
01-15-2008, 12:16 PM
|
#7 (permalink) |
|
Registered User
|
Re: Can't remove "Securepccleaner"
TB1,
I subscribed to the thread as suggested. As for the P2P Bearshare, I have a paid subscription with them for music downloads as I am a musician and a main use of my computer. I'll have to scan for viruses etc as I download I suppose to try and prevent infection. I will be out of town tonight and will follow your latest instructions upon my returm tomorrow night. Thanks for your help. Bert |
|
|
|
|
01-17-2008, 07:09 AM
|
#8 (permalink) |
|
Registered User
|
Re: Can't remove "Securepccleaner"
TheBruce1,
Here is the Fixware file and HJT file. I will post the ComboFix file and another HJT file when completed. Thanks, Bert Username "User" - 01/17/2008 8:54:16 [Fixwareout edited 9/01/2007] ~~~~~ Prerun check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "nameserver"="85.255.114.9 85.255.112.76" <Value cleared. Successfully flushed the DNS Resolver Cache. System was rebooted successfully. ~~~~~ Postrun check HKLM\SOFTWARE\~\Winlogon\ "System"="" .... .... ~~~~~ Misc files. .... ~~~~~ Checking for older varients. .... ~~~~~ Current runs (hklm hkcu "run" Keys Only) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04a\\BrStDvPt.exe" "IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe" "PaperPort PTD"="C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\x86\\LogMeInSystray.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\"" "InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\"" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\NEROPH~2\\data\\Xtras\\mssysmgr.exe" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" .... Hosts file was reset, If you use a custom hosts file please replace it... ~~~~~ End report ~~~~~ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:05:21 AM, on 1/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Exif Launcher\QuickDCF.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Palm\HOTSYNC.EXE C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user') O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE (User 'SYSTEM') O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE (User 'Default user') O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O21 - SSODL: bvtqfvx - {1A5C4883-EB4F-49B7-8EBD-727993B83DC8} - (no file) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe -- End of file - 8939 bytes |
|
|
|
|
01-17-2008, 07:29 AM
|
#9 (permalink) |
|
Registered User
|
Re: Can't remove "Securepccleaner"
Attached is ComboFix file and new HJT file. Thanks, Bert ComboFix 08-01-09.2 - User 2008-01-17 9:17:10.1 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.353 [GMT -5:00] Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\RECYCLER\desktopA.sys C:\WINDOWS\dat.txt C:\WINDOWS\fvkwdrt.exe C:\WINDOWS\rs.txt C:\WINDOWS\search_res.txt . ((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 ))))))))))))))))))))))))))))))) . 2008-01-17 09:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-15 12:11 . 2008-01-15 12:11 <DIR> d-------- C:\Deckard 2008-01-12 13:16 . 2008-01-12 13:16 <DIR> d-------- C:\2AudreyLn 2008-01-12 12:49 . 2008-01-12 12:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-12 12:49 . 2008-01-12 12:49 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-09 12:10 . 2008-01-09 12:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2008-01-09 11:01 . 2008-01-09 11:01 1,355 --a------ C:\WINDOWS\imsins.BAK 2008-01-04 15:42 . 2008-01-04 15:44 <DIR> d-------- C:\27WoodbineAve 2008-01-04 09:42 . 2008-01-04 09:42 <DIR> d-------- C:\Program Files\CCleaner 2008-01-04 09:38 . 2008-01-04 09:38 <DIR> d-------- C:\Program Files\RogueRemover FREE 2008-01-02 10:09 . 2008-01-09 11:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-01-02 10:09 . 2008-01-02 10:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com 2008-01-01 18:12 . 2008-01-01 18:12 <DIR> d-------- C:\7427RhoadsSt 2008-01-01 18:08 . 2008-01-01 18:09 <DIR> d-------- C:\NewYears08 2007-12-31 19:44 . 2007-12-31 19:44 <DIR> d-------- C:\BobChristmas 2007-12-31 18:01 . 2008-01-02 10:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-12-31 17:58 . 2007-12-31 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-12-29 19:02 . 2007-12-29 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-12-29 15:28 . 2008-01-01 14:21 <DIR> d-------- C:\Program Files\Norton AntiVirus 2007-12-29 15:27 . 2008-01-01 14:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-12-29 15:27 . 2008-01-01 14:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2007-12-29 15:27 . 2008-01-01 14:10 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-12-29 15:27 . 2008-01-01 14:10 805 --a------ C:\WINDOWS\system32\drivers\SYMEVEN |
