Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page SurfSideKick
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 03-04-2006, 06:23 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 7
OS: XP


SurfSideKick
Hi, I have a problem with my computer and came across this forum which looks really great. My Computer operating system is Windows XP.

Before i got to this site, I saw another site which had instructions for getting rid of it which I followed but it hasn't worked. I've gone through the "First Steps" so I'm now posting to the fourm. I think Surfsidekick is the problem. None of the programs used to scan and delete seem able to get rid of it and loads of popups appear. I have things like http://www.amaena.com/securityworm2/...&lid=popup_com coming up. Even when the program find something risky and try to delete it, it fails.

Hope I've done this correctly and have enough included the right info. Thanks.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 01:08:20, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames9.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130192207765
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...08/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\p4p60e7seh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
peor is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 03-04-2006, 07:49 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,335
OS: N/A


Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder, double click l2mfix.bat
  • Select option #2 for Run Fix by typing 2 and then pressing enter ONCE.
Do NOT depress any keys on your keyboard until the tool request you to "press any key to reboot"

On the reboot notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-05-2006, 07:20 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 7
OS: XP


Thanks. This is the contents of the log.

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 456 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 552 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1888 'explorer.exe'
Killing PID 1888 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1088 'rundll32.exe'
Killing PID 980 'rundll32.exe'
Killing PID 2168 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\hr0s05d7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr0s05d7e.dll
Deleting: C:\WINDOWS\system32\jt2607fse.dll
Successfully Deleted: C:\WINDOWS\system32\jt2607fse.dll
Deleting: C:\WINDOWS\system32\suarddlg.dll
Successfully Deleted: C:\WINDOWS\system32\suarddlg.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt2607fse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hr0s05d7e.dll
C:\WINDOWS\system32\jt2607fse.dll
C:\WINDOWS\system32\suarddlg.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}\InprocServer32]
@="C:\\WINDOWS\\system32\\cRtsrvut.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}\InprocServer32]
@="C:\\WINDOWS\\system32\\vxrsion.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}\InprocServer32]
@="C:\\WINDOWS\\system32\\wchnetbs.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}\InprocServer32]
@="C:\\WINDOWS\\system32\\oobctrac.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}\InprocServer32]
@="C:\\WINDOWS\\system32\\nfrsru.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}\InprocServer32]
@="C:\\WINDOWS\\system32\\suarddlg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\MHC42ENU.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6B2866BE-51CB-4270-B6A0-B027E080BD57}"=-
"{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}"=-
"{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}"=-
"{329D0982-80F3-44D1-B4F3-E6B5506E97E6}"=-
"{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}"=-
"{6A8E59D0-805B-494B-B1BE-B1423F37A07C}"=-
"{282DA37F-23DB-4589-BB03-B76C52707C6C}"=-
"{CB2599AD-690C-49E4-B441-739EB8E915ED}"=-
"{B673590E-07AD-4105-ABAA-662396039C80}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}]
[-HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}]
[-HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}]
[-HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}]
[-HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}]
[-HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}]
[-HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}]
[-HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}]
[-HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/hr0s05d7e.dll (188 bytes security) (deflated 5%)
adding: dlls/jt2607fse.dll (188 bytes security) (deflated 4%)
adding: dlls/suarddlg.dll (188 bytes security) (deflated 4%)
adding: backregs/282DA37F-23DB-4589-BB03-B76C52707C6C.reg (212 bytes security) (deflated 70%)
adding: backregs/329D0982-80F3-44D1-B4F3-E6B5506E97E6.reg (212 bytes security) (deflated 70%)
adding: backregs/6A8E59D0-805B-494B-B1BE-B1423F37A07C.reg (212 bytes security) (deflated 70%)
adding: backregs/6B2866BE-51CB-4270-B6A0-B027E080BD57.reg (212 bytes security) (deflated 69%)
adding: backregs/6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D.reg (212 bytes security) (deflated 70%)
adding: backregs/9E989F24-A114-4C25-B3EB-18E5F9DA60A0.reg (212 bytes security) (deflated 70%)
adding: backregs/B673590E-07AD-4105-ABAA-662396039C80.reg (212 bytes security) (deflated 70%)
adding: backregs/CB2599AD-690C-49E4-B441-739EB8E915ED.reg (212 bytes security) (deflated 70%)
adding: backregs/E1029A4A-BEFF-43A0-B5D8-AC552CF19E87.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (188 bytes security) (deflated 87%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)


And the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:20:13, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames9.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130192207765
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...08/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{760CEC75-2FC1-4673-AD49-C5CA9F7333EF}: NameServer = 158.152.1.58 158.152.1.43
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\jt2607fse.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
peor is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-05-2006, 03:06 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,335
OS: N/A


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


Something that requires your immediate intervention. I notice that you have more than one anti-virus programs on your machine (AVG & Symantec). That's not a good idea!!

This messes up the machine pretty badly. Alike firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall ALL leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
## Do NOT proceed with the rest of the fix until you have resolved the dual antivirus programs ##


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames9.exe
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\jt2607fse.dll (file missing)


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 03:58 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 7
OS: XP


Hi Subs

I followed the steps above. While I was running Ewido there were a few it could not remove because it was embedded in archive and I didn't know if I should delete the whole archive so I clicked no.

Apart from that, there were no other problems. And there doesn't seem to be pop-ups any more! I'm amazed at how you guys do this! Am I clean now? Thanks so much.

Here are the logs.

HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:53:10, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130192207765
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...08/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Online Scan log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 06, 2006 10:35:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 6/03/2006
Kaspersky Anti-Virus database records: 180544
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 52074
Number of viruses found: 10
Number of infected objects: 64
Number of suspicious objects: 0
Duration of the scan process: 00:20:11

Infected Object Name / Virus Name / Last Action
C:\l2mfix\backup.zip/dlls/hr0s05d7e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\l2mfix\backup.zip/dlls/jt2607fse.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\l2mfix\backup.zip/dlls/suarddlg.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\l2mfix\backup.zip ZIP: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04F032A2.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04F35C9E.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08617D79.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08675172.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08675172.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ak skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BBB1DDC.exe Infected: Trojan-Downloader.Win32.Adload.s skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0F7B13F8.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2C4E7B30.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B867953.EXE Infected: Trojan-Downloader.Win32.Adload.s skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ak skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe CAB: infected - 5 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B8A234F.exe CryptFF: infected - 5 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4E497B75.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51837BDC.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7216592F.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7443599C.exe Infected: Trojan-Downloader.Win32.VB.wy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74744F66.exe Infected: Trojan-Clicker.Win32.VB.ld skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\76930ACC.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77605E2F.exe Infected: Trojan-Downloader.Win32.VB.wy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78480330.exe Infected: Trojan-Clicker.Win32.VB.ld skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7AAB5C67.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013931.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013932.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013933.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013934.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013934.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013934.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013934.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013934.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\RECYCLER\NPROTECT\00013934.exe CAB: infected - 5 skipped
C:\RECYCLER\NPROTECT\00014426.zip/dlls/hr0s05d7e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\NPROTECT\00014426.zip/dlls/jt2607fse.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\NPROTECT\00014426.zip/dlls/suarddlg.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\NPROTECT\00014426.zip ZIP: infected - 3 skipped
C:\RECYCLER\NPROTECT\00014428.zip/dlls/hr0s05d7e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\NPROTECT\00014428.zip/dlls/jt2607fse.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\NPROTECT\00014428.zip/dlls/suarddlg.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\NPROTECT\00014428.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000139.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000140.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000141.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000142.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000143.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000144.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP1\A0000145.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000230.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000245.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000501.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000502.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000503.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000504.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000505.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000506.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000507.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000508.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{0C944A27-960E-46CB-A547-BF4646F7549C}\RP2\A0000509.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

Scan process completed.

Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:00:21, 06/03/2006
+ Report-Checksum: C9A0FC3F

+ Scan result:

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.301:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.303:C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\gt7jwic5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\l2mfix\backup.zip/dlls/hr0s05d7e.dll -> Adware.Look2Me : Error during cleaning
C:\l2mfix\backup.zip/dlls/jt2607fse.dll -> Adware.Look2Me : Error during cleaning
C:\l2mfix\backup.zip/dlls/suarddlg.dll -> Adware.Look2Me : Error during cleaning
C:\l2mfix\dlls\hr0s05d7e.dll -> Adware.Look2Me : Cleaned with backup
C:\l2mfix\dlls\jt2607fse.dll -> Adware.Look2Me : Cleaned with backup
C:\l2mfix\dlls\suarddlg.dll -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00012960.exe -> Adware.AdURL : Cleaned with backup
C:\RECYCLER\NPROTECT\00014052.dll -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00014079.dll -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00014203.DLL -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00014204.DLL -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00014205.dll -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00014426.zip/dlls/hr0s05d7e.dll -> Adware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00014426.zip/dlls/jt2607fse.dll -> Adware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00014426.zip/dlls/suarddlg.dll -> Adware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00014428.zip/dlls/hr0s05d7e.dll -> Adware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00014428.zip/dlls/jt2607fse.dll -> Adware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00014428.zip/dlls/suarddlg.dll -> Adware.Look2Me : Error during cleaning
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup


::Report End
peor is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 04:05 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,335
OS: N/A


Please read this post completely before begining the fix.


Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip - Extract the contents into it's own folder. Double click MVPS.bat & allow it to run.

Right click on this & select 'Save As' - DNSManual.bat
Double-click DNSManual.bat & allow it to run.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\l2mfix\
Delete the contents of this folder, leaving it empty:
  • C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\
    C:\RECYCLER\NPROTECT\

Let me know if you had any difficulties with the above
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 04:31 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 7
OS: XP


Hi Again

All done except there is one file (NPROTECT.LOG) left in C:\RECYCLER\NPROTECT\. It won't let me delete this.

Do I need to post any logs again?

Thanks
Peor
peor is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 04:33 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,335
OS: N/A


Right click on your recycle bin & select 'empty Norton Recycle Bin'

Post a new HJT log after that
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 04:40 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 7
OS: XP


Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 23:39:41, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130192207765
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...08/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{760CEC75-2FC1-4673-AD49-C5CA9F7333EF}: NameServer = 158.152.1.58 158.152.1.43
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
peor is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 04:50 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,335
OS: N/A


Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-06-2006, 05:07 PM   #11 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 7
OS: XP


Wahay! This is the most useful, efficient forum I have ever used!

I have followed steps 1-3. I have Norton Antivirus, Windows Firewall, Spybot Search & Destroy and Ad-Aware installed and I'll follow your advice.

Thanks again for all your help!
peor is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 10:58 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85