
"Can not find script file C:\.....\.tt2.tmp.vbs" - could someone please help?

Discussion in 'Windows - Virus and spyware problems' started by bushyaus, Jul 15, 2008.

  1. bushyaus

    bushyaus Member

    Joined:
    Jul 15, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Dear afterdawn members,

    I was wondering if anyone could help me iron this problem out? There seem to be a few others experiencing this problem, which starts on startup with the message: "Can not find script file C:\Documents and Settings\Owner\Local Settings\Temp\.tt2.tmp.vbs"

    My computer symptoms are identical to those of member "Kyle1770", who has also reported his problem in the forum.

    Basically, after this message on startup, the computer will cycle between blue screens and an XP startup screen. The computer is not actually starting up however, and this routine can be broken with control-alt-delete. This cycle begins after say 5-10mins of inactivity.


    ZoneAlarm indicates to me that two .exe's are attempting to reach the internet, which I don't recall seeing before. These are:

    lphcp60j0ev65.exe
    destination IP: 209.62.87.157:DNS

    and

    searchsettings.exe
    destination IP: 85.255.115.60:DNS

    I have denied access permission to these files.

    Also of note, AVG has removed C:\windows\system32\phcp60j0ev65.bmp from my computer today stating it to be a trojan horse.

    Upon member "Fredil"'s recommendation, I have done the following to assist with determining the problem:

    1) Ran ATF Cleaner
    2) Ran Kaspersky web scanner (please find log below. Note that this did not allow viruses, worms, trojans or rootkits to be scanned for, but did scan for spyware, adware, dialers & others)
    3) Have not updated Windows; I am on XP Service Pack 2
    4) Rebooted & immediately ran HijackThis (please find log below)

    If anyone could find the time to help me out with this one, it would be really, really appreciated.

    thanks,
    Bushyaus

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, July 15, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, July 15, 2008 08:36:46
    Records in database: 954940
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    J:\

    Scan statistics:
    Files scanned: 114461
    Threat name: 2
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 02:37:08


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E697194.wmf Infected: Exploit.Win32.IMG-WMF.v 1
    C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

    The selected area was scanned.

    :::::::::::::::::::::::::::::::::::::::::::::::::::

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:41:13 PM, on 15/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\WINDOWS\system32\Crypserv.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\LiscadUpdate.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Search Settings\SearchSettings.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\lphcp60j0ev65.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\Program Files\AVG\AVG8\avgui.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=PAVILION&pf=desktop
    R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb126\SearchSettings.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb126\SearchSettings.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [lphcp60j0ev65] C:\WINDOWS\system32\lphcp60j0ev65.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://isvprod1.landonline.com.au/ecwplugins/ncs.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2258F772-8216-4C75-B427-A9BDA4C3F328}: NameServer = 85.255.115.60,85.255.112.87
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1ED57DB-54BC-4A28-882E-3073C1B6101A}: NameServer = 85.255.115.60,85.255.112.87
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E883CC4B-65E5-4D5A-B80C-4A4A4E947F58}: NameServer = 85.255.115.60,85.255.112.87
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.60 85.255.112.87
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.60 85.255.112.87
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12857 bytes
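The two things a responder would pull out of the log above are the O17 NameServer entries (every adapter and the global Tcpip\Parameters key point at 85.255.115.60 and 85.255.112.87, the same address ZoneAlarm reported SearchSettings.exe contacting on the DNS port) and the O4 Run entry whose value name is just the file name of an executable dropped in system32. The following is an added example written for this thread, not code from the post or from HijackThis: it parses those two line types, flags resolvers that are public addresses outside an expected set, and checks whether a firewall-reported destination matches one of them. The sample lines are copied from the log in this post; `TRUSTED_RESOLVERS` is a placeholder assumption (a real check would use the ISP's or router's resolvers).

```python
"""Triage helpers for HijackThis-style log lines (added example, not HijackThis code)."""
import ipaddress
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lphcp60j0ev65] C:\WINDOWS\system32\lphcp60j0ev65.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2258F772-8216-4C75-B427-A9BDA4C3F328}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.60 85.255.112.87
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Placeholder assumption: resolvers this network is expected to use.
# On a real machine, take these from the ISP or the router's DHCP lease.
TRUSTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_nameservers(log_text):
    """Return (registry key, [server, ...]) for every O17 line.
    HijackThis separates multiple servers with commas or spaces."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            found.append((m.group("key"), servers))
    return found


def rogue_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Sorted list of resolver addresses that are public (globally routable)
    and not in the trusted set. A home PC normally gets its resolvers from
    the router or ISP, so a hard-coded public resolver is worth a look."""
    rogue = set()
    for _key, servers in parse_nameservers(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                continue  # not an IP literal; ignore
            if ip.is_global and s not in trusted:
                rogue.add(s)
    return sorted(rogue)


def parse_run_entries(log_text):
    """Return (hive, value name, command line) for every O4 Run line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def suspicious_run_entries(log_text):
    """O4 entries whose executable sits in the Windows system directory and
    whose value name is nothing but that executable's file name. Vendor
    entries (AVG8_TRAY -> avgtray.exe) do not match; the dropped
    lphcp60j0ev65.exe does."""
    hits = []
    for hive, name, cmd in parse_run_entries(log_text):
        m = re.match(r'"([^"]+)"|(\S+)', cmd)  # quoted path or first token
        exe = (m.group(1) or m.group(2)) if m else cmd
        stem = ntpath.splitext(ntpath.basename(exe))[0]
        in_system32 = "\\windows\\system32\\" in exe.lower()
        if in_system32 and stem.lower() == name.lower():
            hits.append((hive, name, exe))
    return hits


def firewall_destination_is_rogue_resolver(dest_ip, log_text):
    """True when an address a firewall reported as an outbound DNS
    destination is one of the rogue resolvers configured in the registry."""
    return dest_ip in rogue_nameservers(log_text)


if __name__ == "__main__":
    print("Rogue resolvers:", rogue_nameservers(SAMPLE_LOG))
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_LOG))
    # The destination ZoneAlarm reported for searchsettings.exe in this post.
    print("ZoneAlarm DNS destination matches registry resolver:",
          firewall_destination_is_rogue_resolver("85.255.115.60", SAMPLE_LOG))
```

The point of the last function is the correlation a defender wants: a firewall alert about an outbound DNS connection on its own says little, but when the destination is also hard-coded as the system's resolver in HKLM\System\CCS\Services\Tcpip\Parameters, every name lookup on the machine is being answered by that host, which explains redirected searches and "updates" arriving unasked.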
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hello bushyaus, welcome to afterdawn.

    My handle is 2oldGeek and I will help you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    First, let’s do a little Pre-Cleaning and Post some Logs so we can see what’s going on…

    Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in scanner.exe and press Enter.
    Right-click on scanner.exe and select Send To > Desktop (create shortcut)
    • From the desktop open Hijackthis. (aka scanner)
    If using Windows Vista, Right-click and Run As Administrator.
    • Click on the Do a system scan and save a log file button
    • Hijackthis will scan and then a log will open in notepad.
    Copy and then paste the entire contents of the log in your post.
    Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

    Although we have renamed Hijackthis to scanner.exe, we will still refer to it as Hijackthis or HJT.



    Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

    Please download and install SUPERAntiSpyware Free

    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
    • Under the "Configuration and Preferences", click the Preferences... button.
    • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
    • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.

    • Click the "Close" button to leave the control center screen and exit the program.
    Do not run a scan just yet.


    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


    Scan with SUPERAntiSpyware as follows:

    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.

    Reboot to Normal Mode

    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.

    • Click Close to exit the program.


    Make a HijackThis Log

    • From the desktop open Hijackthis.
    If using Windows Vista, Right-click and Run As Administrator.
    • Click on the Do a system scan and save a log file button
    • Hijackthis will scan and then a log will open in notepad.
    Copy and then paste the entire contents of the log in your post.
    Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.



    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.



    Please post the HijackThis log, SUPERAntiSpyware Log and Uninstall list in your next reply.



    2OG
     
  3. bushyaus

    bushyaus Member

    Joined:
    Jul 15, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Dear 2oldGeek,

    Thanks very much for your reply. My partner and I have decided that we are uncomfortable with accessing the net until this problem is fixed, so unfortunately i will have to decline your generous offer of help.

    I have read a great deal of what you have done to help out others on the forum and think it is fantastic and inspirational.

    thanks again,

    Bushyaus
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    bushyaus,

    Your decision buddy. Just hope it works out and you don’t lose too much data in the process.

    After this, consider installing an Imaging program like Acronis (the best) or one of the free ones.

    I use it to back up my entire HD everyday and it only takes about 4 minutes. If I ever get a virus, Trojan, etc. I can restore my HD to a good point in the same time, about 4 minutes. It’s like reformat/reinstall without any hassle and you don’t lose any more than about 24hrs of work…..

    2OG

    p.s. My first 3 rules of using a PC on the internet are 1. Backup 2. Backup and 3. Backup ; )
     
    Last edited: Jul 18, 2008
  5. bushyaus

    bushyaus Member

    Joined:
    Jul 15, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    thanks 2OG,

    I'll take your advice on-board. You're exactly right, it's about time I started backing up rather than just thinking "it'd be bad if I lost everything one day". All my problems have allegedly been sorted out at the shop, so fingers crossed..

    thanks mate,
    bushyaus



     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    G’day Mate,

    Here’s a little food for thought……
    As I told you, I use Acronis True Image to back up this computer everyday. That’s because I am constantly changing it and running tests with malware removal techniques.
    Since I have learned to block malware, and never get any except what I download myself, from time to time I will go to sites that I know will infect me with a Trojan or other malware then I will hunt that sucker down and figure out the best way to remove it..
    When I’m through, I simply restore my main drive back like it was.

    Removal techniques are just a hobby with me now and I do enjoy helping the poor victims of malware in any way I am able.

    My boot drive contains nothing except the OS and the applications that I use.
    My second drive contains my backup for my main drive and all my data, i.e. My Documents files have been moved to the second drive. That way if my main drive ever goes down, I won’t lose any of my data files, pictures, movie clips or the image of my Main drive. I can simply stick in a new drive and Image it exactly like my old one..

    I setup the computers at my work place the same way except they are not backed up as often because the applications don’t change. The backup drive for the data however, is backed up on a regular schedule to an external drive.

    After years of losing data, I find that this solution works for me. I haven’t lost anything in years now. I have all the computers I am in charge of blocked from malware but if anything happens to slip through, it’s covered with a 4 minute restore back to the original system, with all the programs intact and no reinstalling required…..

    Like I said, bushyaus, just some food for thought.. : )

    2oG
     
  7. bushyaus

    bushyaus Member

    Joined:
    Jul 15, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    hey 2OG,

    I see that you have figured out I'm from the land down under. Thanks for the extra advice. I have been wondering, however, if this backup system mirrors my hard drive, then it could be quite likely that I would also be backing up any malware that I am not aware of at the time. Therefore, if I have a terminal problem one day and go to restore from my previous day backup, it may be likely that I am just going back to the calm before the storm, yes?

    What are your recommendations for backing up- have a recent backup (daily/weekly) & a longer term backup (3 monthly?) as well?

    ps: my computer does not seem to have been healed by the guys at the shop, so I guess I'll be taking it back. Not a happy camper...

    catch up soon

    bushyaus

     
  8. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78



    I know I was confusing with my last post so, let me lay it out a little better… LOL

    When I set up a computer to start using:

    1. I tweak Windows and delete everything that I feel is unnecessary on a clean install.

    2. I install all the applications (programs) that I will be using on that machine.

    3. I move the My Documents folder to the second drive so it will not be intermixed with the operating system.

    4. Once My Documents has been moved, the System disk will contain only the OS and the Apps. I use Acronis to make a Master back up of the drive so I always have the Master copy to fall back on if I become infected. The backup can be kept on the 2nd drive or a usb drive. It’s possible to keep it in a special partition on the main drive that Acronis can set up but I don’t like that option because if the main drive locks up, you’ve lost your backup…..

    5. Acronis can be set up to make Incremental backups, that is, it just backs up the changes, if any, that have occurred since the last backup. This takes less space than copying a full drive…

    6. On the business machines, I set Acronis to backup the My Documents Folder (Data) each day. That way I am only 24 hours behind if anything happens. It’s backed up to a usb drive.

    7. I keep a record of any changes to the OS or Apps that I make and only do a backup of the main drive after I have made any changes…

    I hope that clarifies some of it.. I have been doing it so long now that it's second nature and I don’t even think about it anymore. ; )

    Any questions? Just give me a shout…

    Regards,
    2OG
     
  9. geocide

    geocide Guest

    hi 2oldgeek

    My laptop has the same symptoms as bushyaus; I've done everything that you stated to do and here are my logs.

    This is the first HijackThis list:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:54 AM, on 2008/08/26
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16711)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Windows\System32\s3trayp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iBurst Dashboard V2\DashboardLauncher.exe
    C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
    C:\Windows\FSScrCtl.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Users\yetti\Desktop\scanner.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.yetticustoms.com/Login.aspx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VistaADeck\HDAudioCPL.exe 1
    O4 - HKLM\..\Run: [lphcnutj0ev9r] C:\Windows\system32\lphcnutj0ev9r.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [lphcnutj0ev9r] C:\Windows\system32\lphcnutj0ev9r.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Dashboard Launcher.lnk = ?
    O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
    O4 - Global Startup: Screen Saver Control.lnk = C:\Windows\FSScrCtl.exe
    O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217835484317
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7347 bytes


    and here is the SUPERAntiSpyware log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/25/2008 at 11:03 PM

    Application Version : 4.20.1046

    Core Rules Database Version : 3546
    Trace Rules Database Version: 1535

    Scan type : Complete Scan
    Total Scan Time : 01:54:01

    Memory items scanned : 230
    Memory threats detected : 0
    Registry items scanned : 8044
    Registry threats detected : 3
    File items scanned : 196450
    File threats detected : 64

    Trojan.FakeAlert/Desktop
    HKU\S-1-5-21-926425720-3472655693-2748052185-1000\CONTROL PANEL\DESKTOP#WALLPAPER
    HKU\S-1-5-21-926425720-3472655693-2748052185-1000\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER
    HKU\S-1-5-21-926425720-3472655693-2748052185-1000\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER

    Adware.Tracking Cookie
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@2o7[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@ad.lookery[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@ad.yieldmanager[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@ad1.clickhype[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@ad2.doublepimp[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adbrite[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adecn[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adopt.euroclick[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adrevolver[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@ads.bleepingcomputer[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@ads.communitycompetence[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adtech[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adultadworld[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adv.xboard[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@adv.xboard[3].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@advertising[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@affiliates.trafficsynergy[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@atdmt[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@atlassian.122.2o7[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@atwola[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@banners.adventory[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@bs.serving-sys[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@burstnet[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@cartoonpornguide[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@counter.hitslink[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@counter13.sextracker[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@doubleclick[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@dropdeadsexypinups[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@fastclick[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@hentaicounter[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@hotlog[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@i-draw-porn[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@imrworldwide[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@kontera[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@linkto.mediafire[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@media.adrevolver[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@mediafire[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@metacafe.122.2o7[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@msnportal.112.2o7[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@paycounter[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@pro-market[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@r-kimedia.co[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@revsci[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@roiservice[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@rotator.adjuggler[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@serving-sys[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@sextracker[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@smartadserver[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@socialmedia[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@specificclick[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@sr.kitnmedia[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@statcounter[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@stats.adbrite[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@tacoda[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@toplist[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@tribalfusion[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@www.burstnet[2].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@www.googleadservices[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@www.mywebstats[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@www.webpagecounter[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@www1.addfreestats[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@www3.addfreestats[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@xiti[1].txt
    C:\Users\yetti\AppData\Roaming\Microsoft\Windows\Cookies\Low\yetti@yadro[1].txt


    this is the next HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:54 AM, on 2008/08/26
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16711)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Windows\System32\s3trayp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iBurst Dashboard V2\DashboardLauncher.exe
    C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
    C:\Windows\FSScrCtl.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Users\yetti\Desktop\scanner.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.yetticustoms.com/Login.aspx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VistaADeck\HDAudioCPL.exe 1
    O4 - HKLM\..\Run: [lphcnutj0ev9r] C:\Windows\system32\lphcnutj0ev9r.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [lphcnutj0ev9r] C:\Windows\system32\lphcnutj0ev9r.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Dashboard Launcher.lnk = ?
    O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
    O4 - Global Startup: Screen Saver Control.lnk = C:\Windows\FSScrCtl.exe
    O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217835484317
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7347 bytes


    and finally here is the uninstall log

    Absolut Chess 1.4.6
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 6.0.2
    Adobe Stock Photos 1.0
    ALPS Touch Pad Driver
    AngelPotion Video Codec V1
    Applian FLV Player
    Autodesk 3ds Max 8
    Autodesk 3ds Max 8 Reference Files
    Autodesk DWF Viewer
    AVG Free 8.0
    Backburner
    BSPlayer
    CpuIdle (remove only)
    DivX Pro Codec
    DVD Shrink 3.2
    Easy DVD Maker 3.2.25
    Easy Video Converter 7.2.1
    FirstSteps Diagnostics
    Flash Games 1.0
    Flash Games 2006 1.0
    Flash Player 8.0.22.0
    Guitar Pro 5.2
    HDAUDIO Soft Data Fax Modem with SmartCP
    HijackThis 2.0.2
    Hot Rod Cars Scenic Reflections Screen Saver
    Hot Rod Cars Scenic Reflections Screen Saver
    iBurst Dashboard V2
    iBurst Terminal
    iClone SE - Fantasy Experience
    InterVideo WinDVD 8
    K-Lite Codec Pack 2.20 Full
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Fireworks 8
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash Player 8
    Macromedia Flash Player 8 Plugin
    MahJong Suite 2005 2.8
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Monopoly Here & Now
    MP3 Player Utilities 4.18
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Nero 7 Ultra Edition
    Nokia Connectivity Cable Driver
    Nokia PC Connectivity Solution
    Nokia PC Suite
    Pdf995
    PdfEdit995
    PowerDVD
    PowerISO
    QuickTime
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile Composite Device Software
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio 3
    Samsung PC Studio 3 USB Driver Installer
    Spybot - Search & Destroy
    Stardust Screen Saver Control 2.1.60
    Stardust Screen Saver QuickStart 2.1
    SUPERAntiSpyware Free Edition
    Switch
    VeZA Route planner
    VIA Chrome9 HC IGP Windows Vista Display
    VIA Platform Device Manager
    VIA Rhine-Family Fast-Ethernet Adapter
    Virtual DJ - Atomix Productions
    Windows Media Player 11.0.5358.4826
    WinRAR archiver

    I am running Windows Vista 32-bit. SUPERAntiSpyware found numerous infections and removed them. Now when I restarted there was no c:\...\*.tmp.vbs access denied message, but I still have no access to my change background option. Please, any help will be appreciated.
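
Reading the HijackThis logs posted above by hand, the entries that stand out are the O4 Run values pointing at a random-looking executable name in system32 (registered under both HKLM and HKCU), the O20 AppInit_DLLs entry, and the O23 service whose owner HijackThis could not identify. The Python script below is an added example, not part of this thread and not a HijackThis feature: it parses log lines of that shape and flags those three patterns. The sample lines are constructed from the posted log, and the `looks_random`, `image_path` and `triage` helpers and their flagging heuristics are this example's own assumptions, not a verdict on any particular file.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the forum thread and not a HijackThis feature.
It parses O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines and
flags patterns worth a second look. The heuristics are this example's own
assumptions; a flag is a reason to investigate a file, not a verdict.
"""
import re
import sys
from collections import Counter

# Constructed sample: lines of the shape seen in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [lphcnutj0ev9r] C:\Windows\system32\lphcnutj0ev9r.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [lphcnutj0ev9r] C:\Windows\system32\lphcnutj0ev9r.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
""".strip()

O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def image_path(cmdline: str) -> str:
    """Return the executable part of a Run value (drops arguments)."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):                      # quoted path, maybe followed by args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)  # unquoted: cut right after the .exe
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def looks_random(stem: str) -> bool:
    """Assumed heuristic: long, digits wedged between letters, vowel-poor.

    Matches names such as lphcnutj0ev9r; leaves avgtray or MSASCui alone.
    """
    s = stem.lower()
    if len(s) < 10 or not s.isalnum():
        return False
    digit_inside = re.search(r"[a-z]\d+[a-z]", s) is not None
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return digit_inside and vowel_ratio < 0.3


def triage(log_text: str) -> dict:
    """Parse the log and return the parsed Run entries plus a list of findings."""
    run_entries, appinit, services = [], [], []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            run_entries.append((m.group(1), m.group(2), image_path(m.group(3))))
        elif line.startswith("O20 - AppInit_DLLs:"):
            appinit.append(line.split(":", 1)[1].strip())
        elif m := O23_RE.match(line):
            services.append(m.groups())

    findings = []
    # 1. random-looking binary living in a system directory
    for hive, name, path in run_entries:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem) and "\\system32\\" in path.lower():
            findings.append(f"O4 {hive} [{name}]: random-looking name in system32: {path}")
    # 2. same image registered under several hives (machine-wide and per-user persistence)
    for path, n in Counter(p.lower() for _, _, p in run_entries).items():
        if n > 1:
            findings.append(f"O4: {path} registered {n} times across hives")
    # 3. AppInit_DLLs is loaded into every process that links user32.dll, so always list it
    for dll in appinit:
        findings.append(f"O20 AppInit_DLLs: {dll} (verify the publisher)")
    # 4. services whose owner HijackThis could not identify
    for name, owner, path in services:
        if owner.lower().startswith("unknown"):
            findings.append(f"O23 service {name}: {owner} -> {path}")
    return {"run_entries": run_entries, "findings": findings}


if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (no argument: run on the constructed sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text)["findings"]:
        print(f)
```

The output is a triage list, not a detection. A random-looking name is a reason to look the file up (publisher, hash, where it came from), and a legitimate AppInit_DLLs entry such as an anti-virus shim is listed as well, which is deliberate: that value is loaded into every GUI process, so it should always be confirmed rather than skimmed past.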
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @ genocide,
    When you think you have the same problems as someone else, you probably don’t. All computers are different and need different cleanup programs and methods of applying them. You are running Vista and bushyaus has XP, big difference.

    Let’s step back and do it over. I don’t need the uninstall list again. But I do need the following:


    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    • If an update is found, it will download and install the latest version.

    • Once the program has loaded, select Perform full scan, then click Scan.

    • When the scan is complete, click OK, then Show Results to view the results.

    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.

    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

    Next:

    Download ComboFix from Here

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.


    Please post the MBAM Log, ComboFix Log and a fresh HJT log in your next reply.



    2OG
     