Can't remove spyware

Discussion in 'Windows - Virus and spyware problems' started by mav41, Dec 4, 2007.

  1. mav41

    mav41 Member

    Joined:
    Nov 6, 2007
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    16
    I was using Limewire and all of a sudden 3 icons appeared on my desktop.

    Error Cleaner
    Privacy Protector
    Spyware & Malware Protection

    These are the 3 icons that appeared. And I am also getting popups trying to get me to download spyware protection even when offline.
    I would really appreciate any help.
     
  2. wrules

    wrules Regular member

    Joined:
    Nov 20, 2006
    Messages:
    315
    Likes Received:
    0
    Trophy Points:
    26
  3. wrules

    wrules Regular member

    post back so i can see if it got rid of your problem
     
  4. mav41

    mav41 Member

    Thank you for responding, but neither worked.

    I tried Spyware Doctor, and the description of the things that it found affecting my computer seem pretty accurate, but I have to buy it so it can remove them. So I was wondering if there's any way I can get it for free. Or any similar software.
     
  5. shiloh72

    shiloh72 Guest

    Try www.spywareterminator.com. Download it, then make sure it's updated, then reboot your computer in safe mode and run the program. It has never failed me.
     
  6. mav41

    mav41 Member

    I tried it and it didn't work. I'll probably buy Spyware Doctor; it's only $30. I'll still try any suggestions if anybody has any.
     
  7. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    hi,

    that's the classic sign of smitfraud.
    i have some screenshots on my website:

    http://www.virusvault.us/smitfraud_trojan_downloaders.htm

    i would also suggest you get hjt and post a log after you run smitfraud as it can be packaged with other "goodies" that the smitfraud fix will not address.
    -------------------------------------
    Download SmitfraudFix (by S!Ri) to your Desktop:

    http://www.bleepingcomputer.com/files/smitfraudfix.php

    you might want to copy/paste this into notepad and save it so you can read it in safe mode:

    boot computer into safe mode.

    to reach safe mode: restart your computer and tap the f8 key during the boot up. choose the first option from the list: safe mode. log on to your regular account.

    locate the smitfraud icon on the desktop and double click it to start.
    from the main option menu, choose the second option (clean). after smitfraud runs, disk clean will run; last, when asked if you want to clean the registry, select y (yes) then enter. the computer will reboot and after the restart produce a log. please save the log somewhere.

    post the smitfraud log and a hjt log.

    echoreply
     
  8. shiloh72

    shiloh72 Guest

    Well good luck I hope you get it fixed
     
  9. wrules

    wrules Regular member

    try, http://free.grisoft.com/doc/20/lng/us/tpl/v5
    that is AVG Anti-Spyware (free version). This version of AVG Anti-Spyware features the same powerful scanner as the paid-for version does; only this version will not watch your computer in real time. This is one of the best on-demand scanners.
     
  10. mav41

    mav41 Member

    This is what came up after I did what you said. I didn't try hjt, it said it could do more harm than good if you don't know how to use it.

    SmitFraudFix v2.258

    Scan done at 13:43:32.84, Thu 12/06/2007
    Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{BA2D26AE-8B5B-463B-9162-ADC3FFB93BE1}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{BA2D26AE-8B5B-463B-9162-ADC3FFB93BE1}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{BA2D26AE-8B5B-463B-9162-ADC3FFB93BE1}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  11. echoreply

    echoreply Regular member

    hi,

    the smitfraud scan looks ok.

    you don't really have to use hjt; just scan with it and post the results for me:

    Download HiJackThis log - Trend Micro HijackThis 2.0.2

    http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

    * Save HJTInstall.exe to your desktop.
    * Double-click on the HJTInstall.exe icon on your desktop.
    * By default it will install to C:\Program Files\Trend Micro\HijackThis.
    * Click on Install.
    * It will create a HijackThis icon on the desktop.
    * Once installed, it will launch HijackThis.
    * Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    * Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in next reply.

    echoreply
     
  12. mav41

    mav41 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:21:31 PM, on 12/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AudioGizmo Toolbar Helper - {5980B104-CA68-4A9F-9E78-80ADBD2CA53B} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

     
  13. echoreply

    echoreply Regular member

  14. mav41

    mav41 Member

    Sorry I took so long.

    ComboFix 07-12-12.3 - HP_Administrator 2007-12-11 21:00:59.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.91 [GMT -8:00]
    Running from: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\PARRS8BS\ComboFix[1].exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\internet explorer\msimg32.dll
    C:\WINDOWS\dat.txt
    C:\WINDOWS\rs.txt
    C:\WINDOWS\system32\f3PSSavr.scr
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
    .

    2007-12-11 20:49 . 2007-12-11 20:49 <DIR> d-------- C:\WINDOWS\LastGood
    2007-12-07 12:21 . 2007-12-07 12:21 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-06 14:02 . 2007-12-06 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-06 13:33 . 2007-12-06 13:43 3,894 --a------ C:\WINDOWS\system32\tmp.reg
    2007-12-06 12:58 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-12-06 12:58 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-12-06 12:58 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-12-06 12:58 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-12-06 12:58 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-12-04 00:12 . 2007-12-11 20:50 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-12-04 00:12 . 2007-12-04 00:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
    2007-12-04 00:12 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-12-04 00:12 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-12-04 00:12 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-12-04 00:12 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-12-03 23:45 . 2007-12-03 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2007-12-02 21:49 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-11-30 00:31 . 2007-11-30 00:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-11-30 00:31 . 2007-11-30 00:31 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-11-25 20:30 . 2007-11-25 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
    2007-11-23 13:32 . 2007-11-23 13:32 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Viewpoint
    2007-11-17 23:20 . 2007-11-17 23:20 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MySpace

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-09 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2007-12-07 20:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-07 19:36 --------- d-----w C:\Program Files\Norton Internet Security
    2007-12-07 19:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-12-07 19:32 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-07 19:32 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-07 19:32 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-12-07 19:32 --------- d-----w C:\Program Files\Symantec
    2007-12-03 02:20 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
    2007-12-02 21:56 21,556 ----a-w C:\Documents and Settings\HP_Administrator\xrt_log.dat
    2007-11-23 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-08 23:41 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
    2007-11-08 22:51 --------- d-----w C:\Program Files\Elaborate Bytes
    2007-11-08 21:22 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\RipIt4Me
    2007-11-07 22:58 --------- d-----w C:\Program Files\Digital Photo Recovery
    2007-11-06 08:33 --------- d-----w C:\Program Files\GetData
    2007-11-03 18:32 --------- d-----w C:\Program Files\SBC Self Support Tool
    2007-11-03 18:32 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Motive
    2007-11-02 08:13 --------- d-----w C:\Program Files\LimeWire
    2007-10-31 18:52 19,818 ----a-w C:\Documents and Settings\HP_Administrator\xrt_collect.zip
    2007-10-26 05:01 --------- d-----w C:\Program Files\Java
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-24 18:53 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\TuneUp Software
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\y8lcr4ox.exe
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\tp5kji4s.exe
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\qxqiny84.exe
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\q2x3c0sm.exe
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\gr1tbk7a.exe
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\8a2t4lwu.exe
    2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\156wooq4.exe
    2007-10-23 00:20 36,864 ----a-w C:\WINDOWS\l8ttvcks.exe
    2007-10-23 00:20 36,864 ----a-w C:\Documents and Settings\HP_Administrator\xrt_wtyo.exe
    2007-10-13 17:19 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Netscape
    2007-10-13 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
    2007-10-13 05:19 --------- d-----w C:\Program Files\HP Games
    2007-10-13 02:31 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-10-12 02:09 --------- d-----w C:\Program Files\Common Files\Motive
    2007-10-11 00:45 155,995 ----a-w C:\WINDOWS\java\Packages\3RJLJ1JZ.ZIP
    2007-10-03 20:59 958 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2007-10-01 22:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-10-01 22:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5980B104-CA68-4A9F-9E78-80ADBD2CA53B}]
    2007-03-28 21:18 798720 --a------ C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C6BB606F-232D-4957-8AFF-7D4F4A220F67}"= C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll [2007-03-28 21:18 798720]

    [HKEY_CLASSES_ROOT\clsid\{c6bb606f-232d-4957-8aff-7d4f4a220f67}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{C6BB606F-232D-4957-8AFF-7D4F4A220F67}"= C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll [2007-03-28 21:18 798720]

    [HKEY_CLASSES_ROOT\clsid\{c6bb606f-232d-4957-8aff-7d4f4a220f67}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 13:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 21:25]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 15:19 C:\WINDOWS\arpwrmsg.exe]
    "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 15:35]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 14:14]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
    "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 14:34]
    "Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-13 18:23]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 10:18]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-14 00:45]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-07 20:54 C:\WINDOWS\RTHDCPL.EXE]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 20:26]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
    "Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 06:51]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-10-10 20:56:24]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44]
    Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-14 01:06:58]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    "DiscUpdateManager"=C:\Program Files\DISC\DiscUpdMgr.exe
    "DISCover"=C:\Program Files\DISC\DISCover.exe


    *Newly Created Service* - CATCHME
    *Newly Created Service* - COMHOST
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-03 00:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
    "2007-07-09 14:52:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-12-12 04:59:10 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
    - C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
    "2007-11-24 04:42:34 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job"
    - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-11 21:05:45
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-11 21:07:15
    .
    2007-11-13 21:21:00 --- E O F ---
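    The Find3M report above is where the interesting evidence sits: eight executables of exactly 36,864 bytes with random eight-character names, all written to C:\WINDOWS within two minutes, plus xrt_wtyo.exe of the same size and minute in the user profile. As an added example (not code from this thread, from ComboFix or from its author), here is a small Python triage script that parses Find3M-format lines and flags those two signals: a random-looking 8-character .exe name directly in C:\WINDOWS, and a group of executables sharing one size and written within minutes of each other. The sample input is a constructed excerpt copied from the log above; the regexes, the "at least three members" threshold and the 10-minute window are my own assumptions, and the output is a review list for a helper to check, not a verdict.

```python
"""Triage helper for the Find3M section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix. It encodes two
signals a helper looks for when picking files for a CFScript: a group of
executables that share one size and were dropped within minutes of each
other, and an executable with a random-looking 8-character name sitting
directly in C:\\WINDOWS. Neither signal proves a file malicious on its own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Find3M layout (date time size attrs path):
# the suspicious cluster from the log above plus a few benign entries.
SAMPLE_FIND3M = r"""
2007-12-07 19:32 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-08 23:41 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\y8lcr4ox.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\tp5kji4s.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\qxqiny84.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\q2x3c0sm.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\gr1tbk7a.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\8a2t4lwu.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\156wooq4.exe
2007-10-23 00:20 36,864 ----a-w C:\WINDOWS\l8ttvcks.exe
2007-10-23 00:20 36,864 ----a-w C:\Documents and Settings\HP_Administrator\xrt_wtyo.exe
2007-10-01 22:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
"""

# One Find3M line: timestamp, size (or dashes for a directory), attribute
# string, then the path, which may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$"
)
# Assumed heuristic: exactly 8 alphanumerics with at least one digit, .exe.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8}\.exe$", re.IGNORECASE)


def parse_find3m(text):
    """Parse Find3M lines into dicts; directory entries (size shown as dashes) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("size").startswith("-"):
            continue
        entries.append({
            "when": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def random_name_in_windows_root(entry):
    """True for a random-looking .exe placed directly in C:\\WINDOWS (not a subfolder)."""
    directory, _, name = entry["path"].rpartition("\\")
    return directory.lower() == "c:\\windows" and bool(RANDOM_NAME_RE.match(name))


def size_time_clusters(entries, min_members=3, window=timedelta(minutes=10)):
    """Group .exe files by exact size; keep groups whose timestamps all fall within `window`."""
    by_size = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(".exe"):
            by_size[e["size"]].append(e)
    clusters = []
    for members in by_size.values():
        members.sort(key=lambda e: e["when"])
        if len(members) >= min_members and members[-1]["when"] - members[0]["when"] <= window:
            clusters.append(members)
    return clusters


def triage(text):
    """Return {path: [reasons]} for every entry that trips at least one signal."""
    entries = parse_find3m(text)
    flagged = {}
    for e in entries:
        if random_name_in_windows_root(e):
            flagged.setdefault(e["path"], []).append("random 8-char name in C:\\WINDOWS")
    for members in size_time_clusters(entries):
        for e in members:
            flagged.setdefault(e["path"], []).append(
                f"{len(members)} executables of {e['size']} bytes written within minutes")
    return flagged


def cfscript_file_section(paths):
    """Render a File:: block in the layout the thread uses for CFScript.txt."""
    return "File::\n\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_FIND3M)
    for path, reasons in hits.items():
        print(path, "<-", "; ".join(reasons))
    print(cfscript_file_section(sorted(hits)))
```

    Run against the sample, the size/time cluster catches all nine 36,864-byte files, including xrt_wtyo.exe in the user profile, which the name heuristic alone would miss; that is the reason for combining the two signals rather than relying on either one.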
     
  15. echoreply

    echoreply Regular member

    hi,

    ok thanks for the info. i will get back to you soon.

    echoreply
     
  16. echoreply

    echoreply Regular member

    hi,

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

    Code:
    File::
    
    C:\WINDOWS\y8lcr4ox.exe
    C:\WINDOWS\tp5kji4s.exe
    C:\WINDOWS\qxqiny84.exe
    C:\WINDOWS\q2x3c0sm.exe
    C:\WINDOWS\gr1tbk7a.exe
    C:\WINDOWS\8a2t4lwu.exe
    C:\WINDOWS\156wooq4.exe
    C:\WINDOWS\l8ttvcks.exe
    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop

    next:
    locate the .txt file you just saved and the combofix icon, both on the desktop. left click with the mouse on CFScript.txt and, holding down the mouse button, drag the .txt right on top of the combofix icon and release the mouse button.
    combofix will run and generate a new report. post the new log in your next reply.

    also using explorer look here:
    C:\Documents and Settings\HP_Administrator\
    and delete this file: xrt_wtyo.exe

    reboot once then rescan and post a new hjt log please.

    ----------------------------
     
  17. mav41

    mav41 Member

    I did the thing with combofix and after the reboot my taskbar and start menu changed to the old version and I can't go online. I'm writing this on a different PC. I really need help as soon as possible, PLEASE.
     
  18. mav41

    mav41 Member

    I tried using System Restore and this is what it says.

    System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again.

    I'm trying to restore to a point before I used Combofix.

    Please Help.
     
  19. echoreply

    echoreply Regular member

    hi,

    system restore should never be used in the middle of a malware fix and not at all until the computer is clean. malware can get archived in the restore points and you can re-infect yourself by using system restore.
     
  20. mav41

    mav41 Member

    So what can I do, and why can't I go online?

    Please Help.
     
