Homepage Change and Redirects


This topic is locked
12 replies to this topic

#1 KMM

KMM

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 10 February 2007 - 03:01 PM

I posted my problem earlier, but I read a post that looked like a similar problem. My homepage keeps getting changed to Google, and if I do any search it redirects me to unwanted sites. Help!!!!

Thanks in advance to anyone who can help save my sanity.

--KMM


Fixwareout file:

»»»»» System restarted
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

»»»»» Misc files.

»»»»» Checking for older varients.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"System"=""
»»»»»

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"PCTVOICE"="pctspk.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DadApp"="C:\\WINDOWS\\SYSTEM32\\Drivers\\dadapp.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"nwiz"="nwiz.exe /installquiet"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RegistryMechanic"=""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"GoGoTray.exe"="C:\\Program Files\\GoGoData.com\\GoGoData Toolbar\\GoGoTray.exe"

Hosts file was reset, If you use a custom hosts file please replace it

HijackThis File:

Logfile of HijackThis v1.99.1
Scan saved at 3:51:45 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll
O2 - BHO: Still Image - {3C657AAF-22D9-5A16-E17D-31457D631863} - (no file)
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170314595386
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = esu.esu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = esu.esu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = esu.esu
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 February 2007 - 09:28 AM

Hello and welcome to the forums

Please go HERE and do an online scan.
Let me know what is found.


* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 KMM

KMM

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 11 February 2007 - 07:25 PM

Thank you, thank you, thank you for your help!

I tried three times to do an F-Secure scan, but each time it either froze or went to an error when it came time to fix problems. The last time it got to virus 33 of 46.

Here is the Combofix log:

"Ken" - 07-02-11 20:04:09 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Ken\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 12:03 <DIR> d-------- C:\WINDOWS\LastGood
2007-02-11 09:52 <DIR> d-------- C:\WINDOWS\pss
2007-02-10 15:21 <DIR> d-------- C:\fixwareout
2007-02-07 21:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-02-07 21:39 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-02-07 21:39 <DIR> d-------- C:\Program Files\CA
2007-02-06 23:49 <DIR> d-------- C:\Program Files\GoGoData.com
2007-02-06 21:09 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Help
2007-02-06 01:35 <DIR> d-------- C:\WINDOWS\WBEM
2007-02-06 01:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\en-US
2007-02-06 01:31 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-02-06 01:28 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2007-02-05 23:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-02-05 23:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-02-02 09:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-02 08:35 <DIR> d-------- C:\WINDOWS\Prefetch
2007-02-02 00:05 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-02-01 23:59 <DIR> d-------- C:\WINDOWS\provisioning
2007-02-01 23:59 <DIR> d-------- C:\WINDOWS\peernet
2007-02-01 23:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-02-01 23:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-02-01 23:27 <DIR> d-------- C:\WINDOWS\EHome
2007-02-01 23:01 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2007-02-01 23:01 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-02-01 20:46 90,112 --a------ C:\WINDOWS\SYSTEM32\AVASTSS.scr
2007-02-01 19:46 94,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-02-01 19:46 85,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-02-01 19:46 689,280 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-02-01 19:46 43,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-02-01 19:46 31,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-02-01 19:46 23,352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-02-01 19:46 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-02-01 19:45 <DIR> d-------- C:\Program Files\Alwil Software
2007-02-01 08:34 77,312 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2007-02-01 08:34 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-02-01 08:34 39,936 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-02-01 08:34 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2007-02-01 08:31 956,416 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2007-02-01 08:31 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2007-02-01 08:31 91,136 --a------ C:\WINDOWS\SYSTEM32\mtxoci.dll
2007-02-01 08:31 66,560 --a------ C:\WINDOWS\SYSTEM32\mtxclu.dll
2007-02-01 08:31 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2007-02-01 08:31 625,152 --a------ C:\WINDOWS\SYSTEM32\catsrvut.dll
2007-02-01 08:31 60,416 --a------ C:\WINDOWS\SYSTEM32\colbact.dll
2007-02-01 08:31 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-02-01 08:31 581,120 --a------ C:\WINDOWS\SYSTEM32\rpcrt4.dll
2007-02-01 08:31 540,160 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2007-02-01 08:31 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2007-02-01 08:31 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-02-01 08:31 426,496 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2007-02-01 08:31 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2007-02-01 08:31 397,824 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2007-02-01 08:31 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2007-02-01 08:31 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2007-02-01 08:31 243,200 --a------ C:\WINDOWS\SYSTEM32\es.dll
2007-02-01 08:31 225,792 --a------ C:\WINDOWS\SYSTEM32\catsrv.dll
2007-02-01 08:31 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2007-02-01 08:31 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2007-02-01 08:31 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2007-02-01 08:31 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2007-02-01 08:31 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2007-02-01 08:31 161,280 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2007-02-01 08:31 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2007-02-01 08:31 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2007-02-01 08:31 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-02-01 08:31 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-02-01 08:31 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-02-01 08:31 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2007-02-01 08:31 101,376 --a------ C:\WINDOWS\SYSTEM32\txflog.dll
2007-02-01 08:31 1,285,120 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
2007-02-01 08:31 1,267,200 --a------ C:\WINDOWS\SYSTEM32\comsvcs.dll
2007-02-01 08:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-02-01 08:10 <DIR> d-------- C:\Program Files\Registry Mechanic
2007-02-01 07:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-02-01 07:29 8,192 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-02-01 07:29 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-02-01 07:29 438,784 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-02-01 07:29 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-02-01 07:28 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-02-01 02:26 465,176 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-02-01 02:26 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-02-01 02:26 194,328 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2007-02-01 02:26 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-02-01 02:26 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-02-01 02:26 127,256 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-02-01 02:23 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-02-01 02:22 <DIR> d---s---- C:\DOCUME~1\MATTG~1\UserData
2007-02-01 01:48 <DIR> d-------- C:\Program Files\STOPzilla!
2007-02-01 01:48 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-02-01 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\ZILLAbar
2007-02-01 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\STOPzilla!
2007-02-01 01:15 49,152 --a------ C:\WINDOWS\SYSTEM32\socks_dll.dll
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\tpgdhsol.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\nxqoaaaa.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\mxhqplwj.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\jkuyaiau.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\aeelraaa.exe
2007-02-01 00:41 94,208 --a------ C:\WINDOWS\SYSTEM32\euirjaaa.exe
2007-02-01 00:41 1,046 --a------ C:\WINDOWS\SYSTEM32\rscraaaa.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-10 15:23 503296 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2007-02-06 08:13 -------- d---s---- C:\DOCUME~1\Ken\Application Data\microsoft
2007-02-06 01:37 -------- d-------- C:\Program Files\messenger
2007-02-01 23:59 -------- d-------- C:\Program Files\movie maker
2007-02-01 23:48 -------- d-------- C:\Program Files\windows nt
2007-02-01 02:27 -------- d--h----- C:\Program Files\windowsupdate
2007-02-01 02:26 28835 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-01-04 13:08 -------- d-------- C:\Program Files\lavasoft
2007-01-04 13:08 -------- d-------- C:\DOCUME~1\Ken\Application Data\lavasoft
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"GoGoTray.exe"="C:\\Program Files\\GoGoData.com\\GoGoData Toolbar\\GoGoTray.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PCTVOICE"="pctspk.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DadApp"="C:\\WINDOWS\\SYSTEM32\\Drivers\\dadapp.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"RegistryMechanic"=""
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [3568]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 20:14:08


Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:20 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
O2 - BHO: Still Image - {3C657AAF-22D9-5A16-E17D-31457D631863} - (no file)
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170314595386
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Good news: IE did not reset my password to Google when I just started it!

Thanks again,

KMM

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 February 2007 - 07:42 PM

Delete these Files if listed:
C:\WINDOWS\SYSTEM32\tpgdhsol.exe
C:\WINDOWS\SYSTEM32\nxqoaaaa.exe
C:\WINDOWS\SYSTEM32\jkuyaiau.exe
C:\WINDOWS\SYSTEM32\aeelraaa.exe
C:\WINDOWS\SYSTEM32\euirjaaa.exe
C:\WINDOWS\SYSTEM32\rscraaaa.exe
C:\WINDOWS\SYSTEM32\mxhqplwj.exe

Now try the online scan again

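An added triage script (not from this thread, and not code from ComboFix or HijackThis) that applies the reasoning behind post #4 to the logs in post #3: a burst of freshly created, randomly named executables in SYSTEM32 is suspicious as a group even when no single file is recognised, and BHOs with no name or a missing file, plus any O17 TCP/IP change, are the HijackThis lines a helper reads first. The thresholds (8-letter names, 60-minute window, cluster of 3) are assumptions tuned to this log, not tool defaults, and the sample inputs are constructed excerpts of the logs above.

```python
"""Triage heuristics for the ComboFix and HijackThis logs in this thread.

Added example; not part of the thread and not code from either tool.
Thresholds (8-letter names, 60-minute window, cluster of 3) are assumptions
chosen for this log, not tool defaults.
"""
import re
from datetime import datetime, timedelta

# ComboFix "Files Created" line: date time, size or <DIR>, 9 attribute flags, path
COMBOFIX_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$"
)
# Exactly eight lowercase letters, no digits, directly in SYSTEM32. Case-sensitive
# on purpose: genuine components like clbcatex.dll would otherwise match.
RANDOM_SYS32_EXE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\[a-z]{8}\.exe$")

# Constructed excerpt of the 2007-02-11 ComboFix log above. spupdsvc.exe and
# spnpinst.exe are legitimate update files kept in as controls.
COMBOFIX_SAMPLE = r"""
2007-02-01 23:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-02-01 23:01 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-02-01 02:26 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-02-01 01:15 49,152 --a------ C:\WINDOWS\SYSTEM32\socks_dll.dll
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\tpgdhsol.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\nxqoaaaa.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\mxhqplwj.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\jkuyaiau.exe
2007-02-01 01:13 1,046 --a------ C:\WINDOWS\SYSTEM32\aeelraaa.exe
2007-02-01 00:41 94,208 --a------ C:\WINDOWS\SYSTEM32\euirjaaa.exe
2007-02-01 00:41 1,046 --a------ C:\WINDOWS\SYSTEM32\rscraaaa.exe
"""


def parse_combofix(text):
    """Yield (created, size_in_bytes_or_None, attrs, path) for each file line."""
    for line in text.splitlines():
        m = COMBOFIX_LINE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        yield created, size, m.group(3), m.group(4)


def suspicious_sys32_bursts(text, window=timedelta(minutes=60), min_cluster=3):
    """Return random-named SYSTEM32 executables created in a burst of at least
    `min_cluster` such files inside `window`. An isolated random-looking name
    is left alone: the two spXXXXXX.exe update files in the sample are not
    flagged because only two of them fall within one window."""
    candidates = sorted(
        (created, path)
        for created, size, _, path in parse_combofix(text)
        if size is not None and RANDOM_SYS32_EXE.match(path)
    )
    flagged = set()
    for t0, _ in candidates:
        cluster = [p for t, p in candidates if t0 <= t <= t0 + window]
        if len(cluster) >= min_cluster:
            flagged.update(cluster)
    return sorted(flagged, key=str.lower)


HJT_O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
HJT_O17 = re.compile(r"^O17 - (HKLM\\System\\[^:]+): (\w+) = (.+)$")

# Constructed excerpt of the HijackThis logs above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
O2 - BHO: Still Image - {3C657AAF-22D9-5A16-E17D-31457D631863} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = esu.esu
"""


def suspicious_hjt_entries(text):
    """Return (section, reason, clsid_or_key, target) for lines to look at first.
    '(no name)' alone is not conclusive (Spybot's SDHelper.dll shows up that way
    in this very log), so it is reported as 'review'; a BHO whose file is gone
    is 'stale'; O17 records TCP/IP Domain/SearchList/NameServer changes."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_O2.match(line)
        if m:
            name, clsid, target = m.groups()
            if "(no file)" in target or "(file missing)" in target:
                hits.append(("O2", "stale", clsid, target))
            elif name == "(no name)":
                hits.append(("O2", "review", clsid, target))
            continue
        m = HJT_O17.match(line)
        if m:
            hits.append(("O17", "dns", m.group(1), f"{m.group(2)} = {m.group(3)}"))
    return hits


if __name__ == "__main__":
    for path in suspicious_sys32_bursts(COMBOFIX_SAMPLE):
        print("burst:", path)
    for hit in suspicious_hjt_entries(HJT_SAMPLE):
        print(*hit)
```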

 


#5 KMM

KMM

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 12 February 2007 - 09:48 PM

Thanks again. I deleted the files, and I've done the scan two more times. The first time it went all the way through to the fixes before returning an error message. It cleaned all the viruses and the spyware, but it froze up on the last one, which was a "Possible Browser Hijack Attempt." I'll run the scan one more time again tomorrow. KMM

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 February 2007 - 09:50 PM

Ok. Also run another ComboFix scan after that :thumbup: So I'll need the ComboFix log and a new HJT log.


 


#7 KMM

KMM

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 13 February 2007 - 08:27 PM

Success! I got the F-Secure scan to go all the way through and to remove all the spyware. I ran combofix and HJT, and here are the logs:

ComboFix:

"Ken" - 07-02-13 20:57:19 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Ken\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-13 to 2007-02-13 ))))))))))))))))))))))))))))))))))


2007-02-13 18:34 <DIR> d-------- C:\WINDOWS\LastGood
2007-02-11 09:52 <DIR> d-------- C:\WINDOWS\pss
2007-02-10 15:21 <DIR> d-------- C:\fixwareout
2007-02-07 21:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-02-07 21:39 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-02-07 21:39 <DIR> d-------- C:\Program Files\CA
2007-02-06 23:49 <DIR> d-------- C:\Program Files\GoGoData.com
2007-02-06 21:09 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Help
2007-02-06 01:35 <DIR> d-------- C:\WINDOWS\WBEM
2007-02-06 01:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\en-US
2007-02-06 01:31 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-02-06 01:28 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2007-02-05 23:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-02-05 23:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-02-02 09:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-02 08:35 <DIR> d-------- C:\WINDOWS\Prefetch
2007-02-02 00:05 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-02-01 23:59 <DIR> d-------- C:\WINDOWS\provisioning
2007-02-01 23:59 <DIR> d-------- C:\WINDOWS\peernet
2007-02-01 23:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-02-01 23:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-02-01 23:27 <DIR> d-------- C:\WINDOWS\EHome
2007-02-01 23:01 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2007-02-01 23:01 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-02-01 20:46 90,112 --a------ C:\WINDOWS\SYSTEM32\AVASTSS.scr
2007-02-01 19:46 94,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-02-01 19:46 85,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-02-01 19:46 689,280 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-02-01 19:46 43,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-02-01 19:46 31,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-02-01 19:46 23,352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-02-01 19:46 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-02-01 19:45 <DIR> d-------- C:\Program Files\Alwil Software
2007-02-01 08:34 77,312 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2007-02-01 08:34 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-02-01 08:34 39,936 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-02-01 08:34 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2007-02-01 08:31 956,416 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2007-02-01 08:31 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2007-02-01 08:31 91,136 --a------ C:\WINDOWS\SYSTEM32\mtxoci.dll
2007-02-01 08:31 66,560 --a------ C:\WINDOWS\SYSTEM32\mtxclu.dll
2007-02-01 08:31 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2007-02-01 08:31 625,152 --a------ C:\WINDOWS\SYSTEM32\catsrvut.dll
2007-02-01 08:31 60,416 --a------ C:\WINDOWS\SYSTEM32\colbact.dll
2007-02-01 08:31 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-02-01 08:31 581,120 --a------ C:\WINDOWS\SYSTEM32\rpcrt4.dll
2007-02-01 08:31 540,160 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2007-02-01 08:31 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2007-02-01 08:31 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-02-01 08:31 426,496 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2007-02-01 08:31 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2007-02-01 08:31 397,824 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2007-02-01 08:31 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2007-02-01 08:31 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2007-02-01 08:31 243,200 --a------ C:\WINDOWS\SYSTEM32\es.dll
2007-02-01 08:31 225,792 --a------ C:\WINDOWS\SYSTEM32\catsrv.dll
2007-02-01 08:31 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2007-02-01 08:31 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2007-02-01 08:31 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2007-02-01 08:31 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2007-02-01 08:31 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2007-02-01 08:31 161,280 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2007-02-01 08:31 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2007-02-01 08:31 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2007-02-01 08:31 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-02-01 08:31 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-02-01 08:31 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-02-01 08:31 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2007-02-01 08:31 101,376 --a------ C:\WINDOWS\SYSTEM32\txflog.dll
2007-02-01 08:31 1,285,120 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
2007-02-01 08:31 1,267,200 --a------ C:\WINDOWS\SYSTEM32\comsvcs.dll
2007-02-01 08:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-02-01 08:10 <DIR> d-------- C:\Program Files\Registry Mechanic
2007-02-01 07:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-02-01 07:29 8,192 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-02-01 07:29 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-02-01 07:29 438,784 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-02-01 07:29 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-02-01 07:28 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-02-01 02:26 465,176 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-02-01 02:26 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-02-01 02:26 194,328 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2007-02-01 02:26 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-02-01 02:26 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-02-01 02:26 127,256 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-02-01 02:23 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-02-01 02:22 <DIR> d---s---- C:\DOCUME~1\MATTG~1\UserData
2007-02-01 01:48 <DIR> d-------- C:\Program Files\STOPzilla!
2007-02-01 01:48 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-02-01 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\ZILLAbar
2007-02-01 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\STOPzilla!
2007-02-01 01:15 49,152 --a------ C:\WINDOWS\SYSTEM32\socks_dll.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-10 15:23 503296 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2007-02-06 08:13 -------- d---s---- C:\DOCUME~1\Ken\Application Data\microsoft
2007-02-06 01:37 -------- d-------- C:\Program Files\messenger
2007-02-01 23:59 -------- d-------- C:\Program Files\movie maker
2007-02-01 23:48 -------- d-------- C:\Program Files\windows nt
2007-02-01 02:27 -------- d--h----- C:\Program Files\windowsupdate
2007-02-01 02:26 28835 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-01-04 13:08 -------- d-------- C:\Program Files\lavasoft
2007-01-04 13:08 -------- d-------- C:\DOCUME~1\Ken\Application Data\lavasoft
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"GoGoTray.exe"="C:\\Program Files\\GoGoData.com\\GoGoData Toolbar\\GoGoTray.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PCTVOICE"="pctspk.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DadApp"="C:\\WINDOWS\\SYSTEM32\\Drivers\\dadapp.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-13 21:11:46
C:\ComboFix2.txt ... 07-02-11 20:14






HJT:


Logfile of HijackThis v1.99.1
Scan saved at 9:15:16 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\DOCUME~1\Ken\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Ken\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ken\Desktop\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\a4246a739538de4092ff4efee1ce6dd7\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
O2 - BHO: Still Image - {3C657AAF-22D9-5A16-E17D-31457D631863} - (no file)
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170314595386
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Many Thanks,

KMM

#8 LDTate


Posted 13 February 2007 - 08:51 PM

Run HijackThis. Hit "None of the above", then click "Do a System Scan Only". Put a check in the box on the left side of these:

O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
O2 - BHO: Still Image - {3C657AAF-22D9-5A16-E17D-31457D631863} - (no file)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

Close ALL windows and browsers except HijackThis and click "Fix checked"


Empty Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


#9 KMM


Posted 13 February 2007 - 09:13 PM

I guess telling you how the computer was running might have been an important piece of information to include. :) I guess I was too excited about the scan working.

The computer seems to be working fine now. My homepage was reset right after the last combofix, but it was reset to msn.com. Is that just the default?

I can't thank you enough.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:29 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www3.esu.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170314595386
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
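
As an added example (not from this thread, and not part of HijackThis or ComboFix), a small Python triage helper for the HijackThis v1.99.1 log format posted above: it picks out the entries HJT marked "(file missing)" or "(no file)" (the reason the two orphaned O2 BHO lines went to "Fix checked"), cross-checks each against the log's own "Running processes" list so that an entry whose file is visibly running (the avast! mail scanner service, which the log shows running while HJT reports its quoted path as missing) lands in a verify-by-hand bucket instead of being treated as a leftover, and diffs a before and after log to list exactly what the fix removed. The sample log text is constructed from trimmed entries of the two logs in this thread; Entry, triage and removed_between are names chosen here.

```python
import re
from dataclasses import dataclass

# Markers HijackThis v1.99.1 appends when the file behind an entry is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Line shapes for the HJT sections that matter in this thread (O2/O3, O4 Run keys, O23
# services); anything else (R0/R1, O8, O9, O16 ...) is kept whole as its own key.
RE_O2_O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-F-]{36}\}) - (.*)$", re.I)
RE_O4_RUN = re.compile(r"^(O4) - (HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
RE_O23 = re.compile(r"^(O23) - Service: (.*?) - (.*?) - (.*)$")
RE_GENERIC = re.compile(r"^([RO]\d+) - (.*)$")

@dataclass
class Entry:
    section: str    # HJT section, e.g. "O2"
    key: str        # stable identity: CLSID, hive\key\value name, or service display name
    target: str     # file or command the entry points at
    orphaned: bool  # HJT could not find the file behind the entry
    raw: str

def parse_entry(line):
    """One HJT log line -> Entry, or None for non-entry lines (headers, process list)."""
    line = line.strip()
    orphaned = line.endswith(ORPHAN_MARKERS)
    if m := RE_O2_O3.match(line):
        sec, _name, clsid, target = m.groups()
        return Entry(sec, clsid.upper(), target, orphaned, line)
    if m := RE_O4_RUN.match(line):
        sec, hive, runkey, value, cmd = m.groups()
        return Entry(sec, f"{hive}\\{runkey}\\{value}", cmd, orphaned, line)
    if m := RE_O23.match(line):
        sec, name, _owner, target = m.groups()
        return Entry(sec, name, target, orphaned, line)
    if m := RE_GENERIC.match(line):
        return Entry(m.group(1), m.group(2), m.group(2), orphaned, line)
    return None

def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def running_basenames(text):
    """Lower-cased exe names from the 'Running processes:' block (ends at the first blank line)."""
    names, in_block = set(), False
    for s in map(str.strip, text.splitlines()):
        if s == "Running processes:":
            in_block = True
        elif in_block and not s:
            break
        elif in_block:
            names.add(s.rsplit("\\", 1)[-1].lower())
    return names

def triage(log_text):
    """Split entries HJT marked missing into 'orphaned' (nothing by that name runs: a leftover,
    safe to fix) and 'verify' (a process with that basename is running, so the path was
    probably mis-parsed, as with the quoted avast! service path here; check by hand first)."""
    procs = running_basenames(log_text)
    orphaned, verify = [], []
    for e in parse_log(log_text):
        if e.orphaned:
            m = re.search(r'([^\\/"]+\.(?:exe|dll))', e.target, re.I)
            base = m.group(1).lower() if m else None
            (verify if base in procs else orphaned).append(e)
    return orphaned, verify

def removed_between(before_text, after_text):
    """Entries in the earlier log that are gone from the later one (what 'Fix checked' removed)."""
    after_keys = {(e.section, e.key) for e in parse_log(after_text)}
    return [e for e in parse_log(before_text) if (e.section, e.key) not in after_keys]

# Constructed sample logs, trimmed from the two HJT logs posted in this thread.
BEFORE_LOG = r"""Running processes:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
O2 - BHO: Still Image - {3C657AAF-22D9-5A16-E17D-31457D631863} - (no file)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""
AFTER_LOG = r"""Running processes:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""
```

Calling `triage(BEFORE_LOG)` returns the two orphaned BHO CLSIDs in the first list and the avast! service in the second; `removed_between(BEFORE_LOG, AFTER_LOG)` lists the four entries the fix took out.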

#10 LDTate


Posted 13 February 2007 - 09:18 PM

My homepage was reset right after the last combofix, but it was reset to msn.com. Is that just the default?

Yes. You can make it whatever you want.

It looks like you are running 2 anti-virus programs. That can cause all kinds of problems.


1. Click Start > Settings > Control Panel.
2. Next, open Add/Remove Programs and remove either Avast4 or Network Associates (McAfee).


#11 KMM


Posted 13 February 2007 - 09:40 PM

Will do, and thanks so much again. KMM

#12 LDTate


Posted 13 February 2007 - 09:41 PM

You can remove any programs I had you install

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.



If you don't have any programs like these, I would recommend that you get them:
Spywareblaster,
Spywareguard.


Also get a FREE FIREWALL and FREE ANTI-VIRUS if you need one.

Only run one Anti-Virus and Firewall program.

It is critical to have both a firewall and anti-virus to protect your system.

Keep your system up to date and run Ad-aware & Spybot (once a week works), and hopefully you will be OK from here on. Both are available below.

Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware


Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


#13 LDTate


Posted 18 February 2007 - 07:31 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
