Once it's done scanning, click the Fix Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
We are going to run Vundofix again, but change the instructions slightly.
Double Click VundoFix.exe to run the program
In the white open window Right Click and Select "Add more files?"
An Explorer window will open. Locate the files listed below and Select "Open".
C:\WINDOWS\system32\nqcdptyx.dll
If there is more than one file listed, repeat the process until all the files listed are added.
If you are unable to find one of the files listed, manually type in the complete path and file name and Select "Open"
Right click in the open window and Select "Select all" (or manually add check marks) in the boxes preceding the file names.
With the boxes all checked Select "Fix Vundo". Do Not Select "Scan for Vundo".
You will receive a prompt asking "Are you sure you want to remove these files?", click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot
1. We Need to temporarily disable SpyBotS&D Tea timer so it doesn't interfere with our fix
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
2. Rerun Hijackthis (scan only) and place checks beside the following entries
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:33 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
Click on Start Scan.
After the scan completes, it will produce a log for you. Copy and paste the results of that scan as a reply to this thread.
If any infections are found, (After you save the logfile), Click on Remove Infections.
Name: TrackingCookie.2o7 Path: C:\Documents and Settings\abrown\Cookies\abrown@2o7[1].txt Risk: Medium
Name: TrackingCookie.Yieldmanager Path: C:\Documents and Settings\abrown\Cookies\abrown@ad.yieldmanager[1].txt Risk: Medium
Name: TrackingCookie.Euroclick Path: C:\Documents and Settings\abrown\Cookies\abrown@adopt.euroclick[2].txt Risk: Medium
Name: TrackingCookie.Advertising Path: C:\Documents and Settings\abrown\Cookies\abrown@advertising[2].txt Risk: Medium
Name: TrackingCookie.Atdmt Path: C:\Documents and Settings\abrown\Cookies\abrown@atdmt[2].txt Risk: Medium
Name: TrackingCookie.Doubleclick Path: C:\Documents and Settings\abrown\Cookies\abrown@doubleclick[1].txt Risk: Medium
Name: TrackingCookie.Realmedia Path: C:\Documents and Settings\abrown\Cookies\abrown@realmedia[1].txt Risk: Medium
Name: TrackingCookie.Netflame Path: C:\Documents and Settings\abrown\Cookies\abrown@ssl-hints.netflame[2].txt Risk: Medium
Name: TrackingCookie.Trafficmp Path: C:\Documents and Settings\abrown\Cookies\abrown@trafficmp[1].txt Risk: Medium
Name: TrackingCookie.Zedo Path: C:\Documents and Settings\abrown\Cookies\abrown@zedo[1].txt Risk: Medium
Name: TrackingCookie.Atdmt Path: :mozilla.11:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Advertising Path: :mozilla.19:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Advertising Path: :mozilla.20:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Advertising Path: :mozilla.21:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Doubleclick Path: :mozilla.22:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Advertising Path: :mozilla.24:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Questionmarket Path: :mozilla.31:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Questionmarket Path: :mozilla.32:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Mediaplex Path: :mozilla.35:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Tribalfusion Path: :mozilla.41:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Realmedia Path: :mozilla.43:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Yieldmanager Path: :mozilla.50:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Yieldmanager Path: :mozilla.57:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Yieldmanager Path: :mozilla.58:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Yieldmanager Path: :mozilla.59:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Yieldmanager Path: :mozilla.60:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: TrackingCookie.Revsci Path: :mozilla.63:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt Risk: Medium
Name: Downloader.Wimad.l Path: C:\Documents and Settings\abrown\My Documents\My Music\07 Track 7 (lambert).wma Risk: High
Name: Dropper.VB.lu Path: C:\Documents and Settings\abrown\My Documents\My Music\Neato MediaFace v4.0.1.71.exe Risk: High
Name: Downloader.VB.bsa Path: C:\Documents and Settings\abrown\My Documents\My Music\Neato MediaFace v5.0.38.zip/Setup.exe Risk: High
Name: TrackingCookie.2o7 Path: C:\Documents and Settings\Debora\Cookies\debora@2o7[2].txt Risk: Medium
Name: TrackingCookie.Euroclick Path: C:\Documents and Settings\Debora\Cookies\debora@adopt.euroclick[2].txt Risk: Medium
Name: TrackingCookie.Adrevolver Path: C:\Documents and Settings\Debora\Cookies\debora@adrevolver[2].txt Risk: Medium
Name: TrackingCookie.Pointroll Path: C:\Documents and Settings\Debora\Cookies\debora@ads.pointroll[1].txt Risk: Medium
Name: TrackingCookie.Casalemedia Path: C:\Documents and Settings\Debora\Cookies\debora@casalemedia[2].txt Risk: Medium
Name: TrackingCookie.Doubleclick Path: C:\Documents and Settings\Debora\Cookies\debora@doubleclick[2].txt Risk: Medium
Name: TrackingCookie.Hitbox Path: C:\Documents and Settings\Debora\Cookies\debora@ehg-bmwna.hitbox[2].txt Risk: Medium
Name: TrackingCookie.Webtrends Path: C:\Documents and Settings\Debora\Cookies\debora@m.webtrends[2].txt Risk: Medium
Name: TrackingCookie.Starware Path: C:\Documents and Settings\Debora\Cookies\debora@starware[2].txt Risk: Medium
Name: TrackingCookie.Tradedoubler Path: C:\Documents and Settings\Debora\Cookies\debora@tradedoubler[1].txt Risk: Medium
Name: TrackingCookie.Tribalfusion Path: C:\Documents and Settings\Debora\Cookies\debora@tribalfusion[2].txt Risk: Medium
Name: TrackingCookie.Zedo Path: C:\Documents and Settings\Debora\Cookies\debora@zedo[2].txt Risk: Medium
Name: TrackingCookie.Webtrends Path: C:\Documents and Settings\ktalkington\Cookies\ktalkington@m.webtrends[2].txt Risk: Medium
Name: TrackingCookie.Msn Path: C:\Documents and Settings\ktalkington\Cookies\ktalkington@search.msn[1].txt Risk: Medium
Name: TrackingCookie.Enhance Path: C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt Risk: Medium
Name: TrackingCookie.Webtrends Path: C:\Documents and Settings\valadmin\Cookies\valadmin@m.webtrends[2].txt Risk: Medium
Name: TrackingCookie.Burstnet Path: C:\Documents and Settings\valadmin.VALIANT\Cookies\valadmin@burstnet[1].txt Risk: Medium
Name: TrackingCookie.Webtrends Path: C:\Documents and Settings\valadmin.VALIANT\Cookies\valadmin@m.webtrends[1].txt Risk: Medium
Name: Trojan.Small Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP331\A0046250.vbs Risk: High
The PC is still acting up; it is still bogged down and I am still receiving the Internet Explorer pop-ups of porn sites.
Here is the new hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:36 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Download CCleaner from here to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced." Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
2. Rerun Hijackthis
At the main window Select "Open the Misc tool section"
Then Select "Open ADS Spy"
Uncheck "Quick scan"
Then Scan
If a log shows up in the window Select "Save log" and post it as a reply to this thread
bamajim
10.4K Posts
0
March 27th, 2008 00:00
The top portion of your Hijackthis log with the OS information got cut off. Rerun Hijackthis and post a fresh Log.
"The world is what you make of it"
angelbabie
18 Posts
0
March 27th, 2008 10:00
Oops! Here is a new run
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:25 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3E6725D0-4273-4CB7-ABBB-F89656B0BFC9} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: (no name) - {FC5D995C-D720-41AA-A7DB-8B0D7DE66F5A} - C:\WINDOWS\system32\ssqro.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe -n QB_VAL020_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 512M -c 140M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "C:\Documents and Settings\abrown\Local Settings\Application Data\Intuit\QuickBooks\Log\DBStartup.log" -y
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [34e8bfad] rundll32.exe "C:\WINDOWS\system32\nqcdptyx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143994144984
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Valiant.local
O17 - HKLM\Software\..\Telephony: DomainName = Valiant.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Valiant.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9104 bytes
bamajim
10.4K Posts
0
March 27th, 2008 12:00
Please download VundoFix.exe to your desktop.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
"The world is what you make of it"
angelbabie
18 Posts
0
March 27th, 2008 13:00
OK I ran that program and this is what Hijack has to say now
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:45 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3E6725D0-4273-4CB7-ABBB-F89656B0BFC9} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: (no name) - {FC5D995C-D720-41AA-A7DB-8B0D7DE66F5A} - C:\WINDOWS\system32\ssqro.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe -n QB_VAL020_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 512M -c 136M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "C:\Documents and Settings\abrown\Local Settings\Application Data\Intuit\QuickBooks\Log\DBStartup.log" -y
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [34e8bfad] rundll32.exe "C:\WINDOWS\system32\nqcdptyx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143994144984
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Valiant.local
O17 - HKLM\Software\..\Telephony: DomainName = Valiant.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Valiant.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9316 bytes
angelbabie
18 Posts
0
March 27th, 2008 14:00
This is what I found
VundoFix V7.0.3
Scan started at 9:58:48 AM 3/27/2008
Listing files found while scanning....
C:\WINDOWS\system32\envlmheo.dll
C:\WINDOWS\system32\rlnpkmax.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\envlmheo.dll
C:\WINDOWS\system32\envlmheo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rlnpkmax.dll
C:\WINDOWS\system32\rlnpkmax.dll Has been deleted!
Performing Repairs to the registry.
Done!
bamajim
March 27th, 2008 14:00
angelbabie
When you ran Vundofix, it should have produced a log for you. It can be found at C:\Vundofix.txt
Locate, open and post the contents of that text file.
"The world is what you make of it"
bamajim
March 27th, 2008 17:00
We are going to run Vundofix again, but change the instructions slightly.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
"The world is what you make of it"
angelbabie
March 27th, 2008 18:00
ok here it is
VundoFix V7.0.3
Scan started at 9:58:48 AM 3/27/2008
Listing files found while scanning....
C:\WINDOWS\system32\envlmheo.dll
C:\WINDOWS\system32\rlnpkmax.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\envlmheo.dll
C:\WINDOWS\system32\envlmheo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rlnpkmax.dll
C:\WINDOWS\system32\rlnpkmax.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 10:24:08 AM 3/27/2008
Listing files found while scanning....
VundoFix V7.0.3
Scan started at 10:29:31 AM 3/27/2008
Listing files found while scanning....
No infected files were found.
Beginning removal...
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:01 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3E6725D0-4273-4CB7-ABBB-F89656B0BFC9} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: (no name) - {FC5D995C-D720-41AA-A7DB-8B0D7DE66F5A} - C:\WINDOWS\system32\ssqro.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe -n QB_VAL020_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 512M -c 136M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "C:\Documents and Settings\abrown\Local Settings\Application Data\Intuit\QuickBooks\Log\DBStartup.log" -y
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [34e8bfad] rundll32.exe "C:\WINDOWS\system32\nqcdptyx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143994144984
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Valiant.local
O17 - HKLM\Software\..\Telephony: DomainName = Valiant.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Valiant.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9137 bytes
bamajim
March 27th, 2008 19:00
1. We need to temporarily disable Spybot S&D TeaTimer so it doesn't interfere with our fix.
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
2. Rerun HijackThis (scan only) and place checks beside the following entries:
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: (no name) - {FC5D995C-D720-41AA-A7DB-8B0D7DE66F5A} - C:\WINDOWS\system32\ssqro.dll (file missing)
O4 - HKLM\..\Run: [34e8bfad] rundll32.exe "C:\WINDOWS\system32\nqcdptyx.dll",b
Close all other open windows except HijackThis and select "Fix checked".
Close HijackThis ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.
"The world is what you make of it"
angelbabie
March 27th, 2008 19:00
Here it is
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:33 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe -n QB_VAL020_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 512M -c 136M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "C:\Documents and Settings\abrown\Local Settings\Application Data\Intuit\QuickBooks\Log\DBStartup.log" -y
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143994144984
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Valiant.local
O17 - HKLM\Software\..\Telephony: DomainName = Valiant.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Valiant.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8608 bytes
bamajim
March 30th, 2008 10:00
Almost there.
Please perform an Ewido Online Malware Scan
"The world is what you make of it"
bamajim
March 31st, 2008 13:00
angelbabie
Good work. Could I see one more fresh HijackThis log, and could you give me an update on how your PC is running now?
"The world is what you make of it"
angelbabie
March 31st, 2008 13:00
Sorry it took so long, but here it is
_______________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\abrown\Cookies\abrown@2o7[1].txt
Risk: Medium
Name: TrackingCookie.Yieldmanager
Path: C:\Documents and Settings\abrown\Cookies\abrown@ad.yieldmanager[1].txt
Risk: Medium
Name: TrackingCookie.Euroclick
Path: C:\Documents and Settings\abrown\Cookies\abrown@adopt.euroclick[2].txt
Risk: Medium
Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\abrown\Cookies\abrown@advertising[2].txt
Risk: Medium
Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\abrown\Cookies\abrown@atdmt[2].txt
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\abrown\Cookies\abrown@doubleclick[1].txt
Risk: Medium
Name: TrackingCookie.Realmedia
Path: C:\Documents and Settings\abrown\Cookies\abrown@realmedia[1].txt
Risk: Medium
Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\abrown\Cookies\abrown@ssl-hints.netflame[2].txt
Risk: Medium
Name: TrackingCookie.Trafficmp
Path: C:\Documents and Settings\abrown\Cookies\abrown@trafficmp[1].txt
Risk: Medium
Name: TrackingCookie.Zedo
Path: C:\Documents and Settings\abrown\Cookies\abrown@zedo[1].txt
Risk: Medium
Name: TrackingCookie.Atdmt
Path: :mozilla.11:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Advertising
Path: :mozilla.19:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Advertising
Path: :mozilla.20:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Advertising
Path: :mozilla.21:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: :mozilla.22:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Advertising
Path: :mozilla.24:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Questionmarket
Path: :mozilla.31:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Questionmarket
Path: :mozilla.32:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Mediaplex
Path: :mozilla.35:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Tribalfusion
Path: :mozilla.41:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Realmedia
Path: :mozilla.43:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Yieldmanager
Path: :mozilla.50:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Yieldmanager
Path: :mozilla.57:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Yieldmanager
Path: :mozilla.58:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Yieldmanager
Path: :mozilla.59:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Yieldmanager
Path: :mozilla.60:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: TrackingCookie.Revsci
Path: :mozilla.63:C:\Documents and Settings\abrown\Application Data\Mozilla\Firefox\Profiles\bka92od9.default\cookies.txt
Risk: Medium
Name: Downloader.Wimad.l
Path: C:\Documents and Settings\abrown\My Documents\My Music\07 Track 7 (lambert).wma
Risk: High
Name: Dropper.VB.lu
Path: C:\Documents and Settings\abrown\My Documents\My Music\Neato MediaFace v4.0.1.71.exe
Risk: High
Name: Downloader.VB.bsa
Path: C:\Documents and Settings\abrown\My Documents\My Music\Neato MediaFace v5.0.38.zip/Setup.exe
Risk: High
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Debora\Cookies\debora@2o7[2].txt
Risk: Medium
Name: TrackingCookie.Euroclick
Path: C:\Documents and Settings\Debora\Cookies\debora@adopt.euroclick[2].txt
Risk: Medium
Name: TrackingCookie.Adrevolver
Path: C:\Documents and Settings\Debora\Cookies\debora@adrevolver[2].txt
Risk: Medium
Name: TrackingCookie.Pointroll
Path: C:\Documents and Settings\Debora\Cookies\debora@ads.pointroll[1].txt
Risk: Medium
Name: TrackingCookie.Casalemedia
Path: C:\Documents and Settings\Debora\Cookies\debora@casalemedia[2].txt
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Debora\Cookies\debora@doubleclick[2].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\Debora\Cookies\debora@ehg-bmwna.hitbox[2].txt
Risk: Medium
Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\Debora\Cookies\debora@m.webtrends[2].txt
Risk: Medium
Name: TrackingCookie.Starware
Path: C:\Documents and Settings\Debora\Cookies\debora@starware[2].txt
Risk: Medium
Name: TrackingCookie.Tradedoubler
Path: C:\Documents and Settings\Debora\Cookies\debora@tradedoubler[1].txt
Risk: Medium
Name: TrackingCookie.Tribalfusion
Path: C:\Documents and Settings\Debora\Cookies\debora@tribalfusion[2].txt
Risk: Medium
Name: TrackingCookie.Zedo
Path: C:\Documents and Settings\Debora\Cookies\debora@zedo[2].txt
Risk: Medium
Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\ktalkington\Cookies\ktalkington@m.webtrends[2].txt
Risk: Medium
Name: TrackingCookie.Msn
Path: C:\Documents and Settings\ktalkington\Cookies\ktalkington@search.msn[1].txt
Risk: Medium
Name: TrackingCookie.Enhance
Path: C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
Risk: Medium
Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\valadmin\Cookies\valadmin@m.webtrends[2].txt
Risk: Medium
Name: TrackingCookie.Burstnet
Path: C:\Documents and Settings\valadmin.VALIANT\Cookies\valadmin@burstnet[1].txt
Risk: Medium
Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\valadmin.VALIANT\Cookies\valadmin@m.webtrends[1].txt
Risk: Medium
Name: Trojan.Small
Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP331\A0046250.vbs
Risk: High
Name: Not-A-Virus.Adware.TTC
Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0046550.dll
Risk: Low
Name: Trojan.Small
Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP340\A0046742.vbs
Risk: High
Name: Adware.Mirar
Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0046903.exe
Risk: Medium
Name: Downloader.VB.dht
Path: C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe
Risk: High
Name: Not-A-Virus.Adware.TTC
Path: C:\WINDOWS\system32\usnv\pax89104.exe
Risk: Low
Name: Downloader.Small.buy
Path: C:\WINDOWS\system32\xTmp\v55api.exe
Risk: High
angelbabie
March 31st, 2008 13:00
The PC is still acting up; it is still bogged down and I am still receiving the Internet Explorer pop-ups of porn sites.
Here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:36 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe -n QB_VAL020_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 512M -c 155M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "C:\Documents and Settings\abrown\Local Settings\Application Data\Intuit\QuickBooks\Log\DBStartup.log" -y
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143994144984
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Valiant.local
O17 - HKLM\Software\..\Telephony: DomainName = Valiant.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Valiant.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8215 bytes
bamajim
March 31st, 2008 14:00
1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Download CCleaner from here to clean temp files from your computer.
2. Rerun HijackThis
Then Select "Open ADS Spy"
Uncheck "Quick scan" Then Scan
If a log shows up in the window Select "Save log" and post it as a reply to this thread
"The world is what you make of it"