1972vet | 3.3K Posts | June 26th, 2007 02:00
DaveSinclair | 3 Posts | June 26th, 2007 03:00
here's the new log.
Logfile of HijackThis v1.99.1
Scan saved at 12:12:13 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\DOCUME~1\Daniel\MYDOCU~1\CROSOF~1\chkntfs.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\jidmmqiw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\??curity\n?tepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {ED2E03C1-EF5A-93D9-7BEC-BD9E8C4504C8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {316E6DF1-D73D-FCE4-181A-828DCD52839F} - C:\WINDOWS\system32\nnmsr.dll
O2 - BHO: (no name) - {4C839E5B-AB45-4A60-AC0C-6AD7650F6305} - C:\Program Files\AIM\hokesodu83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {656839F1-8261-FAE9-4F1A-828DCD52839B} - C:\WINDOWS\system32\wym.dll (file missing)
O2 - BHO: (no name) - {72433a60-33d4-48b0-bc42-27e0ec8c6dfd} - C:\WINDOWS\system32\CTM254.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7bd272d1-a018-416a-abce-98af159f3d5b} - C:\WINDOWS\system32\iogayxq.dll
O2 - BHO: (no name) - {854F2B24-EFE6-4C72-95F0-30EA18E4CE95} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [Ueto] "C:\DOCUME~1\Daniel\MYDOCU~1\CROSOF~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Kmfn] C:\WINDOWS\??curity\n?tepad.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CTM254 - CTM254.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFuaWVs\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\jidmmqiw.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
1972vet | 3.3K Posts | June 26th, 2007 03:00
Save ComboFix to the desktop.
***Note***
Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.
DaveSinclair | 3 Posts | June 26th, 2007 03:00
Logfile of HijackThis v1.99.1
Scan saved at 12:45:56 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\jidmmqiw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {ED2E03C1-EF5A-93D9-7BEC-BD9E8C4504C8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {316E6DF1-D73D-FCE4-181A-828DCD52839F} - C:\WINDOWS\system32\nnmsr.dll
O2 - BHO: (no name) - {4C839E5B-AB45-4A60-AC0C-6AD7650F6305} - C:\Program Files\AIM\hokesodu83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {656839F1-8261-FAE9-4F1A-828DCD52839B} - C:\WINDOWS\system32\wym.dll (file missing)
O2 - BHO: (no name) - {72433a60-33d4-48b0-bc42-27e0ec8c6dfd} - C:\WINDOWS\system32\CTM254.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7bd272d1-a018-416a-abce-98af159f3d5b} - C:\WINDOWS\system32\iogayxq.dll
O2 - BHO: (no name) - {854F2B24-EFE6-4C72-95F0-30EA18E4CE95} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [Ueto] "C:\DOCUME~1\Daniel\MYDOCU~1\CROSOF~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Kmfn] C:\WINDOWS\??curity\n?tepad.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CTM254 - CTM254.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jidmmqiw.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
1972vet | 3.3K Posts | June 26th, 2007 09:00
# When finished, it will produce a logfile located at C:\ComboFix.txt.
# Post the contents of that log in your next reply with a new hijackthis log.
1972vet | 3.3K Posts | June 27th, 2007 03:00
Your present issues are a direct result of having absolutely no protection on your system.
Please select and install one of these free antivirus applications:
AVG Free for Windows
AntiVir Personal Edition Classic
Avast! 4 Home Edition
After successful installation, please reboot the computer.
Please select and install one of these free Firewall applications:
ZoneAlarm Free Version
Outpost Free
Kerio
When the installation completes successfully, reboot the computer.
Please uninstall the following software:
WinAntiSpyware 2007 Free
WinPop
Click Start-->Control Panel-->Add/Remove Programs, scroll down the list to locate the program names and click Remove. Reboot the computer when finished uninstalling.
Please download the KILLBOX to your desktop.
DO NOTHING ELSE WITH IT YET
Please download VundoFix.exe to your desktop.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Open killbox.exe. First click on Tools-->Delete Temp Files. A box will open with a list of all user profiles.
Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.
Temporary Internet Files
Temp Files
XP Prefetch
If you want to clean your cookies, history, and list of recently run files, you may check those boxes as well. Next, click on the button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".
Once back into the main killbox program, check the box Delete on Reboot.
Highlight the entries below in Bold text and then copy them.
C:\Program Files\WinPop\winpop.exe
C:\WINDOWS\system32\jidmmqiw.exe
C:\WINDOWS\system32\nnmsr.dll
C:\Program Files\AIM\hokesodu83122.dll
C:\WINDOWS\system32\iogayxq.dll
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\xmlhelper2.dll
C:\DOCUME~1\Daniel\MYDOCU~1\CROSOF~1\chkntfs.exe
C:\WINDOWS\??curity\n?tepad.exe
C:\WINDOWS\system32\jidmmqiw.exe
Then in Killbox click File-->Paste from Clipboard. Click the "All Files" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No for now.
Note: Killbox will let you know if a file does not exist.
If you have any issues with this method you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until you've completed the instructions below.
Please run HijackThis again and check the following entries that may still exist:
R3 - URLSearchHook: (no name) - {ED2E03C1-EF5A-93D9-7BEC-BD9E8C4504C8} - (no file)
O2 - BHO: (no name) - {316E6DF1-D73D-FCE4-181A-828DCD52839F} - C:\WINDOWS\system32\nnmsr.dll
O2 - BHO: (no name) - {4C839E5B-AB45-4A60-AC0C-6AD7650F6305} - C:\Program Files\AIM\hokesodu83122.dll
O2 - BHO: (no name) - {656839F1-8261-FAE9-4F1A-828DCD52839B} - C:\WINDOWS\system32\wym.dll (file missing)
O2 - BHO: (no name) - {72433a60-33d4-48b0-bc42-27e0ec8c6dfd} - C:\WINDOWS\system32\CTM254.dll (file missing)
O2 - BHO: (no name) - {7bd272d1-a018-416a-abce-98af159f3d5b} - C:\WINDOWS\system32\iogayxq.dll
O2 - BHO: (no name) - {854F2B24-EFE6-4C72-95F0-30EA18E4CE95} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: "C:\DOCUME~1\Daniel\MYDOCU~1\CROSOF~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: C:\WINDOWS\??curity\n?tepad.exe
O4 - HKCU\..\Run: C:\Program Files\WinPop\winpop.exe
O20 - Winlogon Notify: CTM254 - CTM254.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\jidmmqiw.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Close all windows now except for the HijackThis application's window, then click the Fix Checked button.
Reboot the computer.
Your Java application is out of date and causes a slight security risk as a result.
Please follow these steps to remove the older-version Java components:
1. Close any open programs you may have running, especially your web browser.
2. Click Start-->Control Panel-->Add or Remove Programs.
For those just reading this thread:
Depending on your OS, you may have to click Start-->Settings-->Control Panel-->Add or Remove Programs.
3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.
Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat step 3 as many times as necessary to remove all versions of Java.
**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals; when finished uninstalling all of them, reboot the computer.
4. Navigate to and delete:
- C:\Program Files\Java (this folder, if found)
5. Then go to this page. Scroll down to where it says "Java Runtime Environment (JRE) 6u1 The Java SE Runtime Environment (JRE) allows end-users to run Java applications." and click the "Download" button to the right.
6. Check the box that says "Accept License Agreement"; the page will refresh. Then click the link to download the Windows Offline Installation, with or without Multi-language, and save it to your desktop.
Then from your desktop double-click on the executable to install the newest version. Reboot when the installation completes.
Please post back the following on your next reply:
Combofix log previously asked for...
Vundofix.txt
Fresh HijackThis log
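The fix list in the post above is a by-eye triage of the two HijackThis logs in this thread. As an added example (not code from this thread or from the HijackThis project), the Python below applies the same signals to lines in the HJT log format: orphaned entries, unnamed BHOs/hooks, services with no publisher, one-character lookalikes of system binaries, "?"-rendered non-ASCII names, a system binary name outside System32, and a directory name that is valid base64 of plain text (the RGFuaWVs folder in the second log). The sample lines are constructed from this thread's logs; the SYSTEM_BINARIES allowlist and the distance threshold are my assumptions.

```python
import base64
import re

# Constructed sample in HijackThis 1.99 log format, copied from the logs and the
# helper's fix list in this thread; a few benign lines are kept as controls.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {ED2E03C1-EF5A-93D9-7BEC-BD9E8C4504C8} - (no file)",
    r"O2 - BHO: (no name) - {316E6DF1-D73D-FCE4-181A-828DCD52839F} - C:\WINDOWS\system32\nnmsr.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"',
    r'O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"',
    r"O4 - HKCU\..\Run: [Kmfn] C:\WINDOWS\??curity\n?tepad.exe",
    r'O4 - HKCU\..\Run: [Ueto] "C:\DOCUME~1\Daniel\MYDOCU~1\CROSOF~1\chkntfs.exe" -vt yazb',
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: DomainService - - C:\WINDOWS\system32\jidmmqiw.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFuaWVs\command.exe (file missing)",
]
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
B64_DIR_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Assumed allowlist of Windows binaries whose names the entries in this thread
# imitate (svhost, poolsv, n?tepad) or borrow (chkntfs); the real ones live in System32.
SYSTEM_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "cmd.exe", "notepad.exe", "chkntfs.exe",
}

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 marks a one-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base64_directory(path):
    """Return (component, decoded) when a directory name is base64 of plain text."""
    for part in path.split("\\")[1:-1]:
        if B64_DIR_RE.match(part) and len(part) % 4 == 0:
            try:
                decoded = base64.b64decode(part, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.isprintable():
                return part, decoded
    return None

def triage_line(line):
    """List the reasons an HJT entry deserves a second look (empty if none)."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: target file is absent")
    if "(no name)" in line:
        reasons.append("unnamed BHO/toolbar/URLSearchHook")
    if line.startswith("O23") and (" - - " in line or "Unknown owner" in line):
        reasons.append("service with no or unknown publisher")
    match = PATH_RE.search(line)
    if not match:
        return reasons
    path = match.group(0)
    directory, _, name = path.lower().rpartition("\\")
    if "?" in path or any(ord(c) > 126 for c in path):
        # '?' is illegal in Windows file names, so here it stands in for a
        # non-ASCII character picked to make the name look familiar.
        reasons.append("non-ASCII character in path")
    if name in SYSTEM_BINARIES:
        if not directory.endswith("\\system32"):
            reasons.append(f"system binary name {name} outside System32")
    else:
        for known in sorted(SYSTEM_BINARIES):
            if edit_distance(name, known) == 1:
                reasons.append(f"lookalike of {known}")
    hit = base64_directory(path)
    if hit:
        reasons.append(f"directory {hit[0]!r} is base64 of {hit[1]!r}")
    return reasons

def triage(lines):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    return {line: triage_line(line) for line in lines if triage_line(line)}

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry[:70], "->", "; ".join(why))
```

Feed it a full log (one entry per line) and the control lines for QuickTime and the ATI service come back clean, while the eight entries the helper listed are each flagged with the reason a reviewer would give.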