
Browser keeps redirecting me to ads etc..


Comments

  • thomas01155
    thomas01155 Posts: 2,382 Forumite
    AntiVir 7.9.0.120 2009.03.20 TR/Dropper.Gen
    Download and install AntiVir, then do a full scan and remove everything it finds: http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&!!!!!button&cdlPid=11012914

    Please also submit both the files to Malwarebytes http://uploads.malwarebytes.org/
    and the one undetected by Avira to Avira http://analysis.avira.com/samples/index.php
  • Dreamnine
    Dreamnine Posts: 8,370 Forumite
    Right. Thanks to you and Rik- I'm a bit of a novice at this..
    I shot a vein in my neck and coughed up a Quaalude.
    Lou Reed The Last Shot
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Let us know how you get on :)
    :idea:
  • Dreamnine
    Dreamnine Posts: 8,370 Forumite
    The PC is running a lot faster now- I used XP Black Portables to clean it up. I installed Avira and removed everything it suggested.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:20:38, on 21/03/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe
    C:\Program Files\Samsung\EmoDio\SMSTray.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\documents and settings\admin\local settings\application data\gwyse.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\Wyyo\wyyo.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
    O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\manager exit list active\ball poll.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [gwyse] "c:\documents and settings\admin\local settings\application data\gwyse.exe" gwyse
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Wyyo Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe

    --
    End of file - 7190 bytes
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Right click the Avira symbol and turn off the active scanner (guard)

    Then run COMBOFIX
    Post the log here after it's run

    (You're still infected)
  • Dreamnine
    Dreamnine Posts: 8,370 Forumite
    That's a neat program:

    ComboFix 09-03-19.02 - Admin 2009-03-21 18:56:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.274 [GMT 0:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Admin\Local Settings\Application Data\gwyse.dat
    c:\documents and settings\Admin\Local Settings\Application Data\gwyse.exe
    c:\documents and settings\Admin\Local Settings\Application Data\gwyse_nav.dat
    c:\documents and settings\Admin\Local Settings\Application Data\gwyse_navps.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
    .

    2009-03-21 19:00 . 2009-03-21 19:00 <DIR> d-------- c:\windows\system32\xircom
    2009-03-21 19:00 . 2009-03-21 19:00 <DIR> d-------- c:\windows\peernet
    2009-03-21 19:00 . 2009-03-21 19:00 <DIR> d-------- c:\program files\microsoft frontpage
    2009-03-21 15:14 . 2009-03-21 15:14 <DIR> d-------- c:\program files\Avira
    2009-03-21 15:14 . 2009-03-21 15:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2009-03-21 15:14 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
    2009-03-11 23:00 . 2009-03-11 23:00 <DIR> d-------- c:\program files\Any Video Converter
    2009-03-11 23:00 . 2009-03-11 23:56 <DIR> d-------- c:\documents and settings\Admin\Application Data\Any Video Converter
    2009-03-11 21:20 . 2009-03-11 21:20 3,082 --a------ c:\windows\system32\affv300053706p4now.sys
    2009-03-11 19:46 . 2009-03-18 14:16 <DIR> d-------- c:\program files\Wyyo
    2009-03-11 19:46 . 2009-03-11 19:46 <DIR> d-------- c:\program files\Free Offers from Freeze.com
    2009-03-11 19:46 . 2009-03-18 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Wyyo
    2009-03-09 14:21 . 2009-03-09 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
    2009-03-09 14:20 . 2009-03-09 14:20 <DIR> d-------- c:\program files\Last.fm
    2009-02-25 17:56 . 2009-02-25 17:57 <DIR> dr-h----- c:\documents and settings\All Users\Application Data\yahoo!
    2009-02-25 17:56 . 2009-02-25 17:56 <DIR> d-------- c:\documents and settings\Admin\Application Data\Yahoo!
    2009-02-25 16:47 . 2009-02-25 16:47 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-02-25 16:47 . 2009-02-25 16:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-02-25 16:47 . 2009-02-25 16:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-25 16:47 . 2009-02-25 16:47 <DIR> d-------- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
    2009-02-25 16:01 . 2009-02-25 16:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-25 16:01 . 2009-02-25 16:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-25 16:01 . 2009-02-25 16:01 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
    2009-02-25 16:01 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-25 16:01 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-25 15:06 . 2009-02-25 15:06 <DIR> d-------- c:\program files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-21 16:08 --------- d-----w c:\documents and settings\All Users\Application Data\manager exit list active
    2009-03-16 22:52 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-16 22:52 --------- d-----w c:\program files\COWON
    2009-03-11 23:06 --------- d-----w c:\program files\MyFree Codec
    2009-03-11 19:46 --------- d-----w c:\program files\ffdshow
    2009-03-11 13:04 348,160 ----a-w c:\windows\system32\msvcr71.dll
    2009-03-03 13:32 --------- d-----w c:\program files\Common Files\ArcSoft
    2009-03-03 13:32 --------- d-----w c:\program files\ArcSoft
    2009-02-26 08:37 --------- d-----w c:\documents and settings\Admin\Application Data\Panasonic
    2009-02-25 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-02-25 17:56 --------- d-----w c:\program files\Yahoo!
    2009-02-25 13:32 --------- d-----w c:\program files\Common Files\Adobe
    2009-02-02 08:23 --------- d-----w c:\documents and settings\Admin\Application Data\Uniblue
    2008-05-09 07:05 0 -c--a-w c:\program files\temp01
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-07-11 223984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2009-02-18 484888]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-07-11 223984]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2007-08-13 c:\windows\system32\advpack.dll]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 1200128]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMHelp"= 1 (0x1)
    "StartMenuLogoff"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf .\Appdata\Data\

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\WINDOWS\\system32\\muzapp.exe"=
    "c:\\Program Files\\JetAudio\\jetChat.exe"=
    "c:\\Program Files\\JetAudio\\JcServer.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-21 108289]
    R2 Wyyo Service;Wyyo Service;c:\documents and settings\All Users\Application Data\Wyyo\wyyo127.exe [2009-03-18 54752]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-21 c:\windows\Tasks\AD25E528918E97B4.job
    - c:\docume~1\admin\applic~1\encvga\clock file audio.exe []

    2008-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-602609370-682003330-1003.job
    - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:08]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
    HKCU-Run-gwyse - c:\documents and settings\admin\local settings\application data\gwyse.exe
    HKLM-Run-List active junk film - c:\documents and settings\All Users\Application Data\manager exit list active\ball poll.exe
    HKU-Default-Run-Sidebar - c:\program files\Windows Sidebar\sidebar.exe
    Notify-WgaLogon - (no file)


    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://uk.yahoo.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ydai5bwr.default\
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast, .
    .
    File Associations
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-21 19:01:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(700)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Other Running Processes
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Wyyo\wyyo.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-21 19:05:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-21 19:05:21

    Pre-Run: 8,716,500,992 bytes free
    Post-Run: 8,666,783,744 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    201 --- E O F --- 2009-02-25 18:53:18
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Can you please run a fresh hijack log too
  • Dreamnine
    Dreamnine Posts: 8,370 Forumite
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:14:57, on 21/03/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\Wyyo\wyyo.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7CAB5D-41D5-4415-BE42-96C2E643EDE1}: NameServer = 172.31.140.69 172.30.140.69
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Wyyo Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe

    --
    End of file - 6170 bytes
  • Dreamnine
    Dreamnine Posts: 8,370 Forumite
    I have to go out now.. Will check back later. Thanks, Rik..
  • thomas01155
    thomas01155 Posts: 2,382 Forumite
    Fix these in HijackThis:
    C:\Program Files\Wyyo\wyyo.exe
    O23 - Service: Wyyo Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe
    C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe

    Afterwards, please upload the files C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe and C:\Program Files\Wyyo\wyyo.exe to RapidShare (http://www.rapidshare.com/) and send me the download link via PM, then post a new HijackThis log, and update and run a quick scan with Malwarebytes and post the log file.
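The helpers in this thread picked out wyyo127.exe, gwyse.exe and ball poll.exe from the HijackThis logs by the same tell-tale each time: an autostart or service pointing at an executable inside a user-writable Application Data tree. The following added example, which is not from the thread or from HijackThis itself, automates that first-pass triage over a constructed excerpt of the posted log; the path heuristic, the severity labels and the O17 "review" flag are this example's own assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 format: a short excerpt modelled on the
# log posted in the thread, not the complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [gwyse] "c:\documents and settings\admin\local settings\application data\gwyse.exe" gwyse
O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\manager exit list active\ball poll.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7CAB5D-41D5-4415-BE42-96C2E643EDE1}: NameServer = 172.31.140.69 172.30.140.69
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Wyyo Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Wyyo\wyyo127.exe
"""

# Per-user and "All Users" Application Data trees on XP are writable by the
# logged-on user, so a service or Run entry living there is the tell-tale the
# helpers keyed on (gwyse.exe, ball poll.exe, wyyo127.exe). This heuristic and
# the severity labels below are the example's own assumptions.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(local settings\\)?application data\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str   # HijackThis section the line came from, e.g. "O4", "O23"
    item: str      # executable path, or the name-server list for O17
    severity: str  # "high", "medium" or "review"
    reason: str


def exe_path(command: str) -> str:
    """Extract the executable path from a Run command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces ("ball poll.exe"): take up to ".exe".
    m = re.search(r".+?\.exe", command, re.IGNORECASE)
    return m.group(0) if m else command.split()[0]


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split an 'Onn - detail' line into (section, detail); None otherwise."""
    m = re.match(r"(O4|O17|O23) - (.*)", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the lines of a HijackThis log that deserve a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, detail = parsed
        if section == "O4":
            # "HKCU\..\Run: [name] cmd"  or  "Global Startup: x.lnk = path"
            cmd = detail.split(": ", 1)[1] if ": " in detail else detail
            cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd)   # drop the [value name]
            cmd = cmd.split(" = ", 1)[-1]              # .lnk target, if any
            path = exe_path(cmd)
            if USER_WRITABLE.search(path):
                findings.append(Finding("O4", path, "medium",
                    "autostart runs an executable from a user-writable data directory"))
        elif section == "O23":
            # "Service: <display> (<name>) - <owner> - <path> [(file missing)]"
            parts = [p.strip() for p in detail.split(" - ")]
            owner = parts[1] if len(parts) >= 3 else "unknown"
            path = parts[-1].replace(" (file missing)", "")
            if USER_WRITABLE.search(path):
                sev = "high" if owner.lower() == "unknown owner" else "medium"
                findings.append(Finding("O23", path, sev,
                    f"service ({owner}) installed under a user-writable data directory"))
        elif section == "O17":
            m = re.search(r"NameServer = (.+)$", detail)
            if m:
                findings.append(Finding("O17", m.group(1).strip(), "review",
                    "DNS servers pinned in the registry; confirm they are your ISP's or router's"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.item}\n         {f.reason}")
```

Everything under Program Files passes untouched, including the ACDaemon service with an unknown owner, while the three entries the thread's helpers told the poster to fix are the ones that surface.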