HELP - Something's hijacked the pc (ultimate cleaner 2007?)

Hi guys,

I have no idea how, but I have some spyware or malware on my PC. My wallpaper has changed to red and says "your privacy is in danger" with a sort of four-circle symbol (it looks like a nuclear-waste danger sign).

3 shortcuts have appeared on the desktop called Error cleaner, privacy detector and spyware & Malware protection.

I'm constantly getting pop-ups saying things like "PC is at risk, click yes to fix". I have not clicked yes or downloaded anything from these prompts.

My home page has been taken over and it now takes me here although I'm not sure if you should click on it!
http://securepccleaner.com/privacy/index.php?045a420d46164a52096a5302073d4d0e3a535e6d04524a0245080b410b54585856155156475c48433b0403515c550d56530106

Really need help to remove this pest. Had a look on Google and downloaded a Spyware Doctor tool that was recommended on a forum to remove it, but it's not free.

Please, any help would be greatly appreciated. I'm not particularly techie but can find my way around without too much bother to remove files etc.

PS - I also have Norton, and a full system scan isn't even detecting this problem. I'm on XP Home, Windows SP2.
Love MSE, Las Vegas and chocolate!

Comments

  • Download ComboFix from either of these links:

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Double click Combofix.exe & follow the prompts.

    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.



    Can you also post a HijackThis log generated after ComboFix has been run, please?

    Download HJTInstall.exe to your desktop.
    • Double-click HJTInstall.exe icon on your desktop to start the installation.
    • By default it will install to C:\Program Files\Trend Micro\Hijack This.
    • Click the Install button and HijackThis will launch automatically.
    • Click the Scan button to generate a HijackThis log and then click Save Log to open it as a text file.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back to this thread and Paste the log (Ctrl+V) in your next reply.
  • mookybargirl
    mookybargirl Posts: 1,380 Forumite
    Here's the whole log; looks a bit scary - lol

    ComboFix 07-08-09.3 - "Home" 2007-08-12 21:48:23.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.553 [GMT 1:00]
    * Created a new restore point

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\DOCUME~1\Home\Desktop.\internet explorer.lnk
    C:\DOCUME~1\Home\Desktop.\Spyware&Malware Protection.url
    C:\DOCUME~1\Home\Desktop\Error Cleaner.url
    C:\DOCUME~1\Home\Desktop\Privacy Protector.url
    C:\DOCUME~1\Home\FAVORI~1.\Error Cleaner.url
    C:\DOCUME~1\Home\FAVORI~1.\Privacy Protector.url
    C:\DOCUME~1\Home\FAVORI~1.\Spyware&Malware Protection.url
    C:\WINDOWS\dat.txt
    C:\WINDOWS\main_uninstaller.exe
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm

    ((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))

    2007-08-12 21:47 51,200 --a
    C:\WINDOWS\nircmd.exe
    2007-08-12 21:27 <DIR> d
    C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-08-12 21:17 626,688 --a
    C:\WINDOWS\system32\msvcr80.dll
    2007-08-12 21:17 <DIR> d
    C:\Program Files\Spyware Doctor
    2007-08-12 11:29 221,184 --a
    C:\WINDOWS\wmpconf.dll
    2007-08-12 11:29 200,704 --a
    C:\WINDOWS\wmpenv.dll
    2007-08-12 11:29 188,416 --a
    C:\WINDOWS\duocore.dll
    2007-07-31 07:56 22,112 -ra
    C:\WINDOWS\system32\drivers\COH_Mon.sys

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-08-12 21:22 12 --a
    C:\WINDOWS\bthservsdp.dat
    2007-05-16 16:12 86528
    C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 16:12 85504
    C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 16:12 683520 --a
    C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 16:12 683520
    C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 16:12 510976
    C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 16:12 1314816
    C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 20:02 19784 --a
    C:\DOCUME~1\Home\APPLIC~1\GDIPFONTCACHEV1.DAT
    2004-06-18 10:05 45056 --a
    C:\WINDOWS\inf\Slntinst.exe
    2003-08-22 10:09 45056 --a
    C:\WINDOWS\inf\slntinst_staticW2k.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47C54F02-1B28-45F1-AE46-B5CDFB6E7926}]
    2007-08-11 16:00 188416 --a
    C:\WINDOWS\duocore.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
    "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 13:25]
    "SupaDial"="C:\Program Files\SupaDial\SupaDial.exe" []
    "VTTimer"="VTTimer.exe" []
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-03-03 10:29]
    "nwiz"="nwiz.exe" [2004-03-03 10:29 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-03 10:29]
    "CARPService"="carpserv.exe" [2003-06-11 11:54 C:\WINDOWS\system32\carpserv.exe]
    "PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-05-11 23:20]
    "Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17]
    "Norton"="C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe" [2004-02-24 21:53]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-06 10:24]
    "BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 C:\WINDOWS\system32\BtUsrBdg.exe]
    "BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 C:\WINDOWS\system32\BTSetBootKey.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 C:\WINDOWS\system32\bthprops.cpl]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
    "Motive SmartBridge"="C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52]
    "btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 10:22]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-12 22:06]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "wmpenv"= {32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll [2007-08-11 16:00 200704]
    "wmpconf"= {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll [2007-08-11 16:00 221184]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
    c:\windows\system32\sbijsnu.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zojypku]
    c:\windows\system32\sbijsnu.exe
    R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
    R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
    R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
    R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
    R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
    R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
    R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
    R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
    R3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
    R3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
    R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
    R3 Tunx00;FunTV Video Capture;C:\WINDOWS\system32\DRIVERS\Tunx00.sys
    R3 TxTuner;FunTV TV Tuner;C:\WINDOWS\system32\DRIVERS\TxTuner.sys
    R3 USB_RNDIS;USB Remote NDIS Network Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
    R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys
    S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
    S3 BTHMODEM;Bluetooth Serial Communications Driver;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
    S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
    S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
    S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
    S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
    S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Home\LOCALS~1\Temp\jfdcd.sys
    S3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys
    S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
    S3 viagfx;viagfx;C:\WINDOWS\system32\DRIVERS\vtmini.sys
    S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ
    *Newly Created Service* - COMHOST
    Contents of the 'Scheduled Tasks' folder
    2007-06-01 19:00:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Home.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-12 21:50:04
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-08-12 21:50:48
    C:\ComboFix-quarantined-files.txt ... 2007-08-12 21:50
    --- E O F ---
    Love MSE, Las Vegas and chocolate!
  • And the HijackThis log?
  • mookybargirl
    mookybargirl Posts: 1,380 Forumite
    Sorry - I just re-read your reply - I thought it was a choice, not to do both - here's the other log (thanks again for your help)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:12:57, on 12/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\CyberLink\PowerCinema\PCMService.exe
    C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    C:\WINDOWS\system32\BtUsrBdg.exe
    C:\WINDOWS\system32\BTSetBootKey.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
    O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: FHM - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - D:\Program Files\FHM\GameClient.exe (file missing)
    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
    O16 - DPF: {5554A026-7282-4C11-A8F1-652D0599CD02} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/OpiStat_preinstaller_activex_en_4.60.63.0_MEGAPANEL_EUROPE_SILENT.cab
    O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/mpp_236/webolr/OCX/FlashAX.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: wmpenv - {32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
    O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
    --
    End of file - 10825 bytes
    Love MSE, Las Vegas and chocolate!
  • These are new variants of Privacy Protector and a fix for this is due to be released by Subs in the next day or so.

    O21 - SSODL: wmpenv - {32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
    O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
  • Scan with HijackThis and place a checkmark in the boxes before the following entries:-

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
    O16 - DPF: {5554A026-7282-4C11-A8F1-652D0599CD02} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...OPE_SILENT.cab
    O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/In...ST%20SETUP.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/mp...CX/FlashAX.cab
    O21 - SSODL: wmpenv - {32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
    O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


    Close all other windows except HijackThis and click the "Fix Checked" button.



    Then open notepad (Start > Run and type notepad) and copy/paste the text in the code box below to it:
    File::
    C:\WINDOWS\wmpconf.dll
    C:\WINDOWS\wmpenv.dll
    C:\WINDOWS\duocore.dll
    
    
    Save this as "CFScript"

    CFScript.gif

    Referring to the picture above, drag CFScript into ComboFix.exe


    Run ComboFix again and post the resultant log file please with a fresh HJT log again.

    :)
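    The entries ticked above (the R0/R1 browser settings, the O2 BHO loaded from the Windows root, both O21 SSODL DLLs and the O24 desktop component) can be picked out of a HijackThis log mechanically. This is an added example, not code from this thread or from HijackThis: it parses a constructed sample modelled on the log posted above, including the forum's "!!" mangling of "{" in CLSIDs, and the TRUSTED_HOSTS allowlist and the path heuristics are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample, shaped like the HijackThis log posted in this thread.
# The "!!" in place of "{" reproduces how the forum software mangled some CLSIDs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSVPS System - !!47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: wmpenv - !!32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# A CLSID as HijackThis prints it, tolerating "!!" for the opening brace.
CLSID_RE = re.compile(r"(?:\{|!!)([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# "O21 - SSODL: ..." -> section code and the rest of the line.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Constructed allowlist (assumption): home/search hosts we would not question.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "www.microsoft.com"}


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O21"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def normalize_clsid(text: str) -> str:
    """Repair '!!XXXXXXXX-...}' back to '{XXXXXXXX-...}' so CLSIDs compare cleanly."""
    return CLSID_RE.sub(lambda m: "{" + m.group(1).upper() + "}", text)


def in_windows_root(path: str) -> bool:
    # True for a file directly in the Windows directory (e.g. C:\WINDOWS\wmpenv.dll),
    # where BHOs and shell service objects are not normally installed.
    return re.match(r"^[a-z]:\\windows\\[^\\]+$", path.strip().lower()) is not None


def analyze(log_text: str) -> List[Finding]:
    """Return the log entries a helper would tick for 'Fix Checked'."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), normalize_clsid(m.group("body"))
        if code in ("R0", "R1"):
            # "key,value = url": a start or search page pointing at an untrusted
            # host is the browser hijack the original post describes.
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(code, f"browser setting points at {host}", line))
        elif code == "O2":
            # "BHO: name - {CLSID} - dll": the DLL path is the last " - " field.
            dll = body.rsplit(" - ", 1)[-1]
            if in_windows_root(dll):
                findings.append(Finding(code, "BHO loaded from the Windows root directory", line))
        elif code == "O21":
            # ShellServiceObjectDelayLoad: explorer.exe loads these DLLs at logon.
            # Legitimate entries live in system32, so anything else needs a look.
            dll = body.rsplit(" - ", 1)[-1]
            if not re.search(r"\\system32\\", dll, re.IGNORECASE):
                findings.append(Finding(code, "SSODL entry outside system32", line))
        elif code == "O24":
            # Active Desktop component: a local file:// page is how the red
            # "your privacy is in danger" wallpaper gets installed.
            source = body.rsplit(" - ", 1)[-1].strip()
            if source.lower().startswith("file:"):
                findings.append(Finding(code, "desktop component served from a local file", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```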
  • These are new variants of Privacy Protector and a fix for this is due to be released by Subs in the next day or so.

    O21 - SSODL: wmpenv - {32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
    O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll


    That's great news; for the time being we'll just add them to ComboFix manually.
  • mookybargirl
    mookybargirl Posts: 1,380 Forumite
    Done, here's the combofix log, my pc restarted in the middle - I assume that was normal - running the HJT now - be back in a sec.....

    ComboFix 07-08-09.3 - "Home" 2007-08-12 22:54:52.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.606 [GMT 1:00]
    Command switches used :: C:\Documents and Settings\Home\Desktop\CFScript.txt
    * Created a new restore point
    FILE::
    C:\WINDOWS\wmpconf.dll
    C:\WINDOWS\wmpenv.dll
    C:\WINDOWS\duocore.dll

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\DOCUME~1\Home\FAVORI~1.\Error Cleaner.url
    C:\DOCUME~1\Home\FAVORI~1.\Privacy Protector.url
    C:\DOCUME~1\Home\FAVORI~1.\Spyware&Malware Protection.url
    C:\WINDOWS\dat.txt
    C:\WINDOWS\duocore.dll
    C:\WINDOWS\main_uninstaller.exe
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\wmpconf.dll
    C:\WINDOWS\wmpenv.dll

    ((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))

    2007-08-12 22:12 <DIR> d
    C:\Program Files\Trend Micro
    2007-08-12 21:47 51,200 --a
    C:\WINDOWS\nircmd.exe
    2007-08-12 21:27 <DIR> d
    C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-08-12 21:17 626,688 --a
    C:\WINDOWS\system32\msvcr80.dll
    2007-07-31 07:56 22,112 -ra
    C:\WINDOWS\system32\drivers\COH_Mon.sys

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-08-12 22:56 12 --a
    C:\WINDOWS\bthservsdp.dat
    2007-05-16 16:12 86528
    C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 16:12 85504
    C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 16:12 683520 --a
    C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 16:12 683520
    C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 16:12 510976
    C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 16:12 1314816
    C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 20:02 19784 --a
    C:\DOCUME~1\Home\APPLIC~1\GDIPFONTCACHEV1.DAT
    2004-06-18 10:05 45056 --a
    C:\WINDOWS\inf\Slntinst.exe
    2003-08-22 10:09 45056 --a
    C:\WINDOWS\inf\slntinst_staticW2k.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
    "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 13:25]
    "SupaDial"="C:\Program Files\SupaDial\SupaDial.exe" []
    "VTTimer"="VTTimer.exe" []
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-03-03 10:29]
    "nwiz"="nwiz.exe" [2004-03-03 10:29 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-03 10:29]
    "CARPService"="carpserv.exe" [2003-06-11 11:54 C:\WINDOWS\system32\carpserv.exe]
    "PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-05-11 23:20]
    "Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17]
    "Norton"="C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe" [2004-02-24 21:53]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-06 10:24]
    "BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 C:\WINDOWS\system32\BtUsrBdg.exe]
    "BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 C:\WINDOWS\system32\BTSetBootKey.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 C:\WINDOWS\system32\bthprops.cpl]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
    "Motive SmartBridge"="C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52]
    "btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 10:22]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-12 22:06]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "wmpenv"= {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll [ ]
    "wmpconf"= {236DF90B-CCFC-43AE-B92D-270620D98909} - C:\WINDOWS\wmpconf.dll [ ]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
    c:\windows\system32\sbijsnu.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zojypku]
    c:\windows\system32\sbijsnu.exe
    R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
    R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
    R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
    R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
    R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
    R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
    R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
    R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
    R3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
    R3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
    R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
    R3 Tunx00;FunTV Video Capture;C:\WINDOWS\system32\DRIVERS\Tunx00.sys
    R3 TxTuner;FunTV TV Tuner;C:\WINDOWS\system32\DRIVERS\TxTuner.sys
    R3 USB_RNDIS;USB Remote NDIS Network Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
    R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys
    S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
    S3 BTHMODEM;Bluetooth Serial Communications Driver;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
    S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
    S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
    S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
    S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
    S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Home\LOCALS~1\Temp\jfdcd.sys
    S3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys
    S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
    S3 viagfx;viagfx;C:\WINDOWS\system32\DRIVERS\vtmini.sys
    S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ
    *Newly Created Service* - ASNDIS5
    *Newly Created Service* - COMHOST
    Contents of the 'Scheduled Tasks' folder
    2007-06-01 19:00:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Home.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-12 22:58:08
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-08-12 22:59:05 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-12 22:59
    C:\ComboFix2.txt ... 2007-08-12 21:50
    --- E O F ---
  • mookybargirl
    The HJT log; no pop-ups so far - what's next?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:02:11, on 12/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\CyberLink\PowerCinema\PCMService.exe
    C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    C:\WINDOWS\system32\BtUsrBdg.exe
    C:\WINDOWS\system32\BTSetBootKey.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
    O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: FHM - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - D:\Program Files\FHM\GameClient.exe (file missing)
    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: wmpenv - {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll (file missing)
    O21 - SSODL: wmpconf - {236DF90B-CCFC-43AE-B92D-270620D98909} - C:\WINDOWS\wmpconf.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    --
    End of file - 9884 bytes
  • It would appear you've unwittingly downloaded more nasties between posts.

    Scan with HijackThis and place a checkmark in the boxes before the following entries:-

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    O21 - SSODL: wmpenv - {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll (file missing)
    O21 - SSODL: wmpconf - {236DF90B-CCFC-43AE-B92D-270620D98909} - C:\WINDOWS\wmpconf.dll (file missing)


    Close all other windows except HijackThis and click the "Fix Checked" button.


    Restart and post a fresh HJT log for me please.


    Can you also run a search for this file using Windows Explorer:

    c:\windows\system32\sbijsnu.exe

    Ensure you have re-configured Windows Explorer to Show Hidden Files & Folders before searching.

    Let me know if you find it. You currently have a malicious entry disabled from running at startup in msconfig.


    Is there any reason why you haven't updated IE to version 7? IE7 is much more secure than IE6. A visit to the Windows Update site is in order.


    I've got to hit the sack now but I'll check back tomorrow night when I get home from work.

    AS
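The helper's reply above is a manual triage of the two logs posted earlier in the thread: the hijacked IE start page (R0), the two SSODL entries whose DLLs are missing (O21), and the msconfig-disabled startup entry that points at c:\windows\system32\sbijsnu.exe in the ComboFix dump. The script below is an added example written for this thread; it is not a HijackThis, ComboFix or forum tool, and the poster never ran it. It turns those hand checks into rules that run over log lines in both formats (HijackThis R0/R1, O21 and O23 lines; ComboFix driver and msconfig\startupreg lines) and also raises two items the reply does not mention: a service with "Unknown owner" and a driver registered from a Temp directory. Both of those are flagged for review only, since some legitimate software has no publisher string and some scanning tools load a temporary driver of their own. The sample input is constructed from lines that appear in the logs above; the expected_hosts parameter, and treating www.tiny.com as the machine's OEM home page, are assumptions made for the example.

```python
"""Triage of HijackThis-style and ComboFix-style log lines.

Added example for this thread; it is not a HijackThis, ComboFix or forum
tool. It encodes the checks the helper applied by hand to the two logs
above. Every rule is a heuristic: a hit means "a person should look at
this line", not "this is malware".
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail line")

# HijackThis R0/R1 lines:  R0 - HKCU\...\Main,Start Page = http://...
_RE_R = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+) = (?P<value>.*)$")
# HijackThis O21 lines:    O21 - SSODL: name - {CLSID} - path [(file missing)]
_RE_O21 = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\}"
                     r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# HijackThis O23 lines:    O23 - Service: display (short) - Owner - path
_RE_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix driver lines:   S3 name;description;path
_RE_DRV = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$")
# ComboFix msconfig-disabled startup key; the command is on the next line
_RE_MSCONFIG = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools"
                          r"\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
_TEMP_DIR = re.compile(r"\\temp\\", re.I)


def _host(url):
    """Hostname of an http(s) URL, or None for about:blank, IPs in settings, etc."""
    m = re.match(r"https?://([^/]+)", url, re.I)
    return m.group(1).lower() if m else None


def triage(log_text, expected_hosts=()):
    """Return the Findings a reviewer should look at, in log order.

    expected_hosts (assumed parameter): hostnames the user recognises as
    their own home page, e.g. an OEM or ISP portal. Start pages on any
    other host are flagged.
    """
    expected = {h.lower() for h in expected_hosts}
    findings = []
    lines = log_text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        m = _RE_R.match(line)
        if m:  # browser start/default page set to an external site
            host = _host(m.group("value"))
            if host and host not in expected:
                findings.append(Finding("start-page", "browser start page points at " + host, line))
            continue
        m = _RE_O21.match(line)
        if m:  # ShellServiceObjectDelayLoad: dangling entry, or DLL in an odd place
            if m.group("missing"):
                findings.append(Finding("ssodl-missing", "dangling SSODL entry " + m.group("name"), line))
            elif "\\system32\\" not in m.group("path").lower():
                findings.append(Finding("ssodl-path", "SSODL DLL outside system32: " + m.group("path"), line))
            continue
        m = _RE_O23.match(line)
        if m and m.group("owner").lower() == "unknown owner":  # no publisher string
            findings.append(Finding("service-unknown-owner", m.group("svc"), line))
            continue
        m = _RE_DRV.match(line)
        if m and _TEMP_DIR.search(m.group("path")):  # kernel driver from a Temp folder
            findings.append(Finding("driver-in-temp", m.group("name"), line))
            continue
        m = _RE_MSCONFIG.match(line)
        if m and i + 1 < len(lines):  # disabled in msconfig but still registered
            cmd = lines[i + 1].strip()
            findings.append(Finding("msconfig-disabled", "%s -> %s" % (m.group("name"), cmd), line))
    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs
# posted above, with benign neighbours kept in for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O21 - SSODL: wmpenv - {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Home\LOCALS~1\Temp\jfdcd.sys
R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
c:\windows\system32\sbijsnu.exe
"""


def main():
    # www.tiny.com as the OEM home page is an assumption for this example
    for f in triage(SAMPLE_LOG, expected_hosts=("www.tiny.com",)):
        print("%-22s %s" % (f.rule, f.detail))


if __name__ == "__main__":
    main()
```

Run against the sample it reports five lines: the softwarereferral.com start page, the dangling wmpenv SSODL entry, the SecuROM service with no owner, the jfdcd.sys driver under Temp, and the disabled Power2GoExpress startup entry whose command is sbijsnu.exe. Dropping www.tiny.com from expected_hosts adds the Default_Page_URL line as a sixth hit, which is the point of the parameter: a triage script cannot tell an ISP portal from a hijack, so that decision stays with the person reading the log.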
This discussion has been closed.