We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
HELP - Something's hijacked the pc (ultimate cleaner 2007?)
mookybargirl
Posts: 1,380 Forumite
in Techie Stuff
Hi guys,
I have no idea how but I have some spyware or malware on my pc. My wallpaper has changed to red and says "your privacy is in danger" with a sort of 4 circle symbol (looks like a danger for nuclear waste)
3 shortcuts have appeared on the desktop called Error cleaner, privacy detector and spyware & Malware protection.
I'm constantly getting pop ups saying stuff like pc is at risk, click yes to fix. Not clicked yes or downloaded anything from these prompts.
My home page has been taken over and it now takes me here although I'm not sure if you should click on it!
http://securepccleaner.com/privacy/index.php?045a420d46164a52096a5302073d4d0e3a535e6d04524a0245080b410b54585856155156475c48433b0403515c550d56530106
Really need help to remove this pest. Had a look on google and downloaded a spyware doctor tool that was on a forum to remove but it's not free.
Please, any help would be greatly appreciated. I'm not particularly techie but can find my way around without too much bother to remove files etc.
PS - I also have Norton and a full system scan isn't even detecting this problem. I'm on XP Home, windows SP2
I have no idea how but I have some spyware or malware on my pc. My wallpaper has changed to red and says "your privacy is in danger" with a sort of 4 circle symbol (looks like a danger for nuclear waste)
3 shortcuts have appeared on the desktop called Error cleaner, privacy detector and spyware & Malware protection.
I'm constantly getting pop ups saying stuff like pc is at risk, click yes to fix. Not clicked yes or downloaded anything from these prompts.
My home page has been taken over and it now takes me here although I'm not sure if you should click on it!
http://securepccleaner.com/privacy/index.php?045a420d46164a52096a5302073d4d0e3a535e6d04524a0245080b410b54585856155156475c48433b0403515c550d56530106
Really need help to remove this pest. Had a look on google and downloaded a spyware doctor tool that was on a forum to remove but it's not free.
Please, any help would be greatly appreciated. I'm not particularly techie but can find my way around without too much bother to remove files etc.
PS - I also have Norton and a full system scan isn't even detecting this problem. I'm on XP Home, windows SP2
Love MSE, Las Vegas and chocolate!
0
Comments
-
Download ComboFix from either of these links:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click Combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.
Can you also post a HijackThis log generated after ComboFix has been run please.
Download HJTInstall.exe to your desktop.- Double-click HJTInstall.exe icon on your desktop to start the installation.
- By default it will install to C:\Program Files\Trend Micro\Hijack This.
- Click the Install button and HijackThis will launch automatically.
- Click the Scan button to generate a HijackThis log and then click Save Log to open it as a text file.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back to this thread and Paste the log (Ctrl+V) in your next reply.
0 -
Here's the whole log; looks a bit scary - lol
ComboFix 07-08-09.3 - "Home" 2007-08-12 21:48:23.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.553 [GMT 1:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Home\Desktop.\internet explorer.lnk
C:\DOCUME~1\Home\Desktop.\Spyware&Malware Protection.url
C:\DOCUME~1\Home\Desktop\Error Cleaner.url
C:\DOCUME~1\Home\Desktop\Privacy Protector.url
C:\DOCUME~1\Home\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Home\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Home\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))
2007-08-12 21:47 51,200 --a
C:\WINDOWS\nircmd.exe
2007-08-12 21:27 <DIR> d
C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-08-12 21:17 626,688 --a
C:\WINDOWS\system32\msvcr80.dll
2007-08-12 21:17 <DIR> d
C:\Program Files\Spyware Doctor
2007-08-12 11:29 221,184 --a
C:\WINDOWS\wmpconf.dll
2007-08-12 11:29 200,704 --a
C:\WINDOWS\wmpenv.dll
2007-08-12 11:29 188,416 --a
C:\WINDOWS\duocore.dll
2007-07-31 07:56 22,112 -ra
C:\WINDOWS\system32\drivers\COH_Mon.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-12 21:22 12 --a
C:\WINDOWS\bthservsdp.dat
2007-05-16 16:12 86528
C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504
C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a
C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520
C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976
C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816
C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-11 20:02 19784 --a
C:\DOCUME~1\Home\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-06-18 10:05 45056 --a
C:\WINDOWS\inf\Slntinst.exe
2003-08-22 10:09 45056 --a
C:\WINDOWS\inf\slntinst_staticW2k.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\!!47C54F02-1B28-45F1-AE46-B5CDFB6E7926}]
2007-08-11 16:00 188416 --a
C:\WINDOWS\duocore.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 13:25]
"SupaDial"="C:\Program Files\SupaDial\SupaDial.exe" []
"VTTimer"="VTTimer.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-03-03 10:29]
"nwiz"="nwiz.exe" [2004-03-03 10:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-03 10:29]
"CARPService"="carpserv.exe" [2003-06-11 11:54 C:\WINDOWS\system32\carpserv.exe]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-05-11 23:20]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17]
"Norton"="C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe" [2004-02-24 21:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-06 10:24]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 C:\WINDOWS\system32\BTSetBootKey.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"Motive SmartBridge"="C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 10:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-12 22:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= [URL]file:///C:\WINDOWS\privacy_danger\index.htm[/URL]
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmpenv"= !!32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll [2007-08-11 16:00 200704]
"wmpconf"= {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll [2007-08-11 16:00 221184]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
c:\windows\system32\sbijsnu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zojypku]
c:\windows\system32\sbijsnu.exe
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
R3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
R3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 Tunx00;FunTV Video Capture;C:\WINDOWS\system32\DRIVERS\Tunx00.sys
R3 TxTuner;FunTV TV Tuner;C:\WINDOWS\system32\DRIVERS\TxTuner.sys
R3 USB_RNDIS;USB Remote NDIS Network Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 BTHMODEM;Bluetooth Serial Communications Driver;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Home\LOCALS~1\Temp\jfdcd.sys
S3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 viagfx;viagfx;C:\WINDOWS\system32\DRIVERS\vtmini.sys
S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-06-01 19:00:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Home.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 21:50:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-12 21:50:48
C:\ComboFix-quarantined-files.txt ... 2007-08-12 21:50
--- E O F ---Love MSE, Las Vegas and chocolate!0 -
And the HijackThis log?0
-
Sorry - I just re-read your reply - I thought it was a choice, not to do both - here's the other log (thanks again for your help)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:12:57, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - !!1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: MSVPS System - !!47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O2 - BHO: SSVHelper Class - !!761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - !!90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - !!2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FHM - !!76028735-BBF1-4044-8DE2-5B90F0C7A77C} -
\Program Files\FHM\GameClient.exe (file missing)
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} -\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} -\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: !!5554A026-7282-4C11-A8F1-652D0599CD02} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/OpiStat_preinstaller_activex_en_4.60.63.0_MEGAPANEL_EUROPE_SILENT.cab
O16 - DPF: !!77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/mpp_236/webolr/OCX/FlashAX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: wmpenv - !!32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O24 - Desktop Component 0: Privacy Protection - [URL]file:///C:\WINDOWS\privacy_danger\index.htm[/URL]
--
End of file - 10825 bytesLove MSE, Las Vegas and chocolate!0 -
These are new variants of Privacy Protector and a fix for this is due to be released by Subs in the next day or so.
O21 - SSODL: wmpenv - !!32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll0 -
Scan with HijackThis and place a checkmark in the boxes before the following entries:-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
O2 - BHO: MSVPS System - !!47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O16 - DPF: !!5554A026-7282-4C11-A8F1-652D0599CD02} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...OPE_SILENT.cab
O16 - DPF: !!77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/In...ST%20SETUP.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/mp...CX/FlashAX.cab
O21 - SSODL: wmpenv - !!32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Close all other windows except HijackThis and click the "Fix Checked" button.
Then open notepad (Start > Run and type notepad) and copy/paste the text in the code box below to it:File:: C:\WINDOWS\wmpconf.dll C:\WINDOWS\wmpenv.dll C:\WINDOWS\duocore.dll
Save this as "CFScript"
Refering to the picture above, drag CFScript into ComboFix.exe
Run ComboFix again and post the resultant log file please with a fresh HJT log again.
0 -
Reluctant_spender wrote: »These are new variants of Privacy Protector and a fix for this is due to be released by Subs in the next day or so.
O21 - SSODL: wmpenv - !!32B35593-9048-486D-9636-A34EAA1CA98C} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {ACE73026-6604-4370-AA63-791B1D6FA1CA} - C:\WINDOWS\wmpconf.dll
Thats great news, for the time being we'll just add them to ComboFix manually.0 -
Done, here's the combofix log, my pc restarted in the middle - I assume that was normal - running the HJT now - be back in a sec.....
ComboFix 07-08-09.3 - "Home" 2007-08-12 22:54:52.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.606 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Home\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\wmpconf.dll
C:\WINDOWS\wmpenv.dll
C:\WINDOWS\duocore.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Home\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Home\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Home\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\duocore.dll
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\wmpconf.dll
C:\WINDOWS\wmpenv.dll
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))
2007-08-12 22:12 <DIR> d
C:\Program Files\Trend Micro
2007-08-12 21:47 51,200 --a
C:\WINDOWS\nircmd.exe
2007-08-12 21:27 <DIR> d
C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-08-12 21:17 626,688 --a
C:\WINDOWS\system32\msvcr80.dll
2007-07-31 07:56 22,112 -ra
C:\WINDOWS\system32\drivers\COH_Mon.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-12 22:56 12 --a
C:\WINDOWS\bthservsdp.dat
2007-05-16 16:12 86528
C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504
C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a
C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520
C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976
C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816
C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-11 20:02 19784 --a
C:\DOCUME~1\Home\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-06-18 10:05 45056 --a
C:\WINDOWS\inf\Slntinst.exe
2003-08-22 10:09 45056 --a
C:\WINDOWS\inf\slntinst_staticW2k.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 13:25]
"SupaDial"="C:\Program Files\SupaDial\SupaDial.exe" []
"VTTimer"="VTTimer.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-03-03 10:29]
"nwiz"="nwiz.exe" [2004-03-03 10:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-03 10:29]
"CARPService"="carpserv.exe" [2003-06-11 11:54 C:\WINDOWS\system32\carpserv.exe]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-05-11 23:20]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17]
"Norton"="C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe" [2004-02-24 21:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-06 10:24]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 C:\WINDOWS\system32\BTSetBootKey.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"Motive SmartBridge"="C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 10:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-12 22:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmpenv"= {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll [ ]
"wmpconf"= !!236DF90B-CCFC-43AE-B92D-270620D98909} - C:\WINDOWS\wmpconf.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
c:\windows\system32\sbijsnu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zojypku]
c:\windows\system32\sbijsnu.exe
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
R3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
R3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 Tunx00;FunTV Video Capture;C:\WINDOWS\system32\DRIVERS\Tunx00.sys
R3 TxTuner;FunTV TV Tuner;C:\WINDOWS\system32\DRIVERS\TxTuner.sys
R3 USB_RNDIS;USB Remote NDIS Network Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 BTHMODEM;Bluetooth Serial Communications Driver;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Home\LOCALS~1\Temp\jfdcd.sys
S3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 viagfx;viagfx;C:\WINDOWS\system32\DRIVERS\vtmini.sys
S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
*Newly Created Service* - ASNDIS5
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-06-01 19:00:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Home.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 22:58:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-12 22:59:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 22:59
C:\ComboFix2.txt ... 2007-08-12 21:50
--- E O F ---Love MSE, Las Vegas and chocolate!0 -
The hjt log; no pop ups so far - what's next?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:11, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - !!1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - !!761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - !!90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - !!2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FHM - !!76028735-BBF1-4044-8DE2-5B90F0C7A77C} -\Program Files\FHM\GameClient.exe (file missing)
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} -\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} -\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: wmpenv - {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll (file missing)
O21 - SSODL: wmpconf - !!236DF90B-CCFC-43AE-B92D-270620D98909} - C:\WINDOWS\wmpconf.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
--
End of file - 9884 bytesLove MSE, Las Vegas and chocolate!0 -
It would appear you've unwittingly downloaded more nasties between posts.
Scan with HijackThis and place a checkmark in the boxes before the following entries:-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O21 - SSODL: wmpenv - {ED694E48-0780-4EE4-89AA-05E1F1EA2E76} - C:\WINDOWS\wmpenv.dll (file missing)
O21 - SSODL: wmpconf - !!236DF90B-CCFC-43AE-B92D-270620D98909} - C:\WINDOWS\wmpconf.dll (file missing)
Close all other windows except HijackThis and click the "Fix Checked" button.
Restart and post a fresh HJT log for me please.
Can you also run a search for this file using Windows Explorer:
c:\windows\system32\sbijsnu.exe
Ensure you have re-configured Windows Explorer to Show Hidden Files & Folders before searching.
Let me know if you find it. You currently have a malicious entry disabled from running at startup in msconfig.
Is there any reason why you haven't updated IE to version 7? IE7 is much more secure than IE6. A visit to Windows Update site is in order.
I've got to hit the sack now but I'll check back tomorrow night when I get home from work.
AS0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 350.2K Banking & Borrowing
- 252.8K Reduce Debt & Boost Income
- 453.2K Spending & Discounts
- 243.2K Work, Benefits & Business
- 597.6K Mortgages, Homes & Bills
- 176.5K Life & Family
- 256.2K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards