Question

Excessive Popups and repeated attacks by viruses, trojans and malware on a Dell XP Desktop

Asked by: TomStarich

The problem is: Popups and repeated attacks by viruses on a Dell XP Desktop

I am wondering if there is something in the browser that is leading the poor folks who own this computer to sites where the malware, viruses and trojans harbor. I noticed many popups, and we caught WinFixer this afternoon and manually removed the last of 39 identified viruses and trojans.

Take a deep breath if you can understand HijackThis log files and see if you can help. If you would like, please look at the following HijackThis log file and tell me what to check and clean within HijackThis to improve the situation.

So far we have had several days working on this computer for free for a farm family who contributes very much to children and is instrumental in our 4H group. They deserve a little free computer support because they work so hard for so many of the kids in the Verona, WI area. We were able to use a combination of Avast software and Norton Antivirus along with manual removal of one virus to get the machine to scan clean with Norton.

I believe we're almost done cleaning this machine, but noticed the Netflix pop-ups and a virus that was caught this afternoon called WinFixer.

Thank you in advance for your support.

Kind Regards,
Thomas Starich

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:58 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\jkxikpjp.dll",forkonce
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{FF-FA-A4-4C-ZN}] C:\windows\system32\mndsregm.exe SKY003
O4 - HKLM\..\Run: [yyednzqA] C:\WINDOWS\yyednzqA.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\owinondt.exe SKY003
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Sarbacker\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sarbacker\Application Data\Microsoft\Windows\nwcqlnh.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097012321843
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O20 - Winlogon Notify: nnnnnnl - nnnnnnl.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12306 bytes

Asked on: 2007-07-27 at 16:20:01 (ID 22725667)
Topics: Desktop Anti-Virus, HijackThis Software
Participating experts: 2 | Points: 500 | Comments: 16


Answers

 

by: devil_himself, posted on 2007-07-27 at 19:41:58, ID: 19583437

Open HijackThis again, do a system scan and fix the following things:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\jkxikpjp.dll",forkonce
O4 - HKLM\..\Run: [{FF-FA-A4-4C-ZN}] C:\windows\system32\mndsregm.exe SKY003
O4 - HKLM\..\Run: [yyednzqA] C:\WINDOWS\yyednzqA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\owinondt.exe SKY003
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Sarbacker\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sarbacker\Application Data\Microsoft\Windows\nwcqlnh.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: nnnnnnl - nnnnnnl.dll (file missing)
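As an added example that is not part of this thread or of HijackThis itself, the Python script below applies the indicators behind the fix list above (orphaned entries, random-looking file names, Windows system binary names outside the system directory, auto-starts from the user profile, Trusted Zone and Winlogon Notify entries) to lines taken from the posted log. The regexes, thresholds and the `looks_random` heuristic are my own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis log by re-applying, as code, the indicators behind the
fix list above. Added example, not HijackThis code; the thresholds below are
assumptions meant to prompt a closer look, not to deliver a verdict."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in the question.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\jkxikpjp.dll",forkonce
O4 - HKLM\..\Run: [{FF-FA-A4-4C-ZN}] C:\windows\system32\mndsregm.exe SKY003
O4 - HKLM\..\Run: [yyednzqA] C:\WINDOWS\yyednzqA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sarbacker\Application Data\Microsoft\Windows\nwcqlnh.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt yazb
O15 - Trusted Zone: *.musicmatch.com
O20 - Winlogon Notify: nnnnnnl - nnnnnnl.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"([RFNO]\d+) - ")
# A drive-letter path ending in .exe/.dll; lazy, so it stops at the first binary.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)\b', re.IGNORECASE)
FILE_RE = re.compile(r"([\w~$\-]+\.(?:exe|dll))\b", re.IGNORECASE)

# Windows binary names that malware likes to borrow when dropped elsewhere.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "smss.exe", "services.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\", "\\winnt\\system32\\")
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\")
VENDOR_DIRS = ("\\program files\\", "\\progra~1\\")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    line: str      # the log line as written
    reasons: list  # why it was flagged


def looks_random(filename: str) -> bool:
    """Heuristic: 7+ letters, at most two vowels and a run of 4+ consonants
    (jkxikpjp, nwcqlnh, nnnnnnl). Some vendor names trip it too (tfswctrl and
    wanmpsvc in the full log), so treat a hit as "verify", not "malicious"."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 7:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowels <= 2 and longest_consonant_run >= 4


def triage(log_text: str) -> list:
    """Return one Finding per HijackThis line that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, running-process list, blank or separator line
        section = m.group(1)
        path_m = PATH_RE.search(line)
        path = path_m.group(0).lower() if path_m else ""
        file_m = FILE_RE.search(path_m.group(0) if path_m else line)
        filename = file_m.group(1) if file_m else ""
        reasons = []
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("orphaned entry: the registered file no longer exists")
        if path and filename.lower() in SYSTEM_BINARIES and not any(d in path for d in SYSTEM_DIRS):
            reasons.append(f"{filename} is a Windows system binary name outside the system directory")
        if section == "O4" and any(d in path for d in PROFILE_DIRS):
            reasons.append("auto-start from a user-writable profile directory")
        if filename and not any(d in path for d in VENDOR_DIRS) and looks_random(filename):
            reasons.append(f"random-looking file name {filename}")
        if section == "O15":
            reasons.append("Trusted Zone entry: IE relaxes its security settings for this domain")
        if section == "O20":
            reasons.append("Winlogon Notify hook: loads at every logon, before the shell")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample it flags eight of the twelve lines and leaves the Adobe, Symantec, ctfmon and NVIDIA entries alone; the `looks_random` hits still need checking against the vendor before anything is fixed.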

 

by: devil_himself, posted on 2007-07-27 at 19:42:58, ID: 19583441

Download Combofix and save it to your desktop.
----------------------------------------------------

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Post the ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

by: devil_himself, posted on 2007-07-27 at 19:48:10, ID: 19583451

Also go to Add/Remove Programs and uninstall Viewpoint Manager.

 

by: moorhouselondon, posted on 2007-07-28 at 09:51:29, ID: 19585230

devil_himself has cleared out most of the crud, but it may return unless action is taken. I would suggest, in addition, the following:

I would uninstall any Dell "user experience" type software as I wonder whether this can be used as a conduit for malware (note that I'm not saying that Dell software is malware!)

There is some dispute as to whether Plaxo is spyware

If using Norton AV I would be inclined to recommend you ditch this in favour of AVG. Too many times now have I encountered PCs running Norton that have been riddled with threats, which AVG, once installed, fixes in no time.

 

by: moorhouselondon, posted on 2007-07-28 at 09:54:37, ID: 19585244

Forgot to add: one of the advantages that AVG has, that Norton doesn't, is that it can be run in Safe Mode.

Get the client to use Firefox for browsing.

 

by: TomStarich, posted on 2007-07-28 at 12:01:28, ID: 19585590

I fixed the recommended items, including removal of Viewpoint. Had some question why we were removing the GoogleToolbarNotifier.exe but just trusted you and did that too. The Cloudmark is a component I loaded from PayPal to remove spam, and I trust that application; it works well for me to remove spam. I pay $40 per year for it. ComboFix is very interesting. It changed the clock for a while and did a scan. I have no idea what it's doing but trust you again. Thank you for your assistance. I will let the computer run for a few more days and then... Have you heard of SmitFraudFix? The folks at Symantec who will rid your computer of viruses for $99 a pop often use it along with a stand-alone version of the Symantec antivirus and a check and fix of the sick computer using HijackThis.

I will get back to you later to award the points, any other recommendations would be welcome as well.

Thomas Starich RS
Food and Dairy Specialist
Madison, WI

 

by: devil_himself, posted on 2007-07-28 at 18:12:14, ID: 19586595

Please post the ComboFix.txt log. You can still be infected.

 

by: TomStarich, posted on 2007-07-29 at 14:27:12, ID: 19589087

Dear Devil Himself,
This is the ComboFix log file you requested. I hope we got them all. :)

Thomas Starich

"Sarbacker" - 2007-07-29 16:09:02 - ComboFix 07-07-23.6 - Service Pack 2  NTFS  


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-29  )))))))))))))))))))))))))))))))


2007-07-28 13:52      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-07-27 16:59      <DIR>      d--------      C:\Program Files\iTunes
2007-07-27 16:57      <DIR>      d--------      C:\Program Files\QuickTime
2007-07-27 16:54      <DIR>      d--------      C:\Program Files\Common Files\Apple
2007-07-27 16:54      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-26 22:32      <DIR>      d--------      C:\Program Files\Norton Internet Security
2007-07-26 22:31      48,776      --a------      C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-07-26 22:31      115,000      --a------      C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-07-26 20:25      1,060,864      --a------      C:\WINDOWS\SYSTEM32\MFC71.dll
2007-07-26 20:25      <DIR>      d--------      C:\Program Files\Alwil Software
2007-07-25 23:14      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cloudmark
2007-07-25 23:13      <DIR>      d--------      C:\Program Files\Common Files\Cloudmark
2007-07-25 23:13      <DIR>      d--------      C:\Program Files\Cloudmark
2007-07-25 23:13      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-25 23:12      <DIR>      d--------      C:\Program Files\Common Files\Zero G Software
2007-07-25 22:48      <DIR>      d--------      C:\Tom Starich's Anti Virus Tools
2007-07-25 22:30      <DIR>      d--------      C:\Program Files\Trend Micro
2007-07-25 22:22      <DIR>      d--------      C:\VundoFix Backups
2007-07-25 22:01      53,248      --a------      C:\WINDOWS\SYSTEM32\Process.exe
2007-07-25 22:01      51,200      --a------      C:\WINDOWS\SYSTEM32\dumphive.exe
2007-07-25 22:01      288,417      --a------      C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-07-24 22:01      1,735,156      --ahs----      C:\WINDOWS\SYSTEM32\egjlm.ini2
2007-07-24 19:26      125,972      --a------      C:\WINDOWS\SYSTEM32\jkxikpjp.dll
2007-07-24 16:18      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft
2007-07-24 13:41      271,224      --a------      C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-24 13:41      208,248      --a------      C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-23 21:24      <DIR>      d--------      C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-23 20:42      1,184      --a------      C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-23 19:59      <DIR>      d--------      C:\WINDOWS\network diagnostic
2007-07-22 23:36      <DIR>      d----c---      C:\WINDOWS\SYSTEM32\DRVSTORE
2007-07-22 23:34      <DIR>      d--------      C:\Program Files\MSXML 4.0
2007-07-22 23:17      <DIR>      d--------      C:\WINDOWS\Prefetch
2007-07-22 22:22      <DIR>      d--------      C:\WINDOWS\provisioning
2007-07-22 22:22      <DIR>      d--------      C:\WINDOWS\peernet
2007-07-22 22:19      <DIR>      d--------      C:\WINDOWS\ServicePackFiles
2007-07-22 22:11      <DIR>      d--------      C:\WINDOWS\EHome
2007-07-12 19:11      24,064      --a------      C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-07-11 12:47      <DIR>      d--------      C:\Temp\brr
2007-07-03 20:10      <DIR>      d--------      C:\DOCUME~1\SARBAC~1\APPLIC~1\Error Safe Free
2007-07-03 20:06      1,734,544      --ahs----      C:\WINDOWS\SYSTEM32\egjlm.bak1


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 19:02:40      --------      d-----w      C:\Program Files\Common Files\Symantec Shared
2007-07-28 19:07:17      --------      d-----w      C:\Program Files\Plaxo
2007-07-28 18:40:03      --------      d-----w      C:\Program Files\Viewpoint
2007-07-27 22:00:14      --------      d-----w      C:\Program Files\iPod
2007-07-27 21:52:21      --------      d-----w      C:\Program Files\Apple Software Update
2007-07-27 03:45:37      --------      d-----w      C:\Program Files\Symantec
2007-07-27 03:45:34      806      ----a-w      C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-27 03:45:34      8,014      ----a-w      C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-25 04:49:37      --------      d-----w      C:\Program Files\Common Files\wmku
2007-07-25 02:59:37      1,735,117      --sha-w      C:\WINDOWS\system32\egjlm.bak2
2007-07-24 03:45:03      --------      d-----w      C:\Program Files\Messenger
2007-07-23 03:22:05      --------      d-----w      C:\Program Files\Movie Maker
2007-07-23 03:19:29      --------      d-----w      C:\Program Files\Windows NT
2007-07-23 02:55:20      --------      d-----w      C:\DOCUME~1\SARBAC~1\APPLIC~1\Lavasoft
2007-06-27 13:33:46      --------      d-----w      C:\Program Files\Google
2007-05-16 15:12:02      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2005-12-10 01:28:58      764,556      ----a-w      C:\Program Files\2006_YP_Leader_Broch.pdf
2005-11-08 00:26:42      1,957,429      ----a-w      C:\Program Files\sitebldr.exe
2005-11-08 00:17:44      279,603      ----a-w      C:\Program Files\hbe22.zip
2006-10-17 00:22:22      848      --sha-w      C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-10-05 15:28]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" []
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2004-10-08 09:49]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 23:34]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HostManager"="C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe" [2006-05-09 19:24]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 08:23]

C:\Documents and Settings\Sarbacker\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
Cloudmark Desktop for Outlook Express.lnk - C:\WINDOWS\Installer\{EBAD3676-B4BD-45EA-8DB4-7497D13AAD4A}\SC_1.ico [2007-07-25 23:13:30]
DESKTOP.INI [2002-09-03 09:00:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-27 08:23:53]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sarbacker^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Sarbacker\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SQTECH905C;ViviCam 35;C:\WINDOWS\system32\Drivers\Capt905c.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
Stop Pending2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-27 20:53:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-29 17:43:01  C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-29 11:33:15  C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Sarbacker.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 16:12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 16:13:27
C:\ComboFix-quarantined-files.txt ... 2007-07-29 16:13
C:\ComboFix2.txt ... 2007-07-28 14:03

      --- E O F ---

 

by: devil_himself | Posted on 2007-07-29 at 18:12:41 | ID: 19589575

Copy everything below this line **********************************
Paste it in Notepad and save as fix.bat.
Double-click to run.

*********************************************************************
@echo off
title fix.bat
cls
echo Press any key to start fix.bat ...
pause
echo Start Date: & date /t
echo Start Time: & time /t
echo fix.bat running ...
rem Unregister the suspect DLL first so its COM/BHO registration no longer points at the file
regsvr32 /u jkxikpjp.dll
rem Strip the system, hidden, read-only and archive attributes so del can remove the files
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\jkxikpjp.dll
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\tmp.reg
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\egjlm.ini2
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\egjlm.bak1
attrib -s -h -r -a C:\WINDOWS\system32\egjlm.bak2
rem Force-delete quietly: /f overrides read-only, /q suppresses the confirmation prompt
del C:\WINDOWS\SYSTEM32\jkxikpjp.dll /f /q
del C:\WINDOWS\SYSTEM32\tmp.reg /f /q
del C:\WINDOWS\SYSTEM32\egjlm.bak1 /f /q
del C:\WINDOWS\SYSTEM32\egjlm.ini2 /f /q
del C:\WINDOWS\system32\egjlm.bak2 /f /q
echo Report any errors encountered while running fix.bat.
echo .....
echo fix.bat is finished!
echo Press any key to close this window ...
pause
exit

************************************************************

Go to Add/Remove Programs and uninstall --- webbuying

Check for and delete these two folders:

C:\Temp\brr
C:\Program Files\Viewpoint

**************************************************************************************

Your log has some signs of Vundo ... Please do a Vundo scan.

Please download VundoFix.exe to your desktop.
-----------------------------------------------------

http://www.atribune.org/public-beta/VundoFix.exe

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.

******************************************************

Download HJTInstall.exe to your Desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

    * Double-click HJTInstall.exe to install it.
    * By default it will install to C:\Program Files\Trend Micro\HijackThis.
    * Click on Install.
    * It will create a HijackThis icon on the desktop.
    * Once installed, it will launch HijackThis.
    * Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
    * Copy/paste the log into your next reply, please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

*****************************************

Post the following:
1. Vundo log
2. A fresh HijackThis log





 

by: TomStarich | Posted on 2007-07-30 at 13:19:50 | ID: 19595426

Web Buying is not listed in Add/Remove Programs.
bb was removed.
Viewpoint was removed from the Program Files folder.

 

by: TomStarich | Posted on 2007-07-30 at 13:29:40 | ID: 19595484

I did not get a log file after VundoFix completed. Don't know why; maybe there were no issues?

 

by: TomStarich | Posted on 2007-07-30 at 13:30:46 | ID: 19595494

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:07 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097012321843
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10584 bytes
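To show how a defender can triage a HijackThis v2 log like the one above mechanically rather than only by eye, here is an added Python example; it is not code from this thread or from Trend Micro's tool. It parses the R*/O* entry lines and flags the patterns a helper looks at first (unnamed components, orphaned entries pointing at missing files, services with no recorded publisher, autostarts launched from temp or profile folders, and third-party ActiveX downloads) as review prompts, not verdicts. The sample lines are copied from the log posted above except for the one `[brr]` O4 line, which is constructed; the heuristics, path markers and function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines in HijackThis v2 log format. All but the
# "[brr]" O4 line are copied from the log posted in this thread; that O4
# line is constructed so the temp-folder heuristic has something to fire on.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [brr] C:\Temp\brr\brr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Every HijackThis entry line starts with a section code (R0..R3, O1..O24)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Folders from which legitimate installers rarely run autostart entries
# (assumed heuristic, lower-cased for matching).
RISKY_PATH_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Entry:
    code: str   # e.g. "O2"
    body: str   # everything after "O2 - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_entries(log_text: str) -> List[Entry]:
    """Extract the R*/O* entry lines; process lists and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Flag entries that deserve a second look. A finding is a review prompt,
    not a verdict: most of what HijackThis lists is harmless or required,
    so nothing here is removed automatically."""
    findings: List[Finding] = []
    for e in parse_entries(log_text):
        b = e.body
        low = b.lower()
        if e.code in ("R0", "R1") and low.endswith("= about:blank"):
            findings.append(Finding(e.code, "start page is about:blank; common after a hijacker was removed, confirm the intended home page", b))
        if e.code in ("O2", "O3", "O9") and "(no name)" in b:
            findings.append(Finding(e.code, "component registered without a display name; identify it by CLSID and file path", b))
        if "(file missing)" in b:
            findings.append(Finding(e.code, "registry entry points at a file that no longer exists (orphaned entry)", b))
        if e.code == "O23" and "Unknown owner" in b:
            findings.append(Finding(e.code, "service binary has no recorded publisher; verify the file's vendor or signature", b))
        if e.code == "O4" and any(mk in low for mk in RISKY_PATH_MARKERS):
            findings.append(Finding(e.code, "autostart runs from a temp or profile folder", b))
        if e.code == "O16" and "microsoft.com" not in low:
            findings.append(Finding(e.code, "downloaded ActiveX control from a third-party host; confirm it is still wanted", b))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.body}")
```

Run it against a saved log by replacing `SAMPLE_LOG` with the file contents; the output lists each flagged entry with the reason, and the O9 msjava.dll line correctly shows up twice (no name and file missing). The script never calls HijackThis's fix function, which matches the advice in this thread to review findings before fixing anything.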

 

by: TomStarich | Posted on 2007-07-30 at 13:37:00 | ID: 19595534

I did finally get VirtumundoBeGone to run properly and got the following log file.

[07/30/2007, 15:33:15] - VirtumundoBeGone v1.5 ( "C:\Tom Starich's Anti Virus Tools\VirtumundoBeGone.exe" )
[07/30/2007, 15:33:23] - Detected System Information:
[07/30/2007, 15:33:23] -  Windows Version: 5.1.2600, Service Pack 2
[07/30/2007, 15:33:23] -  Current Username: Sarbacker (Admin)
[07/30/2007, 15:33:23] -  Windows is in NORMAL mode.
[07/30/2007, 15:33:23] - Searching for Browser Helper Objects:
[07/30/2007, 15:33:23] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/30/2007, 15:33:23] -  BHO 2: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/30/2007, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:33:23] -  Checking for HKLM\...\Winlogon\Notify\NppBho
[07/30/2007, 15:33:23] -  Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/30/2007, 15:33:23] -  BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/30/2007, 15:33:23] -  BHO 4: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[07/30/2007, 15:33:23] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:33:23] -  BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:33:23] - Finished Searching Browser Helper Objects
[07/30/2007, 15:33:23] - Finishing up...
[07/30/2007, 15:33:23] - Nothing found! Exiting...

[07/30/2007, 15:33:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Sarbacker\Desktop\VirtumundoBeGone.exe" )
[07/30/2007, 15:34:15] - Detected System Information:
[07/30/2007, 15:34:15] -  Windows Version: 5.1.2600, Service Pack 2
[07/30/2007, 15:34:15] -  Current Username: Sarbacker (Admin)
[07/30/2007, 15:34:15] -  Windows is in NORMAL mode.
[07/30/2007, 15:34:15] - Searching for Browser Helper Objects:
[07/30/2007, 15:34:15] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/30/2007, 15:34:15] -  BHO 2: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/30/2007, 15:34:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:34:15] -  Checking for HKLM\...\Winlogon\Notify\NppBho
[07/30/2007, 15:34:15] -  Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/30/2007, 15:34:15] -  BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/30/2007, 15:34:15] -  BHO 4: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[07/30/2007, 15:34:15] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:34:15] -  BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:34:15] - Finished Searching Browser Helper Objects
[07/30/2007, 15:34:15] - Finishing up...
[07/30/2007, 15:34:15] - Nothing found! Exiting...

 

by: devil_himself | Posted on 2007-07-30 at 18:15:37 | ID: 19597133

Your HijackThis log is clean.

How is your computer running?
Any more popups?
 

 

by: TomStarich | Posted on 2007-07-30 at 19:19:40 | ID: 19597355

One would have to follow the whole thread to get any benefit from our work here, so I will accept the solution at the bottom. Thank you very much, devil_himself, for your hard work on ridding the 4H leader's computer of a bad infection. She was quite grateful for all of our work. I noticed only one pop-up today from Netflix and hope that was just a stray. I would still like to get with the family and find out if they are using any of the "Dell User Experience Programs" and, if not, remove the ones that are not being used.

 

by: TomStarich | Posted on 2007-07-31 at 05:36:03 | ID: 19599720

Dear devil_himself, I have posted a set of HijackThis and ComboFix logs for my own computer because I was surprised at how many things we found on the 4H leader's computer. If you would like to support me on that question, please look at the following link. It's good for another 500 points. Thanks again for your help.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_22730741.html

Thomas Starich RS
Food and Dairy Specialist
