  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 815

Excessive popups and repeated attacks by viruses, trojans and malware on a Dell XP desktop

The problem is: popups and repeated attacks by viruses on a Dell XP desktop

I am wondering if there is something in the browser that is leading the poor folks who own this computer to sites where the malware, viruses and trojans harbor. I noticed many popups, and we caught WinFixer this afternoon and manually removed the last of 39 identified viruses and trojans.

Take a deep breath if you can understand HijackThis log files and see if you can help. If you would like, please look at the following HijackThis log file and tell me what to check and clean within HijackThis to improve the situation.

So far we have spent several days working on this computer for free for a farm family who contributes very much to children and is instrumental in our 4H group. They deserve a little free computer support because they work so hard for so many of the kids in the Verona, WI area. We were able to use a combination of AVAST software and Norton Antivirus, along with manual removal of one virus, to get the machine to scan clean with Norton.

I believe we're almost done cleaning this machine, but noticed the Netflix popups and a virus that was caught this afternoon called WinFixer.

Thank you in advance for your support.

Kind Regards,
Thomas Starich

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:58 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\jkxikpjp.dll",forkonce
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{FF-FA-A4-4C-ZN}] C:\windows\system32\mndsregm.exe SKY003
O4 - HKLM\..\Run: [yyednzqA] C:\WINDOWS\yyednzqA.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\owinondt.exe SKY003
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Sarbacker\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sarbacker\Application Data\Microsoft\Windows\nwcqlnh.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097012321843
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O20 - Winlogon Notify: nnnnnnl - nnnnnnl.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12306 bytes
1 Solution
 
devil_himself commented:
Open HijackThis again, do a system scan and fix the following entries:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\jkxikpjp.dll",forkonce
O4 - HKLM\..\Run: [{FF-FA-A4-4C-ZN}] C:\windows\system32\mndsregm.exe SKY003
O4 - HKLM\..\Run: [yyednzqA] C:\WINDOWS\yyednzqA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\owinondt.exe SKY003
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Sarbacker\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sarbacker\Application Data\Microsoft\Windows\nwcqlnh.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: nnnnnnl - nnnnnnl.dll (file missing)
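As an added example (not code from this thread or from HijackThis itself), the following Python script applies the same kind of triage shown in the answer above to HijackThis log lines: it parses the O-sections and flags entries that point at no file on disk, autoruns started from a user profile, a Windows system binary name living outside the Windows directory (the [Aida] spoolsv.exe case), random-looking file names, Winlogon Notify hooks and Trusted Zone entries. The heuristics and the sample lines are this example's own assumptions, and its output is a review list for a human, not a removal list.

```python
"""Triage helper for HijackThis 2.x log lines.

Added example for this thread, not code from the original posts or from
HijackThis.  The heuristics are this example's own assumptions; they
reproduce the kind of judgement made in the thread (entries with no backing
file, autoruns started from a user profile, a Windows system binary name
outside the Windows directory, random-looking names, Winlogon Notify hooks,
Trusted Zone entries) and produce a review list, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's log (a few lines only).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\jkxikpjp.dll",forkonce
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sarbacker\Application Data\Microsoft\Windows\nwcqlnh.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt yazb
O15 - Trusted Zone: *.musicmatch.com
O20 - Winlogon Notify: nnnnnnl - nnnnnnl.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl|scr|com|bat)\b", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\")
MISSING_MARKERS = ("(no file)", "(file missing)")
# Names of core Windows processes; a file with one of these names that is not
# under the Windows directory is a classic impersonation (cf. the [Aida] entry).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
VOWELS = set("aeiouy")


@dataclass
class Finding:
    line: str
    reasons: list


def extract_path(text):
    """Return the first drive-letter path ending in a binary extension, lower-cased."""
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def looks_random(stem, run=4):
    """True when the letters of a file stem contain a run of `run`+ consonants.

    Catches nwcqlnh / nnnnnnl / jkxikpjp style names.  Vendor abbreviations such
    as ccSvcHst will also trip it, which is why this is a triage aid, not a verdict.
    """
    letters = re.sub(r"[^a-z]", "", stem.lower())
    longest = cur = 0
    for ch in letters:
        cur = 0 if ch in VOWELS else cur + 1
        longest = max(longest, cur)
    return len(letters) >= 5 and longest >= run


def assess(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if any(mk in body.lower() for mk in MISSING_MARKERS):
        reasons.append("references a file that is not on disk")
    path = extract_path(body)
    if path:
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not WINDIR_RE.match(path):
            reasons.append(f"system binary name {name} outside the Windows directory")
        if "\\application data\\" in path or "\\appdata\\" in path:
            reasons.append("autorun started from a user profile directory")
        if looks_random(name.rsplit(".", 1)[0]):
            reasons.append(f"random-looking file name {name}")
    if section == "O20":
        reasons.append("Winlogon Notify hook; rarely legitimate on a home PC")
    if section == "O15":
        reasons.append("Trusted Zone entry lowers IE security for that site")
    return Finding(line.strip(), reasons) if reasons else None


def triage(log_text):
    """Run assess() over every line and keep the ones with at least one reason."""
    return [f for f in (assess(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

On the constructed sample the script flags six of the nine lines and leaves the Adobe, Symantec and HP entries alone; every flagged line still needs a human look before anything is fixed in HijackThis.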
 
devil_himself commented:
Download ComboFix and save it to your desktop.
----------------------------------------------------

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Post the ComboFix.txt

Note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
devil_himself commented:
Also go to Add/Remove Programs and uninstall Viewpoint Manager.
 
moorhouselondon commented:
devil_himself has cleared out most of the crud, but it may return unless action is taken. I would suggest, in addition, the following:

I would uninstall any Dell "user experience" type software, as I wonder whether this can be used as a conduit for malware (note that I'm not saying that Dell software is malware!).

There is some dispute as to whether Plaxo is spyware.

If using Norton AV, I would be inclined to recommend you ditch this in favour of AVG. Too many times now have I encountered PCs running Norton that have been riddled with threats, which AVG, once installed, fixes in no time.
 
moorhouselondon commented:
Forgot to add: one of the advantages that AVG has, that Norton doesn't, is that it can be run in Safe Mode.

Get the client to use Firefox for browsing.
 
TomStarich (author) commented:
I fixed the recommended items, including removal of Viewpoint. I had some question why we were removing GoogleToolbarNotifier.exe but just trusted you and did that too. The Cloudmark is a component I loaded from PayPal to remove spam, and I trust that application; it works well for me to remove spam. I pay $40 per year for it. ComboFix is very interesting. It changed the clock for a while and did a scan. I have no idea what it's doing but trust you again. Thank you for your assistance. I will let the computer run for a few more days and then  Have you heard of SmitFraudFix? The folks at Symantec who will rid your computer of viruses for $99 a pop often use it along with a stand-alone version of the Symantec antivirus and a check and fix of the sick computer using HijackThis.

I will get back to you later to award the points, any other recommendations would be welcome as well.

Thomas Starich RS
Food and Dairy Specialist
Madison, WI
 
devil_himself commented:
Please post the ComboFix.txt log. You can still be infected.
 
TomStarich (author) commented:
Dear Devil Himself,
This is the ComboFix log file you requested. I hope we got them all. :)

Thomas Starich

"Sarbacker" - 2007-07-29 16:09:02 - ComboFix 07-07-23.6 - Service Pack 2  NTFS  


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-29  )))))))))))))))))))))))))))))))


2007-07-28 13:52      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-07-27 16:59      <DIR>      d--------      C:\Program Files\iTunes
2007-07-27 16:57      <DIR>      d--------      C:\Program Files\QuickTime
2007-07-27 16:54      <DIR>      d--------      C:\Program Files\Common Files\Apple
2007-07-27 16:54      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-26 22:32      <DIR>      d--------      C:\Program Files\Norton Internet Security
2007-07-26 22:31      48,776      --a------      C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-07-26 22:31      115,000      --a------      C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-07-26 20:25      1,060,864      --a------      C:\WINDOWS\SYSTEM32\MFC71.dll
2007-07-26 20:25      <DIR>      d--------      C:\Program Files\Alwil Software
2007-07-25 23:14      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cloudmark
2007-07-25 23:13      <DIR>      d--------      C:\Program Files\Common Files\Cloudmark
2007-07-25 23:13      <DIR>      d--------      C:\Program Files\Cloudmark
2007-07-25 23:13      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-25 23:12      <DIR>      d--------      C:\Program Files\Common Files\Zero G Software
2007-07-25 22:48      <DIR>      d--------      C:\Tom Starich's Anti Virus Tools
2007-07-25 22:30      <DIR>      d--------      C:\Program Files\Trend Micro
2007-07-25 22:22      <DIR>      d--------      C:\VundoFix Backups
2007-07-25 22:01      53,248      --a------      C:\WINDOWS\SYSTEM32\Process.exe
2007-07-25 22:01      51,200      --a------      C:\WINDOWS\SYSTEM32\dumphive.exe
2007-07-25 22:01      288,417      --a------      C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-07-24 22:01      1,735,156      --ahs----      C:\WINDOWS\SYSTEM32\egjlm.ini2
2007-07-24 19:26      125,972      --a------      C:\WINDOWS\SYSTEM32\jkxikpjp.dll
2007-07-24 16:18      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft
2007-07-24 13:41      271,224      --a------      C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-24 13:41      208,248      --a------      C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-23 21:24      <DIR>      d--------      C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-23 20:42      1,184      --a------      C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-23 19:59      <DIR>      d--------      C:\WINDOWS\network diagnostic
2007-07-22 23:36      <DIR>      d----c---      C:\WINDOWS\SYSTEM32\DRVSTORE
2007-07-22 23:34      <DIR>      d--------      C:\Program Files\MSXML 4.0
2007-07-22 23:17      <DIR>      d--------      C:\WINDOWS\Prefetch
2007-07-22 22:22      <DIR>      d--------      C:\WINDOWS\provisioning
2007-07-22 22:22      <DIR>      d--------      C:\WINDOWS\peernet
2007-07-22 22:19      <DIR>      d--------      C:\WINDOWS\ServicePackFiles
2007-07-22 22:11      <DIR>      d--------      C:\WINDOWS\EHome
2007-07-12 19:11      24,064      --a------      C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-07-11 12:47      <DIR>      d--------      C:\Temp\brr
2007-07-03 20:10      <DIR>      d--------      C:\DOCUME~1\SARBAC~1\APPLIC~1\Error Safe Free
2007-07-03 20:06      1,734,544      --ahs----      C:\WINDOWS\SYSTEM32\egjlm.bak1


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 19:02:40      --------      d-----w      C:\Program Files\Common Files\Symantec Shared
2007-07-28 19:07:17      --------      d-----w      C:\Program Files\Plaxo
2007-07-28 18:40:03      --------      d-----w      C:\Program Files\Viewpoint
2007-07-27 22:00:14      --------      d-----w      C:\Program Files\iPod
2007-07-27 21:52:21      --------      d-----w      C:\Program Files\Apple Software Update
2007-07-27 03:45:37      --------      d-----w      C:\Program Files\Symantec
2007-07-27 03:45:34      806      ----a-w      C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-27 03:45:34      8,014      ----a-w      C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-25 04:49:37      --------      d-----w      C:\Program Files\Common Files\wmku
2007-07-25 02:59:37      1,735,117      --sha-w      C:\WINDOWS\system32\egjlm.bak2
2007-07-24 03:45:03      --------      d-----w      C:\Program Files\Messenger
2007-07-23 03:22:05      --------      d-----w      C:\Program Files\Movie Maker
2007-07-23 03:19:29      --------      d-----w      C:\Program Files\Windows NT
2007-07-23 02:55:20      --------      d-----w      C:\DOCUME~1\SARBAC~1\APPLIC~1\Lavasoft
2007-06-27 13:33:46      --------      d-----w      C:\Program Files\Google
2007-05-16 15:12:02      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2005-12-10 01:28:58      764,556      ----a-w      C:\Program Files\2006_YP_Leader_Broch.pdf
2005-11-08 00:26:42      1,957,429      ----a-w      C:\Program Files\sitebldr.exe
2005-11-08 00:17:44      279,603      ----a-w      C:\Program Files\hbe22.zip
2006-10-17 00:22:22      848      --sha-w      C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-10-05 15:28]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" []
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2004-10-08 09:49]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 23:34]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HostManager"="C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe" [2006-05-09 19:24]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 08:23]

C:\Documents and Settings\Sarbacker\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
Cloudmark Desktop for Outlook Express.lnk - C:\WINDOWS\Installer\{EBAD3676-B4BD-45EA-8DB4-7497D13AAD4A}\SC_1.ico [2007-07-25 23:13:30]
DESKTOP.INI [2002-09-03 09:00:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-27 08:23:53]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sarbacker^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Sarbacker\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 SQTECH905C;ViviCam 35;C:\WINDOWS\system32\Drivers\Capt905c.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
Stop Pending2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-27 20:53:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-29 17:43:01  C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-29 11:33:15  C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Sarbacker.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 16:12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 16:13:27
C:\ComboFix-quarantined-files.txt ... 2007-07-29 16:13
C:\ComboFix2.txt ... 2007-07-28 14:03

      --- E O F ---
 
devil_himself commented:
Copy everything below this line **********************************
Paste it into Notepad and save it as fix.bat.
Double-click it to run.

*********************************************************************
@echo off
title fix.bat
cls
echo Press any key to start fix.bat ...
pause
echo Start Date: & date /t
echo Start Time: & time /t
echo fix.bat running ...
REM Unregister the DLL that the [MemoryManager] Run entry loaded via rundll32.
regsvr32 /u C:\WINDOWS\SYSTEM32\jkxikpjp.dll
REM Clear system/hidden/read-only/archive attributes so del is not refused.
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\jkxikpjp.dll
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\tmp.reg
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\egjlm.ini2
attrib -s -h -r -a C:\WINDOWS\SYSTEM32\egjlm.bak1
attrib -s -h -r -a C:\WINDOWS\system32\egjlm.bak2
REM Delete the files named in the ComboFix log (/f forces, /q suppresses prompts).
del C:\WINDOWS\SYSTEM32\jkxikpjp.dll /f /q
del C:\WINDOWS\SYSTEM32\tmp.reg /f /q
del C:\WINDOWS\SYSTEM32\egjlm.bak1 /f /q
del C:\WINDOWS\SYSTEM32\egjlm.ini2 /f /q
del C:\WINDOWS\system32\egjlm.bak2 /f /q
echo Report any errors encountered while running fix.bat.
echo .....
echo fix.bat is finished!
echo Press any key to close this window ...
pause
exit

************************************************************

Go to Add/Remove Programs and uninstall WebBuying.

Check for and delete these two folders:

C:\Temp\brr
C:\Program Files\Viewpoint

**************************************************************************************

Your log has some signs of Vundo. Please do a Vundo scan.

Please download VundoFix.exe to your desktop.
-----------------------------------------------------

http://www.atribune.org/public-beta/VundoFix.exe

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.

******************************************************

Download HJTInstall.exe to your Desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

    * Double-click HJTInstall.exe to install it.
    * By default it will install to C:\Program Files\Trend Micro\HijackThis.
    * Click on Install.
    * It will create a HijackThis icon on the desktop.
    * Once installed, it will launch HijackThis.
    * Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
    * Copy/paste the log into your next reply, please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

*****************************************

Post the following:
1. Vundo log
2. A fresh HijackThis log

0
 
TomStarichAuthor Commented:
Web buying is not listed in Add/Remove Programs.
bb was removed.
Viewpoint was removed from the program folders.
0
 
TomStarichAuthor Commented:
I did not get a log file after VundoFix completed. Don't know why; maybe there were no issues?
0
 
TomStarichAuthor Commented:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:07 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134010731\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097012321843
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10584 bytes
0
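A triage pass over HijackThis log lines of the kind posted above, written in Python as an added example (not part of the thread, and not code from HijackThis or any tool linked in the replies). The sample lines are copied from this log except for one constructed line with a placeholder CLSID standing in for the DLL that fix.bat removes; the eight-letter DLL name check is a heuristic of this example, not a HijackThis rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format. All but one line are copied from
# the log posted in this thread; the jkxikpjp.dll line is constructed (placeholder
# CLSID) to show what the DLL deleted by the thread's fix.bat would look like.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM32\jkxikpjp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Entry lines look like "O2 - <body>"; headers and the process list do not match.
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# Heuristic (ours, not HijackThis's): eight random lowercase letters + .dll in
# system32, the naming pattern of the DLL this thread's fix.bat unregisters.
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)


def parse_hjt(text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reasons, body) for entries a reviewer should look at first."""
    findings = []
    for sec, body in parse_hjt(text):
        reasons = []
        if "(file missing)" in body:
            reasons.append("dangling entry, target file missing")
        if sec in ("O2", "O3", "O9") and "(no name)" in body:
            reasons.append("unnamed browser add-on, identify the DLL by path and publisher")
        if RANDOM_DLL.search(body.replace(" (file missing)", "")):
            reasons.append("random-looking DLL name in system32")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher string, check the binary's signature")
        if sec == "O16":  # ActiveX download: the URL is the last " - " field
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not host.endswith(".microsoft.com"):
                reasons.append(f"ActiveX control downloaded from third-party host {host}")
        if reasons:
            findings.append((sec, reasons, body))
    return findings
```

Entries that carry no reason (the Google BHO, the Symantec ccApp Run key, the start page) pass through unflagged, which is the point: the script narrows the log to what deserves a manual look rather than deciding anything by itself.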
 
TomStarichAuthor Commented:
I did finally get VirtumundoBeGone to run properly and got the following log file.

[07/30/2007, 15:33:15] - VirtumundoBeGone v1.5 ( "C:\Tom Starich's Anti Virus Tools\VirtumundoBeGone.exe" )
[07/30/2007, 15:33:23] - Detected System Information:
[07/30/2007, 15:33:23] -  Windows Version: 5.1.2600, Service Pack 2
[07/30/2007, 15:33:23] -  Current Username: Sarbacker (Admin)
[07/30/2007, 15:33:23] -  Windows is in NORMAL mode.
[07/30/2007, 15:33:23] - Searching for Browser Helper Objects:
[07/30/2007, 15:33:23] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/30/2007, 15:33:23] -  BHO 2: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/30/2007, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:33:23] -  Checking for HKLM\...\Winlogon\Notify\NppBho
[07/30/2007, 15:33:23] -  Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/30/2007, 15:33:23] -  BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/30/2007, 15:33:23] -  BHO 4: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[07/30/2007, 15:33:23] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:33:23] -  BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:33:23] - Finished Searching Browser Helper Objects
[07/30/2007, 15:33:23] - Finishing up...
[07/30/2007, 15:33:23] - Nothing found! Exiting...

[07/30/2007, 15:33:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Sarbacker\Desktop\VirtumundoBeGone.exe" )
[07/30/2007, 15:34:15] - Detected System Information:
[07/30/2007, 15:34:15] -  Windows Version: 5.1.2600, Service Pack 2
[07/30/2007, 15:34:15] -  Current Username: Sarbacker (Admin)
[07/30/2007, 15:34:15] -  Windows is in NORMAL mode.
[07/30/2007, 15:34:15] - Searching for Browser Helper Objects:
[07/30/2007, 15:34:15] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/30/2007, 15:34:15] -  BHO 2: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/30/2007, 15:34:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:34:15] -  Checking for HKLM\...\Winlogon\Notify\NppBho
[07/30/2007, 15:34:15] -  Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/30/2007, 15:34:15] -  BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/30/2007, 15:34:15] -  BHO 4: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[07/30/2007, 15:34:15] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:34:15] -  BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:34:15] - Finished Searching Browser Helper Objects
[07/30/2007, 15:34:15] - Finishing up...
[07/30/2007, 15:34:15] - Nothing found! Exiting...
0
 
devil_himselfCommented:
Your HijackThis log is clean.

How is your computer running?
Any more popups?
0
 
TomStarichAuthor Commented:
One would have to follow the whole thread to get any benefit from our work here, so I will accept the solution at the bottom. Thank you very much, devil_himself, for your hard work on ridding the 4H leader's computer of a bad infection. She was quite grateful for all of our work. I noticed only one pop-up today from Netflix and hope that was just a stray. I would still like to get with the family and find out if they are using any of the "Dell User Experience Programs" and, if not, remove the ones that are not being used.
0
 
TomStarichAuthor Commented:
Dear devil_himself, I have posted a set of HijackThis and ComboFix logs for my own computer because I was surprised at how many things we found on the 4H leader's computer. If you would like to support me in that question, please look at the following link. It's good for another 500 points. Thanks again for your help.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_22730741.html

Thomas Starich RS
Food and Dairy Specialist
0