
annoying window pop up!!

  • 17-06-2007 5:19pm
    #1
    Closed Accounts Posts: 36


    Would anyone know how to stop Internet Explorer windows from popping up every 3-4 minutes on my PC? This only happens when I have an Internet Explorer window open. A page opens and I get the message "page cannot be found". Even as I'm typing this a few have popped up!!
    I'm using Firefox as my explorer, any help would be appreciated, thanks


Comments

  • Registered Users, Registered Users 2 Posts: 11,389 ✭✭✭✭Saruman


    You are infected with malware/spyware, so that depends on what's running.

    Firstly, uninstall any crap through Add/Remove Programs: anything to do with save and bargains and ads etc. Some of them are sort of legit so you can uninstall them.
    If it's a bad one though you will need special software to do it. Ewido might work, as might Spybot S&D.
    If it's some of the very hard to get ones though you will need professional help, as you will need tools like HijackThis etc. that are not for someone who does not know what they are doing.


  • Closed Accounts Posts: 36 stevo86


    okay thanks for that


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Please don't run any scans yet. Do this and we can fix up your PC.

    Please download the self-extracting version of HijackThis from here:

    HijackThis_sfx download

    Save HijackThis_sfx to your desktop.

    Double-click the file then click the Unzip button. Then close the Self-Extractor window.

    Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

    Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

    Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here.


  • Closed Accounts Posts: 36 stevo86


    OK, here's what I got.......


    Logfile of HijackThis v1.99.1
    Scan saved at 19:02:44, on 17/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\KService\KService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}\Update.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Documents and Settings\Stephen\Desktop\hijackthis_sfx.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30961~1\Bar888.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [{70961D1E-09DF-1033-0815-050416200161}] "C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}\Update.exe" te-110-12-0000245
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1781821B-A79C-430D-BEC5-CA738C6BAD45}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CCS\Services\Tcpip\..\{258F4BB7-C84B-4990-8E0B-84A63B21CCC0}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3844DD90-02B6-41A5-B74B-EFD88A07DFD5}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9EEFC672-D38D-42BE-B8A6-8CE66A8346C1}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BB6CC520-F798-4CC1-9F66-D912042DA8DF}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCF1F1E6-EE62-4F20-BEC5-485E4C08D79D}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1781821B-A79C-430D-BEC5-CA738C6BAD45}: NameServer = 85.255.116.149,85.255.112.14
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000245 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

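The log above carries several entry types that a reviewer checks first: O17 lines that set every network interface's NameServer to the same two addresses, an O23 service whose binary is "(file missing)", an O2 BHO with "(no file)", and O3/O4 autostarts living in GUID-named directories. The following Python is an added example, not part of the original thread or of HijackThis itself; it parses a constructed sample made of lines copied from the log above and flags those entry types. TRUSTED_RESOLVERS is a placeholder for whatever resolvers the machine is actually supposed to use (an ISP's or a home router's address), so any non-private NameServer outside that list is reported.

```python
"""Triage a HijackThis v1.99 log for the indicator types that appear in this thread."""
import ipaddress
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "section reason detail line")

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30961~1\Bar888.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{70961D1E-09DF-1033-0815-050416200161}] "C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}\Update.exe" te-110-12-0000245
O17 - HKLM\System\CCS\Services\Tcpip\..\{1781821B-A79C-430D-BEC5-CA738C6BAD45}: NameServer = 85.255.116.149,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000245 (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Placeholder (assumption): the resolvers this machine is supposed to use, e.g. the
# ISP's or the home router's address. Any other non-private NameServer is flagged.
TRUSTED_RESOLVERS = ("203.0.113.53",)

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")
# A path component that starts with '{' and a run of hex digits: either a full
# GUID ({70961D1E-...}) or its 8.3 short form ({30961~1).
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{5,8}")


def parse_entries(log_text):
    """Yield (section, body) for every 'Rn - ...' / 'On - ...' line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return the entries a reviewer would look at first."""
    trusted = {ipaddress.ip_address(a) for a in trusted_resolvers}
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if not m:
                continue
            # NameServer values are comma- or space-separated depending on the key
            for addr in re.split(r"[,\s]+", m.group(1).strip()):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue
                if not ip.is_private and ip not in trusted:
                    findings.append(Finding(section, "unexpected DNS resolver", addr, body))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "service binary missing", body.split(" - ")[-1], body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned BHO registration", body, body))
        elif section in ("O3", "O4") and GUID_DIR_RE.search(body):
            findings.append(Finding(section, "autostart from GUID-named directory", body, body))
    return findings


def summarize(findings):
    """Count findings per reason; unexpected resolvers are returned deduplicated."""
    counts = Counter(f.reason for f in findings)
    resolvers = sorted({f.detail for f in findings if f.reason == "unexpected DNS resolver"})
    return dict(counts), resolvers


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason:36} {f.detail}")
    print(summarize(found))
```

Run against the sample, the script reports the two resolver addresses once each across all O17 lines, the missing-file service, the orphaned BHO and the two GUID-directory autostarts; the legitimate iTunes and iPod entries pass through untouched. Supplying the expected resolvers in `trusted_resolvers` silences the O17 findings, which is how you would tune it for a known network.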

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Please do all these steps as you have some bad infections on your PC. You may want to print out or save these instructions in notepad to your desktop.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    Please download FixWareout from here:
    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.


    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.


    So in your next reply I need to see the following : the SDFix report, the FixWareOut report, the HijackThis Uninstall List, and a new HijackThis log. Also tell me if you had any problems.


  • Closed Accounts Posts: 36 stevo86


    OK, here's the Fixwareout report


    Fixwareout Last edited 5/15/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check

    »»»»»

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other
    C:\WINDOWS\Temp\kdjaq.ren 63403 04/08/2004

    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
    "MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
    "igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "{70961D1E-09DF-1033-0815-050416200161}"="\"C:\\Program Files\\Common Files\\{70961D1E-09DF-1033-0815-050416200161}\\Update.exe\" te-110-12-0000245"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="C:\\WINDOWS\\kdx\\KHost.exe -all"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»


  • Closed Accounts Posts: 36 stevo86


    Here's the HijackThis uninstall list..........

    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Reader 7.0
    Apple Software Update
    AviSynth 2.5
    Azureus
    BearShare
    Bebo - Skype 2.0
    Belarc Advisor 7.2
    CCHelp
    CDBurnerXP Pro 3
    CinepPlayer 30 Update
    Corel Paint Shop Pro X
    Creative MediaSource
    Creative Removable Disk Manager
    Creative System Information
    Creative Zen MicroPhoto
    Dell CinePlayer
    Dell Driver Reset Tool
    Dell Media Experience
    Dublin Uploadable Timetable
    EphPod
    foobar2000 v0.9.4.3
    Google Earth
    Google Earth Pro
    HijackThis 1.99.1
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB926239)
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    iPod for Windows 2005-01-11
    iPod for Windows 2006-01-10
    IpWins
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) SE Runtime Environment 6 Update 1
    Macromedia Flash Player 8
    MCU
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office XP Professional with FrontPage
    Microsoft SQL Server Desktop Engine
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Mozilla Firefox (2.0.0.1)
    Mozilla Firefox (2.0.0.4)
    MSN
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    Netopia 3300 Series USB Network Adapter
    NoAdware 2.01
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia PC Suite
    Nokia Software Updater
    PC Connectivity Solution
    Photohands 1.0E
    PSP Video 9 1.74
    QuickTime
    screensaver1
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Shockwave
    Sky Anytime
    Sonic Activation Module
    Sony PSP Media Manager 1.0
    Tennis Titans
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    VideoEgg Publisher
    VideoLAN VLC media player 0.8.5
    WinAce Archiver
    Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
    Windows Driver Package - Nokia Modem (02/15/2007 3.1)
    Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859


  • Closed Accounts Posts: 36 stevo86


    And the HijackThis report.........

    Logfile of HijackThis v1.99.1
    Scan saved at 20:20:15, on 18/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\KService\KService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}\Update.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Stephen\Desktop\Fix it!!!!!\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30961~1\Bar888.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [{70961D1E-09DF-1033-0815-050416200161}] "C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}\Update.exe" te-110-12-0000245
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


  • Closed Accounts Posts: 36 stevo86


    I ran the SDFix programme and it worked okay, but I deleted the report by mistake when I had to reboot the computer, so will I have to re-run the programme again in safe mode to get another report for it????


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Don't worry about running SDFix again since it won't be able to give us the proper log since it removed the stuff already.

    Please go to Start > Control Panel > Add or Remove Programs > Remove the following :

    IpWins
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    NoAdware 2.01 << this is considered a rogue anti-spyware product and is not good at all

    You are also using an old version of VLC, you can update it here

    Do you know this program "screensaver1"? Can you tell me more about it please.

    Go to this site:
    http://www.virustotal.com/en/indexx.html
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}\Update.exe

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    Next run HijackThis, click "Do a system scan only" and check this entry

    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30961~1\Bar888.dll


    Close all windows except for HijackThis and click "Fix checked".

    Next delete this folder in bold :

    C:\Program Files\Common Files\{30961~1 << delete the folder that starts with these 5 digits


    So in your next reply I need to see the following : tell me how the uninstallations went, the result of that file I asked you to scan, a new HijackThis log, and tell me if you had any problems.


  • Closed Accounts Posts: 36 stevo86


    All the uninstallations went OK, they were occupying a huge amount of space on the HDD!

    Here are the results of that file you asked me to scan.........


    Antivirus Version Update Result
    AhnLab-V3 2007.6.16.0 06.19.2007 Win-Trojan/Matcash.14336
    AntiVir 7.4.0.34 06.19.2007 ADSPY/Softomate.AC.6
    Authentium 4.93.8 06.18.2007 no virus found
    Avast 4.7.997.0 06.18.2007 Win32:Adware-gen.
    AVG 7.5.0.467 06.18.2007 Adware Generic.SPN
    BitDefender 7.2 06.19.2007 Trojan.Downloader.Agent.ATO
    CAT-QuickHeal 9.00 06.18.2007 AdWare.Softomate.ac (Not a Virus)
    ClamAV devel-20070416 06.19.2007 no virus found
    DrWeb 4.33 06.19.2007 Trojan.DownLoader.17040
    eSafe 7.0.15.0 06.19.2007 Win32.Adclicker
    eTrust-Vet 30.7.3727 06.19.2007 Win32/Matcash.D
    Ewido 4.0 06.19.2007 Adware.Softomate
    FileAdvisor 1 06.19.2007 no virus found
    Fortinet 2.91.0.0 06.19.2007 Adware/Dloader
    F-Prot 4.3.2.48 06.18.2007 W32/Adware.BAF
    F-Secure 6.70.13030.0 06.19.2007 no virus found
    Ikarus T3.1.1.8 06.19.2007 not-a-virus:AdWare.Win32.Softomate.ac
    Kaspersky 4.0.2.24 06.19.2007 not-a-virus:AdWare.Win32.Softomate.ac
    McAfee 5055 06.18.2007 Generic Downloader.k
    Microsoft 1.2607 06.19.2007 BrowserModifier:Win32/Matcash
    NOD32v2 2338 06.19.2007 no virus found
    Norman 5.80.02 06.18.2007 W32/Softomate.IH
    Panda 9.0.0.4 06.19.2007 Generic Trojan
    Prevx1 V2 06.19.2007 Generic.Malware
    Sophos 4.18.0 06.12.2007 CommAd
    Sunbelt 2.2.907.0 06.16.2007 Trojan-Downloader.Agent.ATO
    Symantec 10 06.19.2007 Trojan.Adclicker
    TheHacker 6.1.6.134 06.18.2007 Adware/Softomate.ac
    VBA32 3.12.0.2 06.19.2007 AdWare.Win32.Softomate.ac
    VirusBuster 4.3.23:9 06.18.2007 no virus found
    Webwasher-Gateway 6.0.1 06.19.2007 Ad-Spyware.Softomate.AC.6

    Aditional Information
    File size: 14336 bytes
    MD5: 0a40d3c857e1121c1e00075a1ab1ddff
    SHA1: 3a8e6403d8c30ee60eff99e74fbb9858016eae6a
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=EE5A4FF30097F4DB38CD00D1D7350B002DF5315A





    And here's the log of the HijackThis scan...



    Antivirus Version Update Result
    AhnLab-V3 2007.6.16.0 06.19.2007 Win-Trojan/Matcash.14336
    AntiVir 7.4.0.34 06.19.2007 ADSPY/Softomate.AC.6
    Authentium 4.93.8 06.18.2007 no virus found
    Avast 4.7.997.0 06.18.2007 Win32:Adware-gen.
    AVG 7.5.0.467 06.18.2007 Adware Generic.SPN
    BitDefender 7.2 06.19.2007 Trojan.Downloader.Agent.ATO
    CAT-QuickHeal 9.00 06.18.2007 AdWare.Softomate.ac (Not a Virus)
    ClamAV devel-20070416 06.19.2007 no virus found
    DrWeb 4.33 06.19.2007 Trojan.DownLoader.17040
    eSafe 7.0.15.0 06.19.2007 Win32.Adclicker
    eTrust-Vet 30.7.3727 06.19.2007 Win32/Matcash.D
    Ewido 4.0 06.19.2007 Adware.Softomate
    FileAdvisor 1 06.19.2007 no virus found
    Fortinet 2.91.0.0 06.19.2007 Adware/Dloader
    F-Prot 4.3.2.48 06.18.2007 W32/Adware.BAF
    F-Secure 6.70.13030.0 06.19.2007 no virus found
    Ikarus T3.1.1.8 06.19.2007 not-a-virus:AdWare.Win32.Softomate.ac
    Kaspersky 4.0.2.24 06.19.2007 not-a-virus:AdWare.Win32.Softomate.ac
    McAfee 5055 06.18.2007 Generic Downloader.k
    Microsoft 1.2607 06.19.2007 BrowserModifier:Win32/Matcash
    NOD32v2 2338 06.19.2007 no virus found
    Norman 5.80.02 06.18.2007 W32/Softomate.IH
    Panda 9.0.0.4 06.19.2007 Generic Trojan
    Prevx1 V2 06.19.2007 Generic.Malware
    Sophos 4.18.0 06.12.2007 CommAd
    Sunbelt 2.2.907.0 06.16.2007 Trojan-Downloader.Agent.ATO
    Symantec 10 06.19.2007 Trojan.Adclicker
    TheHacker 6.1.6.134 06.18.2007 Adware/Softomate.ac
    VBA32 3.12.0.2 06.19.2007 AdWare.Win32.Softomate.ac
    VirusBuster 4.3.23:9 06.18.2007 no virus found
    Webwasher-Gateway 6.0.1 06.19.2007 Ad-Spyware.Softomate.AC.6

    Aditional Information
    File size: 14336 bytes
    MD5: 0a40d3c857e1121c1e00075a1ab1ddff
    SHA1: 3a8e6403d8c30ee60eff99e74fbb9858016eae6a
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=EE5A4FF30097F4DB38CD00D1D7350B002DF5315A


  • Registered Users, Registered Users 2 Posts: 17,399 ✭✭✭✭r3nu4l


    OP, you have plenty of instances of Softomate products!

    Have a look at this

    I'm just bringing this to your attention, ActorSeeksJob is doing a fine job of running through things for you but this is a problem that he should help you with. The Trojan downloaders will have to be removed asap as these will cause problems for you.

    ActorSeeksJob, how about getting the OP to use Stinger to check for what are currently the most common problems. I found that useful when cleaning up my machine :)


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Delete these folders:

    C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}
    C:\Program Files\GameAbyss Toolbar

    Do you know this program "screensaver1"? Can you tell me more about it please.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.



    Click here to use the F-Secure Online Scanner
    • Then click the Start Scanning button below.
    • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
    • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
    • In case you are having problems with installing the ActiveX/starting the scan, please read here.
    • Click the Full System Scan button.
    • It will start to download scanner components and databases. This can take a while.
    • The main scan will start.
    • Once the scan finished scanning, click the Automatic cleaning (recommended) button
    • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
    • The cleaning can take a while, so please be patient.
    • Then click the Show report button and copy and paste what's present under results in your next reply.



    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    So in your next reply I need to see the following : tell me how the deletions went and answer my question about screensaver1, post the F-Secure Online Scanner report, and the ComboFix report. Then tell me if you had any trouble and how your PC is running.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    r3nu4l thanks for your input, I'm always open to ideas. The infections the OP has left aren't too bad and should be fixed with my last post. Stinger isn't that good to be honest, there are far better tools out there to use, which I've got the user to run. They should clean up the infections he has, and any others, and tell me if there's anything else lurking on his PC.


  • Registered Users, Registered Users 2 Posts: 17,399 ✭✭✭✭r3nu4l


    r3nu4l thanks for your input, I'm always open to ideas. The infections the OP has left aren't too bad and should be fixed with my last post. Stinger isn't that good to be honest, there are far better tools out there to use, which I've got the user to run. They should clean up the infections he has, and any others, and tell me if there's anything else lurking on his PC.
    Don't get me wrong the steps you've taken are fully correct imo but for novice users I always find programs like Stinger are great to run because they get them used to the idea of installing and running programs and Stinger can be useful in removing the most common threats*. Once users become less afraid of installing and running I usually get them to run HJT and go from there. :)





    *Although thanks to all the trojan downloaders on the OP's machine there would be many more of the less common but equally dangerous threats on his machine.


  • Closed Accounts Posts: 36 stevo86


    I tried to delete the 2 folders you instructed me to, but for the first one it would not allow me to delete it; I got a message saying access is denied. I tried to change the properties by de-selecting the read-only option, but that did not work either. For the other folder I could not locate it on my computer; I even tried to do a search for it, but that did not work either.
    The "screensaver1" is simply a screen saver I downloaded from the National Geographic website; I deleted it okay.
    The other programmes you gave also worked okay.



    Here are the F-Secure Online Scanner results...

    Tuesday, June 19, 2007 16:26:04 - 17:50:21

    Computer name: KEVO_AND_STEO
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\
    Result: 10 malware found
    P2P-Worm.Win32.Agent.v (virus)

    * C:\DOCUMENTS AND SETTINGS\KEVIN\LOCAL SETTINGS\TEMP\ZGO.EXE (Renamed & Submitted)

    PurityScan (spyware)

    * System

    Rootkit.Win32.Agent.eq (virus)

    * C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS (Submitted)

    Softomate Toolbar (spyware)

    * System (Disinfected)

    Tracking Cookie (spyware)

    * System (Disinfected)
    * System
    * System
    * System

    WhenU.SaveNow (spyware)

    * System (Disinfected)

    Zango (spyware)

    * System (Disinfected)

    Statistics
    Scanned:

    * Files: 50425
    * System: 4541
    * Not scanned: 4

    Actions:

    * Disinfected: 4
    * Renamed: 1
    * Deleted: 0
    * None: 5
    * Submitted: 2

    Files not scanned:

    * C:\HIBERFIL.SYS
    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{56D055A2-D585-46D3-AA2A-128D74B335A3}.BIN

    Options
    Scanning engines:

    * F-Secure AVP: 7.0.171, 2007-06-19
    * F-Secure Blacklight: 1.0.64
    * F-Secure Draco: 1.0.35, 0260-23-12
    * F-Secure Libra: 2.4.2, 2007-06-19
    * F-Secure Orion: 1.2.37, 2007-06-19
    * F-Secure Pegasus: 1.19.0, 2007-05-15

    Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    * Use Advanced heuristics


    **********************************************************


    Here are the ComboFix results...

    ComboFix 07-06-18.2 - C:\Documents and Settings\Stephen\Desktop\ComboFix.exe
    "Stephen" - 2007-06-19 17:52:52 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{70961~1
    C:\Program Files\Common Files\{70961~1\system.dll
    C:\Program Files\Common Files\{70961~1\Update.exe
    C:\Program Files\Common Files\{70961~2
    C:\Program Files\Common Files\{70961~2\system.dll
    C:\Program Files\Common Files\{70961~2\Update.exe
    C:\Program Files\MyGlobalSearch
    C:\Program Files\MyGlobalSearch\bar\History\search
    C:\Program Files\MyGlobalSearch\bar\Settings\settings.dat
    C:\Program Files\MyGlobalSearch\bar\Settings\settings.dat.bak
    C:\Program Files\MyGlobalSearch\bar\Settings\settings.htm
    C:\Program Files\MyGlobalSearch\bar\Settings\settings.htm.bak
    C:\Temp\tn3
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\unsvchosts.lzma


    ((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


    2007-06-19 17:52 49,152 --a C:\WINDOWS\nircmd.exe
    2007-06-19 12:28 <DIR> d C:\DOCUME~1\Stephen\APPLIC~1\VideoEgg
    2007-06-18 20:03 14,673 --a C:\dnsbak.reg
    2007-06-17 18:02 <DIR> d C:\WINDOWS\pss
    2007-06-16 15:58 <DIR> d C:\DOCUME~1\Stephen\APPLIC~1\PC Suite
    2007-06-14 18:02 <DIR> d C:\WINDOWS\SxsCaPendDel
    2007-06-14 17:46 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nokia
    2007-06-14 17:34 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
    2007-06-14 17:31 <DIR> d C:\Program Files\PC Connectivity Solution
    2007-06-14 17:31 <DIR> d C:\Program Files\Common Files\PCSuite
    2007-06-14 17:31 <DIR> d C:\Program Files\Common Files\Nokia
    2007-06-14 17:30 <DIR> d C:\Program Files\Nokia
    2007-06-14 17:28 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
    2007-06-14 16:55 <DIR> d C:\DOCUME~1\Kevin\APPLIC~1\Nokia Multimedia Player
    2007-06-14 16:54 <DIR> d C:\DOCUME~1\Kevin\Phone Browser
    2007-06-14 16:54 <DIR> d C:\DOCUME~1\Kevin\APPLIC~1\DataLayer
    2007-06-14 16:47 <DIR> d C:\DOCUME~1\Kevin\APPLIC~1\Nokia
    2007-06-14 16:44 <DIR> d C:\DOCUME~1\Kevin\APPLIC~1\PC Suite
    2007-06-14 16:42 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
    2007-06-10 21:38 <DIR> d C:\Program Files\SpaceMonger
    2007-06-04 20:53 3,840 --a C:\WINDOWS\system32\drivers\BANTExt.sys
    2007-06-04 20:53 <DIR> d C:\Program Files\Belarc
    2007-06-04 20:51 <DIR> d C:\Program Files\CDBurnerXP Pro 3
    2007-06-04 20:46 <DIR> d C:\DOCUME~1\Stephen\APPLIC~1\foobar2000
    2007-06-04 20:45 <DIR> d C:\Program Files\foobar2000
    2007-06-04 20:38 <DIR> d C:\Program Files\EphPod
    2007-05-23 15:34 <DIR> d C:\Program Files\Sony
    2007-05-23 15:33 <DIR> d C:\Program Files\Sony Setup


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-19 10:59:43 d-----w C:\Program Files\NoAdware
    2007-06-17 17:40:33 d-----w C:\Program Files\M-M JC Paper 1
    2007-06-15 17:45:28 6,060 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-15 17:45:22 104 --sh--r C:\WINDOWS\system32\8EFB72C1C6.sys
    2007-06-15 16:49:47 d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-14 16:32:37 d-----w C:\Program Files\DIFX
    2007-05-26 20:48:05 d-----w C:\Program Files\Google
    2007-05-06 20:14:57 d-----w C:\Program Files\Common Files\Sonic Shared
    2007-05-06 20:14:46 d-----w C:\Program Files\Roxio
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-03-20 10:37:46 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-07 00:02]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 04:12]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 C:\WINDOWS\system32\bthprops.cpl]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 16:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="C:\WINDOWS\kdx\KHost.exe" [2006-08-07 15:39]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPVideo9]
    C:\Program Files\pspvideo9\pspVideo9.exe -t

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AVGEMS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ

    *Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER

    Contents of the 'Scheduled Tasks' folder
    2007-03-07 19:46:18 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-19 17:54:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00000001-0000-1000-8000-0002ee000002}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


    Completion time: 2007-06-19 17:55:35
    C:\ComboFix-quarantined-files.txt ... 2007-06-19 17:55

    --- E O F ---
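    The "Reg Loading Points" section of the ComboFix log above is the part a helper reads through by eye: the Run keys, Browser Helper Objects and msconfig startupreg entries that decide what starts with Windows. As an added example (not code from this thread or from ComboFix), here is a small Python triage script that parses that section and lists the entries whose image path lies outside the usual install directories, so that a defender reviewing such a log knows where to look first. The sample text is a trimmed copy of the log lines posted above; the trusted-prefix list is an assumption of this example. A flagged entry only means "review this one first", not that it is malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the "Reg Loading Points" section of the
# ComboFix log posted above (keys and entry lines exactly as they appear there).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2006-08-07 15:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"""

# Directories from which autostart images are normally expected. This list is an
# assumption of the example; extend it per machine (vendor tools, portable apps).
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\system32\\",
)

# A Windows path ending in a loadable image. Non-greedy, so the first image on
# the line wins and a trailing " [timestamp]" is not swallowed into the path.
IMAGE_RE = re.compile(
    r'[A-Za-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|cpl|sys|ocx|scr)\b', re.IGNORECASE
)


@dataclass(frozen=True)
class AutostartEntry:
    key: str              # registry key the entry was found under
    raw: str              # the entry line as ComboFix printed it
    image: Optional[str]  # image path extracted from the line, or None


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Walk the section: a [key] line opens a key, the lines after it are its entries."""
    entries: List[AutostartEntry] = []
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue  # text before the first key is not an entry
        m = IMAGE_RE.search(line)
        entries.append(AutostartEntry(key, line, m.group(0) if m else None))
    return entries


def review_candidates(entries: List[AutostartEntry],
                      trusted_prefixes=TRUSTED_PREFIXES) -> List[AutostartEntry]:
    """Entries whose image lives outside the trusted directories: review these first."""
    flagged = []
    for e in entries:
        if e.image is None:
            continue  # e.g. "AVGEMS"=2 (0x2): a service start value, no image to judge
        if not e.image.lower().startswith(trusted_prefixes):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for e in found:
        print(f"{e.key}\n    {e.image or '(no image path)'}")
    print("\nReview first:")
    for e in review_candidates(found):
        print(f"    {e.image}  <- {e.raw}")
```

    On the sample this flags only the HKCU Run entry whose image sits directly under C:\WINDOWS rather than in system32 or Program Files. The heuristic is deliberately simple; in practice you would pair it with a hash lookup of each flagged image and a check of the file's signature before deciding anything.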


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    We're nearly done; we have removed a few nasty things. You can keep screensaver1 if you want; the name looked like it could be malware.

    Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

    This time it will work, so please delete these folders:

    C:\Program Files\Common Files\{70961D1E-09DF-1033-0815-050416200161}
    C:\Program Files\NoAdware

    Go to this site:
    http://www.virustotal.com/en/indexx.html
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    C:\WINDOWS\system32\8EFB72C1C6.sys

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    Finally, do this please:

    • Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web CureIt.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


    So in your next reply tell me how all that went, and post the results from that file I asked you to scan, and the Dr. Web CureIt report.


  • Closed Accounts Posts: 36 stevo86


    All went okay; I went into safe mode and the files deleted okay.

    Here are the results from the first scan of the file...

    Complete scanning result of "8EFB72C1C6.sys", received in VirusTotal at 06.19.2007, 21:03:05 (CET).

    Antivirus Version Update Result
    AhnLab-V3 2007.6.16.0 06.19.2007 no virus found
    AntiVir 7.4.0.34 06.19.2007 no virus found
    Authentium 4.93.8 06.18.2007 no virus found
    Avast 4.7.997.0 06.19.2007 no virus found
    AVG 7.5.0.467 06.19.2007 no virus found
    BitDefender 7.2 06.19.2007 no virus found
    CAT-QuickHeal 9.00 06.19.2007 no virus found
    ClamAV devel-20070416 06.19.2007 no virus found
    DrWeb 4.33 06.19.2007 no virus found
    eSafe 7.0.15.0 06.19.2007 no virus found
    eTrust-Vet 30.7.3727 06.19.2007 no virus found
    Ewido 4.0 06.19.2007 no virus found
    FileAdvisor 1 06.19.2007 no virus found
    Fortinet 2.91.0.0 06.19.2007 no virus found
    F-Prot 4.3.2.48 06.18.2007 no virus found
    F-Secure 6.70.13030.0 06.19.2007 no virus found
    Ikarus T3.1.1.8 06.19.2007 no virus found
    Kaspersky 4.0.2.24 06.19.2007 no virus found
    McAfee 5056 06.19.2007 no virus found
    Microsoft 1.2607 06.19.2007 no virus found
    NOD32v2 2338 06.19.2007 no virus found
    Norman 5.80.02 06.19.2007 no virus found
    Panda 9.0.0.4 06.19.2007 no virus found
    Prevx1 V2 06.19.2007 no virus found
    Sophos 4.18.0 06.12.2007 no virus found
    Sunbelt 2.2.907.0 06.16.2007 no virus found
    Symantec 10 06.19.2007 no virus found
    TheHacker 6.1.6.134 06.18.2007 no virus found



    And the Dr. Web CureIt report...

    VVSNInst.exe;C:\Documents and Settings\Kevin\Local Settings\Temp;Adware.SaveNow;;
    ZGO.0XE;C:\Documents and Settings\Kevin\Local Settings\Temp;Win32.HLLW.Generic.198;Deleted.;
    Process.exe;C:\Documents and Settings\Stephen\Desktop\Fix it!!!!!\SDFix\apps;Tool.Prockill;;
    GTDownDE_87.ocx;C:\i386;Adware.Gdown;;
    npclntax.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Zango;;
    system.dll.vir;C:\QooBox\Quarantine\C\Program Files\Common Files\{70961~1;Trojan.DownLoader.19109;Deleted.;
    Update.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files\{70961~1;Trojan.DownLoader.17040;Deleted.;
    system.dll.vir;C:\QooBox\Quarantine\C\Program Files\Common Files\{70961~2;Trojan.DownLoader.19109;Deleted.;
    Update.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files\{70961~2;Trojan.DownLoader.17040;Deleted.;
    core.sys.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.239;Deleted.;
    system.dll;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.19109;Deleted.;
    Update.exe;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17040;Deleted.;
    system.dll;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.19109;Deleted.;
    Update.exe;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.17040;Deleted.;
    system.dll;C:\RECYCLER\S-1-5-18\Dc3;Trojan.DownLoader.19109;Deleted.;
    Update.exe;C:\RECYCLER\S-1-5-18\Dc3;Trojan.DownLoader.17040;Deleted.;
    ipwins.dll;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1008\Dc9;Trojan.Rond;Deleted.;
    ipwins.exe;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1008\Dc9;Trojan.Rond;Deleted.;
    UnInstall.exe;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1008\Dc9;Trojan.Rond;Deleted.;
    ipwins.dll;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1009\Dc4;Trojan.Rond;Deleted.;
    ipwins.exe;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1009\Dc4;Trojan.Rond;Deleted.;
    ipwins.dll;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1009\Dc6;Trojan.Rond;Deleted.;
    ipwins.exe;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1009\Dc6;Trojan.Rond;Deleted.;
    UnInstall.exe;C:\RECYCLER\S-1-5-21-1473694918-1568910705-1382658553-1009\Dc6;Trojan.Rond;Deleted.;
    Process.exe;C:\SDFix\apps;Tool.Prockill;;
    A0036785.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175;Adware.Maxifiles;;
    A0036786.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175;Adware.Maxifiles;;
    A0036960.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.Rond;Deleted.;
    A0036961.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.Rond;Deleted.;
    A0036962.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177;Trojan.Rond;Deleted.;
    A0037081.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178;Trojan.Rond;Deleted.;
    A0037082.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178;Trojan.Rond;Deleted.;
    A0037083.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178;Trojan.Rond;Deleted.;
    A0037360.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP179;Trojan.Rond;Deleted.;
    A0037361.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP179;Trojan.Rond;Deleted.;
    A0037362.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP179;Trojan.Rond;Deleted.;
    A0039743.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP182;Trojan.Rond;Deleted.;
    A0039744.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP182;Trojan.Rond;Deleted.;
    A0039745.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP182;Trojan.Rond;Deleted.;
    A0041372.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP187;Trojan.Rond;Deleted.;
    A0041373.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP187;Trojan.Rond;Deleted.;
    A0041374.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP187;Trojan.Rond;Deleted.;
    A0041854.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194;Trojan.Rond;Deleted.;
    A0041855.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194;Trojan.Rond;Deleted.;
    A0041856.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194;Trojan.Rond;Deleted.;
    A0041857.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194;Trojan.Rond;Deleted.;
    A0041858.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194;Trojan.Rond;Deleted.;
    A0041859.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194;Trojan.Rond;Deleted.;
    A0042993.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP195;Trojan.Rond;Deleted.;
    A0042994.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP195;Trojan.Rond;Deleted.;
    A0042995.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP195;Trojan.Rond;Deleted.;
    A0044151.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP200;Trojan.Rond;Deleted.;
    A0044152.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP200;Trojan.Rond;Deleted.;
    A0044153.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP200;Trojan.Rond;Deleted.;
    A0044401.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202;Trojan.Rond;Deleted.;
    A0044402.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202;Trojan.Rond;Deleted.;
    A0044403.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202;Trojan.Rond;Deleted.;
    A0044755.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205;Trojan.Rond;Deleted.;
    A0044765.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205;Trojan.Rond;Deleted.;
    A0044766.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205;Trojan.Rond;Deleted.;
    A0044767.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205;Trojan.Rond;Deleted.;
    A0047658.DLL;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP217;Adware.Msearch;;
    A0047660.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP217;Adware.Msearch;;
    A0048673.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Adware.IWantSearch;;
    A0048674.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Adware.IWantSearch;;
    A0048688.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048689.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048690.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.19109;Deleted.;
    A0048691.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.17040;Deleted.;
    A0048692.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.19109;Deleted.;
    A0048693.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.17040;Deleted.;
    A0048695.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.NtRootKit.239;Deleted.;
    A0048728.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.19109;Deleted.;
    A0048729.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.17040;Deleted.;
    A0048730.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.19109;Deleted.;
    A0048731.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.17040;Deleted.;
    A0048732.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.19109;Deleted.;
    A0048733.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.DownLoader.17040;Deleted.;
    A0048734.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048735.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048736.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048737.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048738.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048739.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048740.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    A0048741.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.Rond;Deleted.;
    actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;

    VBA32 3.12.0.2 06.19.2007 no virus found
    VirusBuster 4.3.23:9 06.19.2007 no virus found
    Webwasher-Gateway 6.0.1 06.19.2007 no viru
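    The Dr.Web CureIt report above is a semicolon-separated list of file;directory;threat;action rows, and most of its rows are copies in System Restore points, in ComboFix's QooBox quarantine or in the Recycle Bin, which is why the next step in the thread is to purge old restore points rather than chase each row. As an added example (not code from this thread or from Dr.Web), here is a Python parser that reads such a report and sorts detections by where the file sat, so the rows that still need a human look (live files the scanner reported but took no action on) stand out. The sample rows are copied from the report above, with the two stray VirusTotal lines the post mixed in at the end; the location classes are an assumption of this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of rows copied from the Dr.Web CureIt report
# posted above, plus the two stray VirusTotal rows that post mixed in at the end.
SAMPLE_REPORT = r"""VVSNInst.exe;C:\Documents and Settings\Kevin\Local Settings\Temp;Adware.SaveNow;;
ZGO.0XE;C:\Documents and Settings\Kevin\Local Settings\Temp;Win32.HLLW.Generic.198;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
npclntax.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Zango;;
core.sys.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.239;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17040;Deleted.;
A0036785.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175;Adware.Maxifiles;;
A0048695.sys;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223;Trojan.NtRootKit.239;Deleted.;
actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;
VBA32 3.12.0.2 06.19.2007 no virus found
Webwasher-Gateway 6.0.1 06.19.2007 no viru
"""


@dataclass(frozen=True)
class Detection:
    file: str
    directory: str
    threat: str
    action: str  # "Deleted", "Moved", ... or "" when CureIt took no action


def parse_cureit_report(text: str) -> List[Detection]:
    """Rows are file;directory;threat;action; and anything else is skipped."""
    rows: List[Detection] = []
    for line in text.splitlines():
        parts = line.rstrip("\r").split(";")
        if len(parts) < 4:
            continue  # blank line or the stray VirusTotal text, not a report row
        rows.append(Detection(parts[0], parts[1], parts[2], parts[3].rstrip(".")))
    return rows


def location_class(d: Detection) -> str:
    """Where the file sat decides how urgent it is (classes are an assumption of this example)."""
    p = d.directory.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # inert copies; gone once old restore points are purged
    if "\\qoobox\\quarantine" in p or "\\recycler\\" in p:
        return "quarantined"    # already isolated by ComboFix or sitting in the Recycle Bin
    if "\\local settings\\temp" in p:
        return "temp"           # dropped files; harmless unless something re-launches them
    return "live"               # a normal path: this is where active components would be


def summarize(rows: List[Detection]) -> Dict[str, object]:
    return {
        "by_threat": Counter(d.threat for d in rows),
        "by_location": Counter(location_class(d) for d in rows),
        # Live files the scanner reported but did not act on: the ones to look at by hand.
        "live_not_actioned": [
            d for d in rows if d.action == "" and location_class(d) == "live"
        ],
    }


if __name__ == "__main__":
    report = summarize(parse_cureit_report(SAMPLE_REPORT))
    print("by location:", dict(report["by_location"]))
    print("by threat:  ", dict(report["by_threat"]))
    print("live, not actioned:")
    for d in report["live_not_actioned"]:
        print(f"    {d.directory}\\{d.file}  ({d.threat})")
```

    On the sample the "live, not actioned" list holds the Firefox plugin and SDFix's Process.exe; the latter is a legitimate tool that scanners label as a process killer, which is a reminder that this list is a reading order for a reviewer, not a deletion list.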


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Ok your PC is looking great! Just a few small maintenance things then we can send you on your way.

    We need to make a new clean System Restore Point :

    Click Start Menu > Run > type (or copy and paste)

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

    Next goto Start Menu > Run > type

    cleanmgr

    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

    To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.


    You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
    http://www.adobe.com/products/acrobat/readstep2.html


    Your PC was pretty badly infected when you first posted. I recommend getting rid of McAfee from your PC as it is a really bad protection program, and it isn't free. So please go here and download and run the Uninstallation Tool (McAfee is so bad that it doesn't even uninstall off your PC properly). I will recommend far better security programs that you should use.


    Below I have included a number of recommendations for how to protect your computer against malware infections.

    * Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

    * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
    SpywareBlaster protects against bad ActiveX
    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

    * SpywareGuard offers realtime protection from spyware installation attempts.

    * I recommend the following anti-spyware programs to protect yourself against spyware, make sure you only use one real-time anti-spyware protection program though :
    AVG anti-spyware
    Spybot - Search and Destroy
    Ad-Aware SE Personal

    * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
    Here

    * Some good free firewalls are ZoneAlarm, Comodo, or
    Outpost
    Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

    * You should also consider changing your anti-virus protection considering how badly infected your pc was. Here are some good programs, make sure you only use one though :
    AVG makes an excellent free antivirus client, as do AntiVir or avast!.

    * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
    Here

    Thank you for your patience, and performing all of the procedures requested.


  • Closed Accounts Posts: 36 stevo86


    I installed some of the programmes you recommended, thanks again for all your help!


  • Registered Users, Registered Users 2 Posts: 4,274 ✭✭✭_feedback_


    Hi ActorSeeksJob...

    I am having similar problems and would really appreciate your help! I have done the Hijackthis scan and this is what it gave me :

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:35:40, on 09/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\Fast.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Apps\Powercinema\PCMService.exe
    C:\apps\ABoard\ABoard.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\fast.exe
    C:\apps\ABoard\AOSD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\{D8896466-0710-2057-0624-05110304002c}\Update.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WinPop\winpop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38896~1\Bar888.dll
    O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - (no file)
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38896~1\Bar888.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
    O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
    O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Policies\Explorer\Run: [{D8896466-0710-2057-0624-05110304002c}] "C:\Program Files\Common Files\{D8896466-0710-2057-0624-05110304002c}\Update.exe" mc-110-12-0000140
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{D8896466-0710-2057-0624-05110304002c}] "C:\Program Files\Common Files\{D8896466-0710-2057-0624-05110304002c}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{D8896466-0710-2057-0624-05110304002c}] "C:\Program Files\Common Files\{D8896466-0710-2057-0624-05110304002c}\Update.exe" mc-110-12-0000140 (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
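    A small triage helper for logs in this format, added here as an example (it is not a tool from this thread or part of HijackThis): it parses the section prefix of each line and flags the entry types a helper on a thread like this looks at first. The sample lines are constructed from the shape seen above, and the flagging rules are constructed heuristics for a first pass, not a verdict on any entry.

```python
import re

# Constructed sample in HijackThis log format (a few lines in the shape seen
# in the post above; not the full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{D8896466-0710-2057-0624-05110304002c}] "C:\Program Files\Common Files\{D8896466-0710-2057-0624-05110304002c}\Update.exe" mc-110-12-0000140
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Windows binaries whose names are commonly imitated (constructed list).
WELL_KNOWN = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def parse_line(line):
    """Split 'O4 - rest' into (section, rest); None for lines that are not entries."""
    m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def lookalike(path):
    """True when the file name resembles, but is not, a well-known system binary."""
    name = path.rstrip('"').split("\\")[-1].lower()
    return name not in WELL_KNOWN and any(name.startswith(k[:-4]) for k in WELL_KNOWN)


def triage(log_text):
    """Return (section, reason) for the entries a reviewer should look at first."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, rest = parsed
        if section == "O2" and rest.endswith("(no file)"):
            hits.append((section, "BHO registered but its DLL is missing"))
        elif section == "O4" and r"\Policies\Explorer\Run" in rest:
            hits.append((section, "autostart via Policies\\Explorer\\Run (unusual for normal software)"))
        elif section == "O18" and rest.startswith("Filter hijack"):
            mime = rest.split(":")[1].split(" - ")[0].strip()
            hits.append((section, "MIME filter installed for " + mime))
        elif section == "O23" and "Unknown owner" in rest and lookalike(rest.rsplit(" - ", 1)[-1]):
            hits.append((section, "unknown-owner service with a system-binary lookalike name"))
    return hits
```

Each hit is a prompt to check the file on disk and its publisher, not a removal instruction.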

