
Infostealer.gampass virus...can't get rid of it

Discussion in 'Malware and Virus Removal Archive' started by bobkosu2121, 2007/04/29.

  1. 2007/04/29
    bobkosu2121 (Thread Starter)
    Joined: 2007/04/29, Messages: 15, Likes Received: 0
    My computer recently got infected by an Infostealer.Gampass virus. I consider myself a beginner when it comes to computers. I have run many anti-virus programs and adware programs, but nothing seems to work. Here is my HijackThis log. Could someone please help me out? Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:15:09 PM, on 4/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Documents and Settings\Bobby\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://dhcp.indiana.edu/cgi-bin/getconnected?a=+))-&)1&+-x*/3.)3,,Su?Zeex+))-x@^mx<hgg^\m^]x<=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146342036\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124162596781
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
     
  2. 2007/04/30
    Blender
    Joined: 2007/01/24, Messages: 355, Likes Received: 0
    Hi and welcome,

    Do you know where you got this infection?
    If you know the site you hit, can you PM it to me please? Don't post it here.
    This log looks OK, so I'll need another log or two to have a better look at your system.

    Systemscan:

    Download systemscan from here:

    http://www.suspectfile.com/systemscan

    You will need to bypass your popup blocker by holding the Ctrl key down when clicking the link.
    The file name will be semi-random, like sys12256.exe.
    Save the file to the desktop.
    The link will redirect you to a "guide" page. This will show you what kind of warnings you may get from your firewall or AV.
    It will also brief you on what these warnings are about and what to expect.

    Once you have the file, double-click it to run the scan.
    Leave the settings as they are and click "Scan now".
    It will take a while, so please be patient.
    Once done it will show a log. You can close this log.
    The log is located here:
    C:\suspectfile\report.txt
    Please upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Include a link to this thread so I know whose log it is.

    next:

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    *Note2
    If you have Internet Explorer 7 installed:
    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
    Page will reload and you should be able to carry on scan.

    If log is too big to post here you can upload it to the above link where you uploaded report.txt.

    Thanks :)

    --------------------------

    I notice you also have 2 antivirus programs installed:
    Avast and Norton.
    It's not recommended to run 2 AV programs because of conflicts.
    I recommend you uninstall one of them.
     


  4. 2007/04/30
    bobkosu2121 (Thread Starter)
    I uploaded both of the reports to the Bleeping Computer website. Also, I am unable to uninstall or run Symantec AntiVirus. Is this a problem? I am currently using AVG instead. Thanks.
     
  5. 2007/04/30
    Blender
    Hi,

    It will take me a bit to read the logs you uploaded for me.
    What errors do you get when you try to uninstall Norton?
    What version is your Norton, please?

    The problems I see with both installed are instability and conflicts. It might uninstall better once we remove your malware.
    Once I know the version I can link you to their uninstall tool.

    See you in a bit. :)
     
  6. 2007/04/30
    bobkosu2121 (Thread Starter)
    I believe that I have AntiVirus CE 10.1.5.5000 for 32-bit Windows XP as my antivirus version. It won't let me open it up when I double-click it; an hourglass shows up and then nothing ever happens. But sometimes it does show up, just way later. When I try to uninstall it from the Add/Remove Programs menu, it says "gathering information" and then shows how much longer is left. Then for some reason it messes up and a box says "fatal error during installation".
     
  7. 2007/05/01
    Blender
    Hi,

    Trojan Agent.AWF is what I see going on here.
    Many of your startup programs have been replaced with trojaned versions.
    These will all have to be replaced, along with fixing other damage that has been done.
    I believe your AVG got most of it. It's more a matter of getting the backups put back where they belong.
    I imagine several other apps don't work either ATM.

    Download http://noahdfear.geekstogo.com/FindAWF.exe and save it to the desktop.
    Double click it to run.
    Post the log it creates please.

    While waiting for me to get back to see the other log please download the following programs to desktop but don't do anything with them yet:

    http://www.mvps.org/winhelp2002/DelDomains.inf

    http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

    If your ATF-Cleaner is recent (within the last month or so) you can keep that as is; otherwise grab the new one please:

    http://www.atribune.org/ccount/click.php?id=1

    Thanks :)

    *reminder for me: "Java "
     
  8. 2007/05/01
    bobkosu2121 (Thread Starter)
    Here is the awf report.



    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\DELL\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\BAK

    05/11/2000 01:00 AM 90,112 UpdReg.EXE
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    10/18/2005 11:58 AM 278,528 iTunesHelper.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    11/01/2005 08:36 PM 155,648 qttask.exe
    1 File(s) 155,648 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/14/2002 06:22 PM 28,672 DSentry.exe
    1 File(s) 28,672 bytes

    Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

    05/07/2004 04:54 PM 99,480 PortAOL.exe
    1 File(s) 99,480 bytes

    Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

    04/04/2005 10:25 PM 26,112 RealPlay.exe
    1 File(s) 26,112 bytes

    Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

    03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
    1 File(s) 313,472 bytes

    Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

    04/03/2002 01:01 AM 135,264 diagent.exe
    1 File(s) 135,264 bytes

    Directory of C:\PROGRA~1\JAVA\J2RE14~3.2_0\BIN\BAK

    09/28/2004 08:26 PM 32,881 jusched.exe
    1 File(s) 32,881 bytes


    12/17/2002 12:28 PM 684,032 DirectCD.exe
    1 File(s) 684,032 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE "
    278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    155648 Nov 1 2005 "C:\Program Files\QuickTime\bak\qttask.exe "
    28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    99480 May 7 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe "
    26112 Apr 4 2005 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe "
    313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe "
    135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe "
    32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe "
    32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe "
    36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe "
    32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe "
    684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "


    end of report
     
  9. 2007/05/01
    Blender
    Hi,

    Please print out or save these instructions to Notepad. Much of the fix needs to have IE closed.

    Click Start > Run, type notepad.exe and hit Enter.
    Notepad opens...
    Click the "Format" menu and make sure "Word Wrap" is OFF (unchecked).
    Copy the following text inside the code box and paste it into the open Notepad window.

    Code:
    @echo off
    rem Every path below contains spaces, so each one is quoted; unquoted, "if exist" and "copy" would stop at "C:\Program" and the restore would silently do nothing.
    if exist "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" del /q "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
    copy /y "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe" "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
    if exist "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" del /q "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
    copy /y "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe" "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
    if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
    copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\iTunesHelper.exe"
    if exist "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" del /q "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
    copy /y "C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe" "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
    if exist "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe" del /q "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe"
    copy /y "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe" "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe"
    if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
    copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
    if exist "C:\Program Files\Real\RealPlayer\RealPlay.exe" del /q "C:\Program Files\Real\RealPlayer\RealPlay.exe"
    copy /y "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe" "C:\Program Files\Real\RealPlayer\RealPlay.exe"
    if exist "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" del /q "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    copy /y "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe" "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    if exist "C:\WINDOWS\UpdReg.EXE" del /q "C:\WINDOWS\UpdReg.EXE"
    copy /y "C:\WINDOWS\bak\UpdReg.EXE" "C:\WINDOWS\UpdReg.EXE"
    if exist "C:\WINDOWS\SYSTEM32\DSentry.exe" del /q "C:\WINDOWS\SYSTEM32\DSentry.exe"
    copy /y "C:\WINDOWS\SYSTEM32\bak\DSentry.exe" "C:\WINDOWS\SYSTEM32\DSentry.exe"
    
    
    Click "File"
    Click "Save as..."
    In the file name section type: fixawf.bat
    Use the pulldown arrow beside "file types" to change the file type to All Files (*)
    Save it to the desktop.

    -------------

    1.) Close all open browser windows.

    2.) Open ATF-Cleaner
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All ".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

    3.) Right-click deldomains.inf and choose Install.
    You won't see much happening except the cursor will flicker for a second.
    This deletes domains from the Trusted Zone in IE.

    4.) Right-click ResetProtocolDefaults.reg and choose Merge.
    Answer Yes when asked if you want to add it to the registry.
    You should get a success message.
    This resets the proper IE security settings.

    5.) Locate the fixawf.bat you just saved, and double-click it.
    A "DOS" box will flash up briefly then disappear. Normal.
    This replaces the missing files your AV deleted as a result of the AWF trojan.

    6.) Reboot computer.

    If you had IE-SpyAd or SpywareBlaster installed you will need to re-install IE-SpyAd and redo SpywareBlaster's protection, because the above fix removed those protections along with the bad domains that may have been present.
    If these apps are not installed, no worries.

    7.) Open Hijackthis
    Click "Open Misc Tools menu"
    Click "Open Uninstall Manager"
    Click "Save list..."
    Save the list and post the results here.

    -------------------

    Question..

    Did you set a policy on your computer to make it not save Passwords to .NET accounts? (such as MSN)

    Thanks :)
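    The bak-folder pattern behind the FindAWF report in the post above and the fixawf.bat fix in this post can be checked and repaired without hand-writing one del/copy pair per file. The following Python script is an added example; it is not part of this thread, of FindAWF, or of the batch file. It walks a tree for folders named bak, compares each parked file with its namesake one level up (missing, differs, identical) and restores the parked original, setting any differing live file aside as <name>.quarantine instead of deleting it. The directory layout and file contents are a constructed fixture built in a temp directory from three entries in the posted report; they are placeholders, not real executables, and no drive letters or real system paths are touched.

```python
"""Added example: audit and restore AWF-style 'bak' swaps (constructed fixture, not a real system)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    live: Path      # path the Run key / startup entry points at
    backup: Path    # clean original parked in the sibling bak\ folder
    status: str     # "missing", "differs" or "identical"


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_dirs(root: Path) -> List[Path]:
    """Directories literally named 'bak' (case-insensitive), as FindAWF lists them."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")


def audit(root: Path) -> List[Finding]:
    """Compare every file in a bak\\ folder with its namesake one level up.

    missing   -> the trojaned copy is gone (typically deleted by the AV); the startup entry dangles
    differs   -> a file still sits at the live path but is not the parked original
    identical -> already restored, nothing to do
    """
    findings = []
    for bak in find_bak_dirs(root):
        for backup in sorted(bak.iterdir()):
            if not backup.is_file():
                continue
            live = bak.parent / backup.name
            if not live.exists():
                status = "missing"
            elif sha256(live) == sha256(backup):
                status = "identical"
            else:
                status = "differs"
            findings.append(Finding(live, backup, status))
    return findings


def restore(findings: List[Finding], dry_run: bool = True) -> List[Path]:
    """Copy each parked original back over its live path (what fixawf.bat does), but keep a
    differing live file as <name>.quarantine so it can still be examined. Returns the live
    paths that were (or, in dry_run mode, would be) restored."""
    restored = []
    for f in findings:
        if f.status == "identical":
            continue
        if not dry_run:
            if f.status == "differs":
                shutil.move(str(f.live), str(f.live.with_name(f.live.name + ".quarantine")))
            shutil.copy2(str(f.backup), str(f.live))
        restored.append(f.live)
    return restored


def build_sample_tree() -> Path:
    """Constructed fixture mirroring three cases from the posted FindAWF report.
    File contents are placeholder bytes, not real executables."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    cases = {
        # live copy gone: the AV removed the trojaned iTunesHelper.exe
        "Program Files/iTunes": ("iTunesHelper.exe", b"ORIGINAL iTunesHelper", None),
        # trojaned copy still live next to the parked original
        "WINDOWS/SYSTEM32": ("DSentry.exe", b"ORIGINAL DSentry", b"TROJANED DSentry"),
        # already restored: live == bak
        "Program Files/QuickTime": ("qttask.exe", b"ORIGINAL qttask", b"ORIGINAL qttask"),
    }
    for rel, (name, original, live) in cases.items():
        d = root / rel
        (d / "bak").mkdir(parents=True)
        (d / "bak" / name).write_bytes(original)
        if live is not None:
            (d / name).write_bytes(live)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit(root):
        print(f"{f.status:9} {f.live.relative_to(root)}")
    print("restored:", [p.name for p in restore(audit(root), dry_run=False)])
    print("after:", {f.live.name: f.status for f in audit(root)})
```

    Run it as-is to see the three states and the restore on the fixture. Pointing audit() at a real drive root needs the same precautions as the batch file (IE closed, AV scan done first), and a copy found in bak\ should be treated as trustworthy only when its publisher signature or a known-good hash checks out, because, like fixawf.bat, the script restores whatever it finds there.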
     
  10. 2007/05/01
    bobkosu2121 (Thread Starter)
    I don't know if I have IE-SpyAd or SpywareBlaster installed, and here is the uninstall list.

    Ad-Aware SE Plus
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Reader 7.0.8
    AIM 6.0
    AOL Uninstaller (Choose which Products to Remove)
    AVG Anti-Spyware 7.5
    CambridgeSoft ChemOffice Ultra 2006
    CambridgeSoft Inventory 10.0
    Compact Wireless-G USB Adapter
    Conexant SmartHSFi V92 56K DF PCI Modem
    Dell Solution Center
    Digital Line Detect
    DivX
    DivX Converter
    DivX Player
    DivX Web Player
    DVDSentry
    Easy CD Creator 5 Basic
    Get Connected CD
    HijackThis 1.99.1
    HP Deskjet 3740
    HP Software Update
    Intel (R) Pro Alerting Agent
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    iPod for Windows 2005-03-23
    iPod for Windows 2006-03-23
    iTunes
    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06
    Kaspersky Online Scanner
    LimeWire 4.9.37
    LiveUpdate 3.1 (Symantec Corporation)
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    Microsoft .NET Framework 1.1
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server Desktop Engine (CAMBRIDGESOFT)
    Modem Helper
    MSN Music Assistant
    NetWaiting
    NVIDIA Windows 2000/XP Display Drivers
    PowerDVD
    Pure Networks Port Magic
    QuickTime
    RealPlayer Basic
    Samsung YP-N30
    Sound Blaster Live!
    Spybot - Search & Destroy 1.4
    Starcraft
    Symantec AntiVirus
    Weather Services
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 2
    WinRAR archiver
    WinZip
     
  11. 2007/05/01
    bobkosu2121 (Thread Starter)
    So did that get rid of the virus or do I still have to do more steps?
     
  12. 2007/05/03
    Blender
    Hi,

    Sorry for delay.
    Can you do anything with Symantec? Will it run?

    Can I see a fresh HijackThis log, please?

    Thanks :)
     
  13. 2007/05/03
    bobkosu2121 (Thread Starter)
    Symantec will work, but very slowly. Sometimes it will say it is not responding and I have to click End Now. Here is the HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:53:07 PM, on 5/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Bobby\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://dhcp.indiana.edu/cgi-bin/getconnected?a=+))-&)1&+-x*/3.)3,,Su?Zeex+))-x@^mx<hgg^\m^]x<=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146342036\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124162596781
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
     
  14. 2007/05/03
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Check to see if Symantec will work better with AVG antispyware turned off please.

    Open AVG
    In the main window under "your security" click "change start" for both the automatic updates and Resident Shield.
    They both should turn red.
    Close AVG.
    Right-click AVG by the clock and uncheck "start with Windows".

    After reboot it shouldn't start.
    You can still run it manually to check for updates and scan/clean.

    Are your other apps working ok?

    Quicktime, iTunes, real player, webshots, AIM, etc?

    Start Hijackthis
    Run system scan and check:

    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab


    Close all open windows and click "fix checked".

    Exit Hijackthis.

    You have several versions of old Java that are open to exploit.
    I recommend uninstalling them and installing the new version.

    New version can be downloaded here:

    http://java.sun.com/javase/downloads/index.jsp

    Java Runtime Environment (JRE) 6u1

    Unless you need to develop Java programs the above one should be fine.

    You will need to accept agreement after clicking download button to get the download.

    Once saved....

    Uninstall these Java versions from Add/Remove Programs:

    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06

    Reboot when done.

    Install the new Java you just downloaded.

    Post a fresh hijackthis log please.

    ------------------

    Do you still have the Symantec CD or the Install file?
    I'd like to try doing a repair install on it.

    If you run the installer either the one you downloaded or off the CD you should get option to Install, Repair or Uninstall.

    If you want to keep Symantec then choose Repair.
    If repair goes well then after reboot you will need to re-do your updates again.

    Let me know if this goes OK.

    Thanks :)
     
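    The post above asks for three kinds of HijackThis entries to be dealt with: orphaned entries whose target file is gone ("(no file)", "(file missing)"), ActiveX downloads (O16 DPF) from sites that are not needed, and old Java runtimes that are open to exploit. The script below is an added example, not code from the thread or from HijackThis, that applies those same checks to a log automatically. It parses the HijackThis 1.99.1 line format into (section, body), then flags each entry for review. The sample log is constructed from lines quoted in this thread; the list of hosts treated as trusted for DPF entries and the baseline Java version (JRE 6u1, the version recommended above) are assumptions you would adjust for your own environment.

```python
"""Triage a HijackThis (v1.99.1) log: parse each entry into (section, body)
and flag the entry types a malware-removal helper would ask to fix."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Every HijackThis entry starts with a section code such as R3, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Matches "jre1.5.0_02" or "j2re1.4.2_03" style runtime directory names.
JAVA_VER_RE = re.compile(r"j2?re(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
# Assumption: JRE 6u1 is the current release (the version recommended in the thread).
CURRENT_JAVA = (1, 6, 0, 1)
# Assumption: hosts whose ActiveX download (DPF) entries are expected on this box.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.kaspersky.com"}

# Constructed sample: a handful of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124162596781
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    reason: str    # why the entry deserves a look
    line: str      # the original log line


def parse_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, original_line) for every HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def dpf_host(body: str) -> Optional[str]:
    """Extract the download host from an O16 DPF entry body, or None."""
    m = re.search(r"(https?://\S+)", body)
    return urlparse(m.group(1)).hostname if m else None


def triage(log_text: str) -> List[Finding]:
    """Apply the checks from the thread to every entry and collect findings."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(log_text):
        # 1. Entries pointing at files that no longer exist (O3 "(no file)", O9 "(file missing)").
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(section, "orphaned entry: referenced file no longer exists", line))
        # 2. A missing default URLSearchHook, which HijackThis can restore.
        if section == "R3" and "is missing" in body:
            findings.append(Finding(section, "default URLSearchHook missing; restore it", line))
        # 3. ActiveX download entries from hosts outside the trusted set.
        if section == "O16":
            host = dpf_host(body)
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, f"ActiveX download from untrusted host {host}", line))
        # 4. Any path that references a Java runtime older than the baseline.
        jv = JAVA_VER_RE.search(body)
        if jv and tuple(int(x) for x in jv.groups()) < CURRENT_JAVA:
            findings.append(Finding(section, f"old Java runtime {jv.group(0)}; uninstall and update", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Run against the constructed sample, the script reports four entries: the missing URLSearchHook, the "(no file)" toolbar, the button backed by the jre1.5.0_02 runtime, and the screensavers.com DPF download, which are exactly the lines the helper asked to fix or replace. The update.microsoft.com control and the jre1.6.0_01 helper pass. Note that flagged O9 "(file missing)" items for uninstalled software are harmless leftovers; the script surfaces them for review rather than deciding for you.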
  15. 2007/05/03
    bobkosu2121

    bobkosu2121 Inactive Thread Starter

    Joined:
    2007/04/29
    Messages:
    15
    Likes Received:
    0
    After disabling AVG antivirus and rebooting, Symantec still would work; it just took a while for it to open. It seems like I would click and it would do nothing, but it eventually came up. My apps seem to be working fine as well. Then I did a repair on Symantec by redownloading the file and clicked repair and rebooted and updated again. I was wondering what type of programs I should keep on my computer for protection. I normally had Symantec antivirus, Spybot, and Ad-Aware. I have never had any real problems until this one. Would you recommend a better set up with different programs? I have no opinion either way. I was also wondering if a program like Mozilla is better than Internet Explorer, or is that just a matter of opinion? Here is the HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:32:49 PM, on 5/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Bobby\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://dhcp.indiana.edu/cgi-bin/getconnected?a=+))-&)1&+-x*/3.)3,,Su?Zeex+))-x@^mx<hgg^\m^]x<=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146342036\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124162596781
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
     
  16. 2007/05/06
    bobkosu2121

    bobkosu2121 Inactive Thread Starter

    Joined:
    2007/04/29
    Messages:
    15
    Likes Received:
    0
    So did my HijackThis log look clean?
     
  17. 2007/05/06
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Sorry for leaving you hanging..

    Hijackthis log looks OK.

    Did the repair help Norton at all?
    Newer versions of Norton take a lot of memory. How is your system set for memory?
    Pretty good processor and fair bit of RAM?

    Protections...

    Ad-Aware & Spybot S & D are fine along with your Norton.
    AVG antispyware will do fine as well for manual scans. Even though the resident protection quits after 30 days it is still a good scanner/cleaner and you can manually update it.

    Personally I don't like norton because it is such a system hog.
    There are a few other free alternative antivirus programs that work as well as Norton.

    Avast:
    http://www.avast.com/eng/avast_4_home.html

    AVG:
    http://free.grisoft.com/doc/1

    AntiVir:
    http://www.free-av.com/antivirus/allinonen.html

    If you decide on one of these make sure Norton is uninstalled before installing.

    If looking for a light weight "pay for" antivirus...
    I like NOD32.

    http://www.eset.com/download/index.php

    They do have a 30 day trial.

    Other protection I use & recommend..

    SpywareBlaster.
    This program blocks known bad ActiveX controls, many tracking cookies and puts many bad sites in the Restricted zone for IE.
    Install> update> enable all protection.
    Updates are about once a month and it is free.
    Info & download here:

    http://www.javacoolsoftware.com/spywareblaster.html

    A 3rd party firewall is recommended.
    Windows XP has its own but outgoing protection control is not that good.
    If you decide to install one of these firewalls do make sure the XP one is off to avoid conflicts.

    Personally I use Zone alarm but there are several to choose from:

    Zone Alarm:
    http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

    Outpost:
    http://www.agnitum.com/products/outpostfree/download.php

    Comodo:
    http://www.personalfirewall.comodo.com/

    Sunbelt Kerio:
    http://www.sunbelt-software.com/Kerio.cfm

    Understanding and using firewalls:
    http://www.bleepingcomputer.com/tutorials/tutorial60.html

    You mentioned FireFox.

    Definitely a good addition. We recommend it all the time for day-to-day surfing. I can't say it is better as that is a matter of opinion, but I can say in many respects it is safer.
    FF does not use/support ActiveX which makes it safer.
    Many people primarily use FF and only use IE where necessary for updates to Windows and other sites that use ActiveX.

    Several other good programs/tips at the following sites to help keep you clean:

    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
    http://boards.cexx.org/index.php?topic=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml
    http://temerc.com/hddncounttuts.html
     
  18. 2007/05/06
    bobkosu2121

    bobkosu2121 Inactive Thread Starter

    Joined:
    2007/04/29
    Messages:
    15
    Likes Received:
    0
    After the repair, Symantec was still running slow; but I was able to at least uninstall it this time. I think my computer has a decent amount of memory and a Pentium 4 for a processor. Now I have AVG, Avast, Ad-Aware, Spybot, and Zone Alarm. I downloaded SpywareBlaster, but I was unable to install it due to an error. It said it was searching Microsoft Office Professional Edition 2003 and said it could not find the file SKU111.CAB and asked for me to locate it or put in the Office CD, which I do not have.
     
  19. 2007/05/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Are all your Office apps working properly?

    The Office install prompt when trying to install SpywareBlaster seems to point to a corrupt Office installation.

    http://www.javacoolsoftware.info/kb/idx/7/064/article/

    If you bought the Office CD you should be able to order a replacement here:

    http://support.microsoft.com/kb/302822/en-us

    I don't know how much it will cost but there are 1-800 numbers there you can call to find out.

    Another possibility is to start at Method 2 here to resolve the issue:

    http://support.microsoft.com/kb/875556/

    Let me know if any of the suggestions worked.

    Blender
     
  20. 2007/05/08
    bobkosu2121

    bobkosu2121 Inactive Thread Starter

    Joined:
    2007/04/29
    Messages:
    15
    Likes Received:
    0
    I chose to uninstall Microsoft Office 2003 and then install SpywareBlaster, which worked. Next, I installed Microsoft Office 2007. Overall, my computer seems to run a little bit slower than it used to. I'm not sure if that is because I have installed all of the anti-virus and adware programs or what. Another question I had is, is it safe for Firefox to remember passwords, or is there a way trojans or whatever can steal them?
     
  21. 2007/05/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Glad you got the office/SpywareBlaster issue resolved.

    Can I see a fresh hijackthis log please?

    Also, let's have a look at a complete startup list please.
    Open Hijackthis
    Open misc tools section
    check both options beside "generate hijackthis log" and generate the log.
    Post results.
    It will take a couple posts to get both logs in.

    Thanks :)

    If you have AVG running resident it can slow the system a fair bit. I think you had shut this off already though. Correct?

    If using the "pro" version of Zone Alarm it has an antispyware component within it. I disabled mine from within options. (good idea if running ad-aware or Spybot resident)

    Password stealers can "grab" saved passwords from anywhere. IE is most typical but it is possible to get them from Firefox password cache as well.

    Using safe surfing practices and keeping the OS and security up to date are the best defences against such malicious activity.
    I myself won't use my computer for Credit Card/banking stuff.

    Blender
     
