Will Hummel

ClickSpring.PurityScan and other problem programs


Hello everyone! I'm new to the forum and I am in need of some help.

 

Alright, Monday evening I happened to download a file which seemed to be full of spyware, malware, and viruses. Now my dad and I have been working on this all week trying to remove this crap. Basically we've removed a lot of the problems, like Bar888, fake virus alerts which tried to get us to install WinAntiVirus Pro 2006 and some other programs, pop-ups without the internet being used, and all sorts of things which mainly hijacked Internet Explorer: random ads coming on, redirecting websites, and all sorts of nightmares. We've managed to get rid of a lot of things and we even managed to control IE a little bit; however, Windows Defender still pops up when I log on saying that ClickSpring is still trying to work. Every time we access IE we get the same message again and again, only to remove it and watch it come right back on within minutes, and we still sometimes get redirecting websites.

 

Now we need to know how to fully remove this crap from our computer. Here is a HijackThis log.

 

Logfile of HijackThis v1.99.1

Scan saved at 11:30:08 AM, on 12/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Documents and Settings\William\Desktop\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {B1F548E1-AA53-8484-7001-8E1A72C95B9D} - C:\WINDOWS\system32\tjpgqal.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\blcdaevi.dll

O2 - BHO: (no name) - {948F9771-67D8-46D7-B032-833FF87DA864} - C:\WINDOWS\system32\fcyww.dll (file missing)

O2 - BHO: (no name) - {98C2962E-495B-49EC-B08B-E7D15A27A983} - C:\WINDOWS\system32\geecd.dll (file missing)

O2 - BHO: (no name) - {B1F548E1-AA53-8484-7001-8E1A72C95B9D} - C:\WINDOWS\system32\tjpgqal.dll

O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)

O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Rcio] "C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe" -vt ndrv

O4 - HKCU\..\Run: [Ycgvd] C:\WINDOWS\system32\??mbols\ati2evxx.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1152117739035

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152117691397

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

 

Thanks!
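As an added example (not code from this thread or from HijackThis itself), the following Python script applies to the R/O entries of the log above the checks a log reader makes by eye: orphaned entries, unnamed BHOs and hooks, autoruns under the user's profile, paths with characters HijackThis could not render, one-character lookalikes of core system binaries, and services with no publisher. The sample input is an excerpt of the posted log; the rule names, the profile-directory list and the lookalike threshold are my own assumptions.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example, not HijackThis code).

Each R*/O* entry is checked against a few rules a human log reader applies by eye:
orphaned entries, unnamed COM objects, autoruns in the user profile, paths with
unrenderable characters, system-binary lookalikes and services with no publisher.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O2 - BHO: ..." -> section code ("O2") and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2})\s+-\s+(?P<body>.+)$")
# First Windows path (drive letter or %VAR%) ending in an executable/library extension.
PATH_RE = re.compile(
    r'((?:[A-Za-z]:|%\w+%)\\.+?\.(?:exe|dll|ocx|sys))(?:"|\s|$)', re.IGNORECASE)
# Core system binaries whose names adware commonly imitates (e.g. "svchosts.exe").
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
# Assumption: on XP, legitimate autoruns rarely execute out of the user's profile.
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\",
                "\\applic~1\\", "\\application data\\")


@dataclass
class Finding:
    code: str
    path: Optional[str]
    reasons: List[str]
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with the reasons an entry deserves review, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank line or the "Running processes" list
    code, body = m.group("code"), m.group("body")
    path = extract_path(body)
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphan: registry entry points at a file that no longer exists")
    if "(no name)" in body and path:
        reasons.append("unnamed component loaded into Explorer/IE from " + path)
    if code == "O4" and path and any(d in path.lower() for d in PROFILE_DIRS):
        reasons.append("autorun launched from a user profile directory")
    if path and "?" in path:
        reasons.append("path contains characters HijackThis could not render")
    if path:
        name = path.rsplit("\\", 1)[-1].lower()
        for known in sorted(SYSTEM_BINARIES):
            if name != known and edit_distance(name, known) == 1:
                reasons.append("filename imitates system binary " + known)
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher information")
    return Finding(code, path, reasons, line.strip()) if reasons else None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_line, text.splitlines()) if f]


# Excerpt of the log posted above (lines copied from it, not a full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {B1F548E1-AA53-8484-7001-8E1A72C95B9D} - C:\WINDOWS\system32\tjpgqal.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {948F9771-67D8-46D7-B032-833FF87DA864} - C:\WINDOWS\system32\fcyww.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Rcio] "C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe" -vt ndrv
O4 - HKCU\..\Run: [Ycgvd] C:\WINDOWS\system32\??mbols\ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.code, f.path or "(no path)")
        for r in f.reasons:
            print("   -", r)
```

Findings are candidates for a human log reader, not verdicts: the xpnetdiag and PartyPoker entries in the full log would be flagged as orphans too, and they are leftovers rather than infections.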


Hello, Will Hummel & Welcome

 

 

Please, we ask that everyone have a look at the two links in the quote box at the bottom of my page. Go there, do as is asked of you, then come back here with a new HijackThis logfile.

 

Gogo :)


My apologies. If you can tell, this malware, spyware, virus crap has kind of made me just want to get rid of it ASAP. Thanks, I read your two links and did exactly what they said. I opened Ad-Aware and got the latest definitions. Then I did a full system scan and it found 39 objects and I removed them. Then I ran it once more and it found nothing. Then I went straight to HijackThis and did a scan. Here are the results.

 

Logfile of HijackThis v1.99.1

Scan saved at 3:02:35 PM, on 12/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\William\Desktop\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {B1F548E1-AA53-8484-7001-8E1A72C95B9D} - C:\WINDOWS\system32\tjpgqal.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\blcdaevi.dll (file missing)

O2 - BHO: (no name) - {948F9771-67D8-46D7-B032-833FF87DA864} - C:\WINDOWS\system32\fcyww.dll (file missing)

O2 - BHO: (no name) - {98C2962E-495B-49EC-B08B-E7D15A27A983} - C:\WINDOWS\system32\geecd.dll (file missing)

O2 - BHO: (no name) - {B1F548E1-AA53-8484-7001-8E1A72C95B9D} - C:\WINDOWS\system32\tjpgqal.dll

O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)

O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Rcio] "C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe" -vt ndrv

O4 - HKCU\..\Run: [Ycgvd] C:\WINDOWS\system32\??mbols\ati2evxx.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117739035

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117691397

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

 

Thanks HJThis, I look forward to your reply!


Hi, Will Hummel

 

• Uninstall the following programs if present

- Go to Start > Control Panel > Add/Remove Programs

- Select the following, one at a time, and click Remove for each one

Oin

Yazzle by Oin

Purityscan by Oin

Snowballwars by Oin

Cowabanga by OIN

or anything similar with Oin in it

 

If OIN is not listed, download and run this uninstaller

http://www.outerinfo.com/OiUninstaller.exe

 

Reboot when done! Really important!

 

 

Next

 

Download and Install AVG Anti-Spyware© by Grisoft

 

Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.

The program will now go to the main screen

You will need to update AVG Anti-Spyware to the latest definition files.

On the main screen select the icon Update then select the Update now link

Next select the Start Update button, the update will start and a progress bar will show the updates being installed.

Close AVG Anti-Spyware

( Do not run just YET )

 

 

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

( Do not run just YET )

 

 

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

 

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

 

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

 

 

Now

 

Run AVG Anti-Spyware

Click on Scanner at top

Click on Settings

Once in the Settings screen click on Recommended actions and then select Quarantine

Under Reports, Select Automatically generate report after every scan

Un-Select Only if threats were found

Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan

AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time

Once the scan is complete do the following :

If you have any infections you will be prompted, then select Apply all actions

Next select the Reports icon at the top.

Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Now close AVG Anti-Spyware

 

 

Please run Panda's ActiveScan and perform a full system scan.

Once you are on the Panda site click the Scan your PC button (be sure to disable your popup blocker first )

A new window will open...click the big Check Now button

Enter your Country

Enter your State/Province

Enter your e-mail address and click send

Select either Home User or Company

Click the big Scan Now button

If it wants to install an ActiveX component allow it

It will start downloading the files it requires for the scan (Note: It will take a couple minutes)

Click on Local Disks to start the scan

Click on see report Then click Save report

 

Post a fresh HijackThis log, the AVG Anti-Spyware log and the Panda Scan log and rapport.txt here

(You may need to use several replies as the logs may be cut off)

 

 

Gogo :)


Hi Will Hummel,

 

In order for the log-reading malware experts to assist you, please post a Full Scan log from Ad-Aware SE.

 

Firstly, please make sure that you are using Ad-aware SE Build 106r1

Note: If you are using an earlier version and not the SE, you need to uninstall the older version first and get the latest version from the above link, then install SE.

Then use the WebUpDate to get the latest Definition file SE1R140 18.12.2006

To do this Open Ad-aware - Click the WebUpDate button at the top right hand side of the Ad-aware screen (The world globe).

Click "Connect" Ad-aware will then download the latest Definition file for you.

To make sure it is updated, look at the main Ad-aware screen, and look under "Initialization Status" where it should say the Latest Definition file.

Then scan doing a "Full Scan" and then post your logfile here by using the Add-Reply Feature.

 


 

By default, Logs are stored in: C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.

An easy way to get there is to click Start, click Run and type in and press ENTER: %appdata% , then click Lavasoft, then Ad-Aware and then Logs.

Scroll down to find the latest one that you have (by date & time) and open it, right Click, select all, copy and then paste the contents of it here.

(Make sure that all of your Logfile has been posted, sometimes it will require two posts to get it all)

 

-Configuring Ad-Aware Full-Scan

1) Start Ad-Aware SE

2) Click on the link "Check for updates now" press the connect button and follow the prompts to ensure you are up to date.

3) Press the start button and in the Preparing System Scan window select the option "Perform full system scan", click on "Search for negligible risk entries" so that it shows a red cross (i.e. is deselected) and click on "Search for low-risk threats" so that it shows a green tick (i.e. is selected).

4) Click the "Next" button to start the full scan - when the scan finishes click on the "show logfile" button. In the log window right mouse click and select "Select all..." then right mouse click again and select "Copy to clipboard" then paste in a reply to this thread.

 

Due to the number of requests for help, it may take a few days for the expert log-readers to get to you - please be patient and don't "bump" your Topic (ie: add extra posts to it), as logs are answered from oldest to newest :)

 

Regards,

 

Spike


Alright thanks very much! I ran everything just like you told me and here are all the logs. First I will start with the SmitfraudFix log.

 

SmitFraudFix v2.131

 

Scan done at 18:54:00.23, Fri 12/22/2006

Run from C:\Documents and Settings\William\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{fe288882-f661-4522-88f3-20cfb7866fa4}"="gutturalness"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\system32\cvnzie.dll Deleted

C:\WINDOWS\system32\ot.ico Deleted

C:\WINDOWS\system32\ts.ico Deleted

C:\WINDOWS\system32\components\flx?.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Next here is the AVG Anti-Spyware log.

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 7:28:45 PM 12/22/2006

 

+ Scan result:

 

 

 

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP283\A0018431.exe -> Adware.AntiVermins : Cleaned with backup (quarantined).

HKU\S-1-5-21-2000478354-2111687655-1343024091-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4D74AAA-A178-4463-846B-B4BC87A024E0} -> Adware.Generic : Cleaned with backup (quarantined).

C:\Program Files\ipwins\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP288\A0018710.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP293\A0018809.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).

C:\Documents and Settings\William\Desktop\OiUninstaller.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).

C:\Documents and Settings\William\Local Settings\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\Cache\92941175d01 -> Adware.MediaTickets : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP283\A0018426.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP296\A0019142.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP299\A0019395.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\RECYCLER\S-1-5-18\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP283\A0018461.dll -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP283\A0018462.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP293\A0018844.dll -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP293\A0018845.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP295\A0018883.dll -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP295\A0018884.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP295\A0018896.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP295\A0018881.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP288\A0018711.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).

C:\Program Files\ipwins\Services.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP293\A0018810.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).

C:\Program Files\ipwins\Uninst.exe -> Dropper.DollarR.b : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP296\A0019042.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP296\A0019043.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).

:mozilla.25:C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.56:C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\William\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.

:mozilla.74:C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.75:C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.76:C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP283\A0018459.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP296\A0019144.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP299\A0019398.exe -> Trojan.Small : Cleaned with backup (quarantined).

 

 

::Report end

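Most of the objects in the AVG report above sit under C:\System Volume Information\_restore{...}\RP###\, that is, in System Restore's own snapshots of files the infection dropped, rather than in live locations. The Python script below is an added example, not AVG's code and not something posted in this thread; it parses a subset of the report lines copied from above and buckets each detection by where it lives, so you can see at a glance which restore points are polluted and what was actually running on the box (the ipwins files). The category names and the needs_restore_purge rule are my assumptions, not anything AVG defines.

```python
"""Classify AVG Anti-Spyware report lines by where the detected object lives.

Added example for this thread; not AVG's code and not something the helper
posted. SAMPLE_REPORT is a subset of the report above; the location
categories and the "needs a restore-point purge" rule are assumptions.
"""
import re
from collections import Counter

# Constructed sample: eight lines copied from the posted report plus its footer.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP283\A0018431.exe -> Adware.AntiVermins : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-2111687655-1343024091-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4D74AAA-A178-4463-846B-B4BC87A024E0} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\ipwins\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\ipwins\Services.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\William\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\System Volume Information\_restore{697AEFAD-7ED8-4788-9D9E-82267739744E}\RP296\A0019144.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
"""

# One report line: "<object> -> <detection name> : <action>."
ENTRY = re.compile(r"^(?P<obj>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")
# System Restore snapshot path; group 1 is the restore-point number.
RESTORE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\")


def classify(obj):
    """Bucket a detected object by the kind of location it sits in (assumed categories)."""
    if RESTORE.search(obj):
        return "restore-point copy"
    if obj.startswith("HK"):
        return "registry"
    if obj.startswith(":mozilla.") or "\\Cookies\\" in obj:
        return "tracking cookie"
    if "\\RECYCLER\\" in obj.upper():
        return "recycle bin"
    return "live file"


def parse_report(text):
    """Turn report lines into dicts; header/footer lines without ' -> ' are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        obj = m.group("obj")
        rp = RESTORE.search(obj)
        entries.append({
            "object": obj,
            "detection": m.group("detection").strip(),
            "action": m.group("action"),
            "location": classify(obj),
            "restore_point": int(rp.group(1)) if rp else None,
        })
    return entries


def summarize(entries):
    """Count detections per location bucket."""
    return Counter(e["location"] for e in entries)


def restore_points_hit(entries):
    """Sorted list of restore-point numbers that contained a detection."""
    return sorted({e["restore_point"] for e in entries if e["restore_point"] is not None})


def needs_restore_purge(entries):
    """True when any detection lives in a restore point: rolling back to such a
    point would reinstate whatever the scanner missed there, so the points
    should be discarded (assumed rule, mirroring the helper's later advice)."""
    return any(e["location"] == "restore-point copy" for e in entries)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for location, n in summarize(found).most_common():
        print(f"{n:3d}  {location}")
    print("restore points hit:", restore_points_hit(found))
    print("purge restore points:", needs_restore_purge(found))
```

On the full report the RP buckets dominate (points 283 through 299) and only the ipwins and RECYCLER files were live. Anything the scanner did not recognise inside those snapshots comes back with a rollback, which is why the cleanup later in the thread turns System Restore off and on again to discard them and then sets a fresh point.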

Now here is the Panda Scan log.

 

 

Incident Status Location

 

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ubyoelxw.default\cookies.txt[.2o7.net/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ubyoelxw.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ubyoelxw.default\cookies.txt[citi.bridgetrack.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ubyoelxw.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ubyoelxw.default\cookies.txt[data.coremetrics.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ubyoelxw.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\790j6jgk.default\cookies.txt[.2o7.net/]

Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\790j6jgk.default\cookies.txt[citi.bridgetrack.com/]

Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\790j6jgk.default\cookies.txt[data.coremetrics.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\790j6jgk.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\790j6jgk.default\cookies.txt[.advertising.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[.2o7.net/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[.hitbox.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[citi.bridgetrack.com/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\eehh0joy.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\cookies.txt[.toplist.cz/]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\William\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\William\Desktop\SmitfraudFix.zip[smitfraudFix/Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\William\Local Settings\Application Data\Mozilla\Firefox\Profiles\l87tpzcg.default\Cache\633285D9d01[smitfraudFix/Process.exe]

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\deuibfoo.exe

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\lqdakise.exe

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\wvsokien.exe

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\wxwtkcuo.exe


And finally the HijackThis log.

 

Logfile of HijackThis v1.99.1

Scan saved at 9:30:22 PM, on 12/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\William\Desktop\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\blcdaevi.dll (file missing)

O2 - BHO: (no name) - {948F9771-67D8-46D7-B032-833FF87DA864} - C:\WINDOWS\system32\fcyww.dll (file missing)

O2 - BHO: (no name) - {98C2962E-495B-49EC-B08B-E7D15A27A983} - C:\WINDOWS\system32\geecd.dll (file missing)

O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Rcio] "C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe" -vt ndrv

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117739035

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117691397

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

 

Thanks for all your help so far! I look forward to your reply!!!


One more thing: I've noticed that people have been told to remove IpWins from their computer and was wondering if I should do the same. In the Control Panel, under Add or Remove Programs, IpWins shows up in there, but it doesn't seem to be installed. Should I remove it?


Hey, Will Hummel

Oops, yes, if IpWins is there, go on and remove it.

Go to Start -> Run and type "Services.msc" (without quotes), then hit OK.

Scroll down and find the service called:

COM+ Messages

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.

Close ALL programs down, leaving ONLY HijackThis running - click Scan and.....

Place a check against the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKCU\..\Run: [Rcio] "C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe" -vt ndrv
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Click on Fix Checked and exit HijackThis.

======================================================================

Open HijackThis. Click on 'Open the miscellaneous tools section'.
Click on 'Delete an NT Service'.
Paste in this:

COM+ Messages

and click 'OK'.
Close HijackThis.

Do a reboot and then do this here for me please:

Please download VirtumundoBeGone to your desktop. This needs to be run in Safe Mode.

Restart your computer in Safe Mode.
  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Log in on your usual account.
If you need further assistance with Safe Mode, see Symantec.

Double-click on VirtumundoBeGone.exe and follow the instructions.
Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.
When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply.

Gogo ;)

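The entries the helper picked out above share a few tell-tale traits: a referenced file that is no longer present, a BHO or toolbar registered without a name, an autorun launching cmd.exe from under the user profile, and a service whose binary name (svchosts.exe) is one letter off from the real svchost.exe. The Python script below is an added example, not part of HijackThis and not anything posted in this thread; it encodes those traits as heuristics and runs them over a handful of lines copied from the log above (the benign Acrobat, Windows Defender and AVG lines are included so the rules can be seen not firing). The heuristic list, the lookalike-name set and the "system binaries" set are my assumptions, not a vendor signature set.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis, the fix tools,
or anything the helper posted. SAMPLE_LOG is copied from the log above
(benign lines mixed with the suspicious ones); the rules are assumed
heuristics that mirror what the helper selected for "Fix Checked".
"""
import re

# Constructed sample: lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\blcdaevi.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Rcio] "C:\DOCUME~1\William\APPLIC~1\CROSOF~1.NET\cmd.exe" -vt ndrv
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# Assumed lists: names chosen to blend in with real Windows binaries, and real
# names that should only ever run from somewhere under the Windows directory.
LOOKALIKES = {"svchosts.exe", "scvhost.exe", "lsasss.exe", "csrsss.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "cmd.exe", "explorer.exe"}
# User-profile locations, in both long and 8.3 short form, lower-cased.
PROFILE_PATH = re.compile(r"docume~1|documents and settings|applic~1|application data|local settings")
# A file name token (no path separators, quotes or spaces) ending in .exe/.dll/.ocx.
FILE_NAME = re.compile(r'([^\\/"\s]+\.(?:exe|dll|ocx))', re.IGNORECASE)


def binary_name(body):
    """Last .exe/.dll/.ocx file name mentioned on the line, lower-cased ('' if none)."""
    names = FILE_NAME.findall(body)
    return names[-1].lower() if names else ""


def reasons_for(section, body):
    """Return the list of heuristic hits for one HijackThis entry."""
    low = body.lower()
    name = binary_name(body)
    hits = []
    if "(file missing)" in low or "(no file)" in low:
        hits.append("referenced file is missing: stale registration of a removed or deleted component")
    if section in ("O2", "O3") and "(no name)" in low:
        hits.append("unnamed BHO/toolbar: legitimate add-ons register a display name")
    if name in LOOKALIKES:
        hits.append(f"{name} mimics a Windows system binary name")
    if section == "O4" and PROFILE_PATH.search(low):
        hits.append("autorun entry launching from a user-profile path")
    if name in SYSTEM_BINARIES and "\\windows\\" not in low:
        hits.append(f"{name} is a system binary name running outside the Windows directory")
    if section == "O23" and "unknown owner" in low:
        hits.append("service binary has no vendor/company string (Unknown owner)")
    return hits


def triage(log_text):
    """Map each HijackThis line that earned at least one hit to its list of reasons."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+|R\d)\s*-\s*(.*)$", line)
        if not m:
            continue  # process list, header lines, blanks
        section, body = m.groups()
        hits = reasons_for(section, body)
        if hits:
            flagged[line] = hits
    return flagged


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(line)
        for hit in hits:
            print("   ->", hit)
```

Run it and the Brother service line is flagged as well (Unknown owner, file missing). The process list in the same log shows Brmfrmps.exe running, so that hit is a false positive, apparently from the stray quote in the service's command line, which is exactly why the helper left it alone: the script narrows the list, a person makes the call.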

Hey,

In the first step, COM+ Messages was already stopped, it said, so I simply clicked Disabled at startup and applied it. Is that alright?

Then we found everything and removed everything except for this:

O23 - Service: COM+ Messages - Unknown owner - C:/Windows/system32/svchosts.exe" -e

However, when we ran the miscellaneous tools section it found it and we deleted it. Thanks again for all the help, I really appreciate it! Now I am on VirtumundoBeGone, will post logs shortly!


Hi, Will Hummel

Yes, that's cool. Now give me Vundo... or "me begone"... get it? Me begone. Sorry ;)

God, this is one hard room.

Gogo :P


First off, thanks again HJThis!!! I really mean it; your help really means a lot to me. I did the steps and have one question before I post up the HijackThis log and the VirtumundoBeGone log.

I noticed in Notepad that the File, Edit, View, Tools, etc. were all highlighted in blocks of white. I was wondering if you know why that is? In Mozilla Firefox everything is just fine. Here are your logs.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:35:13 AM, on 12/23/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Documents and Settings\William\Desktop\HijackThis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\blcdaevi.dll (file missing)

O2 - BHO: (no name) - {948F9771-67D8-46D7-B032-833FF87DA864} - C:\WINDOWS\system32\fcyww.dll (file missing)

O2 - BHO: (no name) - {98C2962E-495B-49EC-B08B-E7D15A27A983} - C:\WINDOWS\system32\geecd.dll (file missing)

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117739035

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117691397

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


Haha, I got it, lol! Thanks again man you rock! Here is the log for VirtumundoBeGone!

 

 

[12/23/2006, 10:30:16] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\William\Desktop\VirtumundoBeGone.exe" )

[12/23/2006, 10:30:23] - Detected System Information:

[12/23/2006, 10:30:23] - Windows Version: 5.1.2600, Service Pack 2

[12/23/2006, 10:30:23] - Current Username: William (Admin)

[12/23/2006, 10:30:23] - Windows is in SAFE mode with Networking.

[12/23/2006, 10:30:23] - Searching for Browser Helper Objects:

[12/23/2006, 10:30:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[12/23/2006, 10:30:23] - BHO 2: {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} ()

[12/23/2006, 10:30:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2006, 10:30:23] - Checking for HKLM\...\Winlogon\Notify\blcdaevi

[12/23/2006, 10:30:24] - Key not found: HKLM\...\Winlogon\Notify\blcdaevi, continuing.

[12/23/2006, 10:30:24] - BHO 3: {948F9771-67D8-46D7-B032-833FF87DA864} ()

[12/23/2006, 10:30:24] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2006, 10:30:24] - Checking for HKLM\...\Winlogon\Notify\fcyww

[12/23/2006, 10:30:24] - Key not found: HKLM\...\Winlogon\Notify\fcyww, continuing.

[12/23/2006, 10:30:24] - BHO 4: {98C2962E-495B-49EC-B08B-E7D15A27A983} ()

[12/23/2006, 10:30:24] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2006, 10:30:24] - Checking for HKLM\...\Winlogon\Notify\geecd

[12/23/2006, 10:30:24] - Key not found: HKLM\...\Winlogon\Notify\geecd, continuing.

[12/23/2006, 10:30:24] - Finished Searching Browser Helper Objects

[12/23/2006, 10:30:24] - Finishing up...

[12/23/2006, 10:30:24] - Nothing found! Exiting...

 

[12/23/2006, 10:31:23] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\William\Desktop\VirtumundoBeGone.exe" )

[12/23/2006, 10:31:32] - Detected System Information:

[12/23/2006, 10:31:32] - Windows Version: 5.1.2600, Service Pack 2

[12/23/2006, 10:31:32] - Current Username: William (Admin)

[12/23/2006, 10:31:32] - Windows is in SAFE mode with Networking.

[12/23/2006, 10:31:32] - Searching for Browser Helper Objects:

[12/23/2006, 10:31:33] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[12/23/2006, 10:31:33] - BHO 2: {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} ()

[12/23/2006, 10:31:33] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2006, 10:31:33] - Checking for HKLM\...\Winlogon\Notify\blcdaevi

[12/23/2006, 10:31:33] - Key not found: HKLM\...\Winlogon\Notify\blcdaevi, continuing.

[12/23/2006, 10:31:33] - BHO 3: {948F9771-67D8-46D7-B032-833FF87DA864} ()

[12/23/2006, 10:31:33] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2006, 10:31:33] - Checking for HKLM\...\Winlogon\Notify\fcyww

[12/23/2006, 10:31:33] - Key not found: HKLM\...\Winlogon\Notify\fcyww, continuing.

[12/23/2006, 10:31:33] - BHO 4: {98C2962E-495B-49EC-B08B-E7D15A27A983} ()

[12/23/2006, 10:31:33] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2006, 10:31:33] - Checking for HKLM\...\Winlogon\Notify\geecd

[12/23/2006, 10:31:33] - Key not found: HKLM\...\Winlogon\Notify\geecd, continuing.

[12/23/2006, 10:31:33] - Finished Searching Browser Helper Objects

[12/23/2006, 10:31:33] - Finishing up...

[12/23/2006, 10:31:33] - Nothing found! Exiting...

 

 

Thanks again!!!!


Hi,Will Hummel

 

Huh i did not see these here they may not be here but lit's be sure

 

 

View hidden files and folders:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

 

Run HijackThis

Scan and when it finishes, put a check mark only next to these following items : (if present)

 

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\blcdaevi.dll (file missing)

O2 - BHO: (no name) - {98C2962E-495B-49EC-B08B-E7D15A27A983} - C:\WINDOWS\system32\geecd.dll (file missing)

O2 - BHO: (no name) - {948F9771-67D8-46D7-B032-833FF87DA864} - C:\WINDOWS\system32\fcyww.dll (file missing)

 

Close all browsers and any open Windows, making sure that only HijackThis is open

Click Fix Checked

Close HijackThis

 

 

Restart your computer in Safe Mode.

  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Login on your usual account.

If you need further assistance with Safe Mode, see Symantec

 

 

Next do a file Search & delete these files if found

C:\WINDOWS\system32\blcdaevi.dll<---This file

C:\WINDOWS\system32\geecd.dll<---This file

C:\WINDOWS\system32\fcyww.dll<---This file

 

Sorry about that i should have seen them first time around.

 

 

And get this here done before you come back here with any feedback

 

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

 

Next, let's clean your restore points and set a new one

 

 

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

 

1. Turn off System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* CHECK Turn off System Restore.

* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* UN-Check Turn off System Restore.

* Click Apply, and then click OK.

 

System Restore will now be active again.

Then create a new restore point once you have System Restore back on.

To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.

When the System Restore Utility opens, click "Create a Restore Point" then click Next.

Enter a name for this Restore Point, and click Create.

Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

Firefox (in case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

Make your Internet Explorer more secure - this can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c. Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.
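As an added example (written here, not part of this thread or of any tool it mentions), this PowerShell script audits the Internet zone against the six Custom Level settings above and can set them; the registry value names (1001, 1004, 1201, 1800, 1804, 1607 under Zones\3), the 0/1/3 encoding and the Security_HKLM_only override are taken from Microsoft's documented zone layout and are assumptions as far as this post is concerned.

```powershell
# Added example, not part of the thread: audit the Internet zone (zone 3) against
# the six settings recommended above. Value names and the 0/1/3 encoding
# (0 = Enable, 1 = Prompt, 3 = Disable) are assumptions from Microsoft's
# documented zone layout (KB 182569). Note: if HKLM\...\Internet Settings has
# Security_HKLM_only = 1, the HKLM zone key wins; this script checks HKCU first.
param([switch]$Apply)   # -Apply writes the recommended value where it differs

$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$hklm = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Ordered list of (value name, description, wanted setting) taken from the post.
$wanted = @(
    @{ Id = '1001'; Desc = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Desc = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Desc = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Desc = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Desc = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Get-ZoneValue([string]$Id) {
    # The per-user value applies when present; otherwise the machine default does.
    foreach ($key in $hkcu, $hklm) {
        $v = Get-ItemProperty -Path $key -Name $Id -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.$Id }
    }
    return $null
}

$drift = 0
foreach ($s in $wanted) {
    $cur = Get-ZoneValue $s.Id
    $curText = if ($null -eq $cur) { 'not set' } elseif ($label.ContainsKey($cur)) { $label[$cur] } else { "raw $cur" }
    if ($cur -eq $s.Want) {
        Write-Host ("OK       {0,-58} {1}" -f $s.Desc, $curText)
        continue
    }
    $drift++
    Write-Host ("MISMATCH {0,-58} {1} (want {2})" -f $s.Desc, $curText, $label[$s.Want])
    if ($Apply) {
        # Write to HKCU, which is the key the Custom Level dialog edits for a user.
        if (-not (Test-Path $hkcu)) { New-Item -Path $hkcu -Force | Out-Null }
        Set-ItemProperty -Path $hkcu -Name $s.Id -Value $s.Want -Type DWord
    }
}
Write-Host "$drift of $($wanted.Count) settings differ from the recommended values."
```

Run it once without -Apply to see which settings still allow ActiveX downloads or cross-domain frames, then with -Apply to set them; re-run afterwards to confirm nothing has drifted back, which is the same check the post's "watch it come right back" complaint calls for.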

 

And please have a look at the great info by Mr. TK:

So how did I get infected in the first place?

 

 

Gogo ;)


Alright I followed all the steps you gave me and read the article you showed me, now here is some feedback.

 

I made the files unhidden and ran HijackThis. It found those three things and removed all three of those.

 

Then we rebooted the computer into safe mode. However, we didn't find those things you listed.

 

C:/WINDOWS/system32/blcdaevi.dll

C:/WINDOWS/system32/geecd.dll

C:/WINDOWS/system32/fcyww.dll

 

We then rebooted and deleted the old system restore and created a new one just like you mentioned.

 

Then we cleaned out my temporary Internet files, my cookies, my offline content, history, and then went and Reset the Web Settings. We also logged onto everyone's account and deleted all their saved passwords, cookies, cache, browsing history, search form information as well.

 

We then also went and made Internet Explorer safer by following the steps you gave me on everyone's account.

 

Here is a fresh HijackThis file.


Logfile of HijackThis v1.99.1

Scan saved at 12:29:17 PM, on 12/23/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\William\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117739035

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152117691397

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

 

Thanks again! I look forward to your reply!!!


Hey, Will Hummel

Logfile looks great, I don't see any more problem files here. If you're not getting any more pop-ups or warnings then I say you are all clean. If you have any problems at all, let me know.

 

Gogo ;)


Thanks man! We seem to be doing just fine. I've not noticed any pop ups at all or any redirecting websites. Now my dad has a question for you.

 

Alright, my dad had a question about the Windows Firewall. A couple of months ago we could not turn on our Windows Firewall. We tried to turn it on manually but we kept being told that the Windows Firewall could not be accessed due to an unidentified problem. However, during the time we were turning the System Restore back on, a window popped up saying the Windows Firewall was enabled. Now what do you think caused this and how can we turn on the firewall?

 

Also what freeware firewall do you suggest? Thanks again! Merry Christmas!


Hi, Will Hummel

Hmm, ok, this is a hard one, how to put it: RUN, don't walk, away from the WinXP Firewall. You are way better off using ZoneAlarm Free, but if Pops puts up the money :P get the Pro version. Come on, Dad, we all know you have tons of money somewhere. :)

But give me a minute or so, I just helped someone with this same problem.

 

 

Gogo ;)


Hey, HJThis

 

Yeah I was thinking of getting the free ZoneAlarm one. My dad really doesn't want to get one that costs money right now.

 

Also can I remove those programs you had me install?

 

SmitfraudFix?

VirtumundoBeGone?

AVG Anti-Spyware 7.5?

Panda ActiveScan?

 

I'll keep HijackThis I guess. But can those other ones be uninstalled now?

 

We also have Ad-Aware, the latest edition, and Windows Defender.


Hi, Will Hummel

First, is the Firewall error this here, not what you posted?

Due to an unidentified problem, Windows cannot display Windows Firewall settings.

And I would keep AVG Anti-Spyware, just run it once a week. For now it will put an icon in the systray/taskbar for 30 days so you can have auto upgrades, and it will also have the Guard, but after the 30 days you can still use it to update and run scans on the PC.

 

Gogo ;)


Yes, that is the error we have. Also, you are saying keep AVG Anti-Spyware 7.5, so I will do that. However, I can remove the rest of the programs you had me install, correct?

 

SmitfraudFix?

VirtumundoBeGone?

Panda ActiveScan?
