Help - Newbie cannot get rid of popups
Hi,
Could somebody please kindly assist me with solving this issue. I am consistently being harassed with popups. All spyware and antivirus I have run cannot permanently delete some files that are apparently reappearing and sometimes generated with different names.
I am running Windows XP SP2
I have arranged for the log file from HijackThis. It is as follows.
Logfile of HijackThis v1.99.1
Scan saved at 13:02:58, on 09/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\NavNT\defwatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\NavNT\rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\TOSHIBA\Power Management\CePMTray.exe
C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
C:\Programas\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programas\Apoint2K\Apntex.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\etb\pokapoka67.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WINXP\3COMU11GMonitor.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\etb\pokapoka68.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Internet Explorer\iexplore.exe
c:\windows\system32\nabzoa.exe
C:\Programas\WinRAR\WinRAR.exe
C:\DOCUME~1\Rui\DEFINI~1\Temp\Rar$EX00.422\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sapo.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [vptray] C:\Programas\NavNT\vptray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Programas\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteues32.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka68.exe
O4 - HKLM\..\Run: [System service68] C:\WINDOWS\etb\pokapoka68.exe
O4 - HKLM\..\Run: [arqpnza] c:\windows\system32\nabzoa.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: 3Com OfficeConnect Wireless 11g USB Adapter Utility.lnk = C:\Programas\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WINXP\3COMU11GMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ru-pt - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://geo.sapo.pt/imp_cgi/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programas\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.fiat.pt/videos/MSSurVid.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} -
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Programas\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://www.fiat.pt/videos/Outside.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Programas\AutoCAD 2002\InstFred.ocx
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programas\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FREEPORT
O17 - HKLM\Software\..\Telephony: DomainName = FREEPORT
O17 - HKLM\System\CCS\Services\Tcpip\..\{62295F12-C69F-43FD-B503-51DA3EA7ED69}: NameServer = 192.168.75.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FREEPORT
O17 - HKLM\System\CS1\Services\Tcpip\..\{62295F12-C69F-43FD-B503-51DA3EA7ED69}: NameServer = 192.168.75.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FREEPORT
O17 - HKLM\System\CS2\Services\Tcpip\..\{62295F12-C69F-43FD-B503-51DA3EA7ED69}: NameServer = 192.168.75.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programas\NavNT\defwatch.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Rui\DEFINI~1\Temp\hpdj.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programas\NavNT\rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Comments
Before beginning this process please move Hijack This to a permanent folder on your "C drive."
Click Start -> Run -> (type) services.msc
Scroll down and find the service called "System Startup Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
Download these programs:
Ad-Aware SE
Spybot Search & Destroy
Killbox
Save the setup files to a convenient location such as your desktop. Run the setup files for Ad-Aware and Spybot. Open each program and update them with the latest definitions. Unzip the Killbox folder and right-click on the killbox.exe icon and create a shortcut to Killbox, then place it on your desktop.
Run HijackThis and place a checkmark next to these entries, then click Fix Checked. Be sure to close all other open windows before proceeding:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteues32.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka68.exe
O4 - HKLM\..\Run: [System service68] C:\WINDOWS\etb\pokapoka68.exe
O4 - HKLM\..\Run: [arqpnza] c:\windows\system32\nabzoa.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Now open Killbox. In the path of file to be deleted type or copy & paste
C:\WINDOWS\Nail.exe
Check the delete on reboot option. Click delete then follow the instructions from Killbox for removal.
Now reboot into safe mode. To enter safe mode: reboot, and at the start-up screen tap the F8 button, then select Safe Mode from the menu that appears.
Now delete these files or folders if they exist:
C:\windows\system32\eliteues32.exe
C:\WINDOWS\etb
c:\windows\system32\nabzoa.exe
Now run a "full system scan" with Ad-Aware SE and Spybot S&D. Remove all objects found.
Open Killbox once again. Follow the same procedure as previously performed. Use the same file name.
Reboot into normal mode.
Run ActiveScan and one of the other online scans:
ActiveScan
BitDefender
HouseCall
Save the results of ActiveScan and post them here with a new HijackThis log.
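The reply above picks out the hijack indicators by eye: the extra program on the system.ini Shell= line, the search-provider keys pointing at an unfamiliar domain, the missing URLSearchHook, Run keys with decoy labels or random executable names, and a service with no identifiable owner. The script below is an added example (not code from this thread or from HijackThis) that applies those same triage heuristics to a few lines copied from the posted log. The TRUSTED_HOSTS and KNOWN_GOOD_EXES allowlists and the section parsing rules are assumptions made for this example; a real helper consults a maintained startup/service database instead of a hand-written set.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [arqpnza] c:\windows\system32\nabzoa.exe r
O23 - Service: DefWatch - Symantec Corporation - C:\Programas\NavNT\defwatch.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Rui\DEFINI~1\Temp\hpdj.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Assumed allowlists, constructed for this example only.
TRUSTED_HOSTS = {"www.sapo.pt", "www.google.com", "www.msn.com"}
KNOWN_GOOD_EXES = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe", "defwatch.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
O4_RE = re.compile(r"\[(?P<label>[^\]]*)\]\s*\"?(?P<path>[^\"]+?\.exe)", re.IGNORECASE)
O23_RE = re.compile(r"Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_entries(text):
    """Return (section, body) for every HijackThis entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section, body):
    """Return a short reason if the entry trips one of the triage heuristics, else None."""
    if section == "F2" and "Shell=" in body:
        # system.ini Shell= should be Explorer.exe alone; anything after it starts with the desktop.
        value = body.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return "extra shell executable: " + value
    if section in ("R0", "R1"):
        m = URL_RE.search(body)
        if m and m.group(1).lower() not in TRUSTED_HOSTS:
            return "browser setting points at untrusted host " + m.group(1)
    if section == "R3" and "missing" in body:
        return "default URLSearchHook removed"
    if section == "O4":
        m = O4_RE.search(body)
        if m:
            exe = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if re.fullmatch(r"system service\d+", m.group("label").lower()):
                return "decoy run-key label '%s' for %s" % (m.group("label"), exe)
            if exe not in KNOWN_GOOD_EXES:
                return "run-key executable not on known-good list: " + exe
    if section == "O23":
        m = O23_RE.search(body)
        if m and m.group("owner") == "Unknown owner":
            if "(file missing)" in m.group("path"):
                return None  # orphaned service entry; the binary is already gone
            return "unknown-owner service " + m.group("path")
    return None


def triage(text):
    """Return [(section, reason, body)] for every flagged entry, in log order."""
    hits = []
    for section, body in parse_entries(text):
        reason = flag_entry(section, body)
        if reason:
            hits.append((section, reason, body))
    return hits


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, body))
```

Run against the sample it flags exactly the six entries the reply tells the poster to fix from those lines (the search-page hijack, the missing URLSearchHook, the Shell= addition, the two suspicious Run keys, and the SvcProc service) while leaving the Intel tray utility, the Symantec service, and the dead hpdj service entry alone. The allowlist approach is the point: a helper decides what is known-good, and everything else gets looked at, rather than trying to enumerate every possible bad name.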