Actually, I did a test again, and this time I think Trend deleted the files. I'm gonna scan my HD with Trend one more time just to make sure. Do you think it's worth it to run CWShredder anyway?
I ran Trend, and it didn't detect anything. Also, I ran CWShredder, and it also didn't detect anything. Just to keep you informed, I booted Internet Explorer, and it still has the "about:blank" homepage, all the bookmarks, and popups.
OK. Next we want to run Ad-aware SE. Reboot into Safe Mode. Double-click on Ad-aware SE to run it.
Look in the bottom right corner and click on Check for updates now link and download the latest reference files.
Next, we need to configure Ad-aware SE for a full scan. Some of them should be enabled by default, while others you will need to set yourself (see below).
Click on the Gear icon (second from the left) to access the preferences/settings window
1. In the General window make sure the following are selected:
--> Automatically save logfile
--> Automatically quarantine objects prior to removal
--> Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
--> Scan within archives
--> Scan active processes
--> Scan registry
--> Deep-scan registry
--> Scan my IE Favorites for banned URLs
--> Scan my Hosts file
· Under Select drives & folders to scan, choose:
--> Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
--> Include additional object information
--> Include negligible objects information
--> Include environment information
Click the Tweak button and select:
· Under the Scanning Engine:
--> Unload recognized processes & modules during scan
· Under the Cleaning Engine:
--> Let Windows remove files in use at next reboot
Click on Proceed to save the settings.
Click Start and on the next screen choose:
--> Use custom scanning options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish. Do NOT post this log file unless I ask. These files are usually very big and we won't need it in most cases.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next).
I did as you said, except I didn't update Ad-aware, only because I can't connect to the net through Safe Mode. I'll try it again soon. Nonetheless, Ad-aware still found and fixed a bunch of infected files. I'll do another scan sometime later. Also, I've been keeping track of the AVG infected-file messages, and there are MANY.
Files beginning with C:\WINDOWS\
-netty.exe
-cris32.exe
-mfczy.exe
-atlxh32.exe
That's ok then. You have the latest definitions.
Has AVG been running all this time we've been doing this stuff?
Since you have AVG on your machine already, go ahead and run it and see what it gets rid of (getting rid of as in it will quarantine it in the Virus Vault).
Keep track of and post anything these get rid of.
Post back.
No, just have it scan all drives. And check the settings to make sure that if it finds something it quarantines it in the Virus Vault.
Post back.
Whenever you need to quit (timewise), just let me know so I don't keep watching for your posts. I'll work as long as you want to. I usually stay up till 11:00-midnight. We are getting there though, it just takes time. You're doing good. Just stay with it.
Better yet, open AVG, then Test Center, and in the tabs at the top click Tests.
On the dropdown menu pick Complete test settings and set them like this.
Then run the test and post back with what it says after running.
I'd say, stop looking at 11:00, except on Friday. On Friday, you can stop about 8:00 pm. I have some work to do for the next hour, so don't expect any more posts tonight. I'll run AVG overnight, and you can expect to see a post tomorrow at about 5:30 or 6:00 pm.
By the way, thanks a lot for all of this. I really appreciate it.
OK, have a good night and don't worry. We'll get these buggers off your PC and get it set up so you don't get them anymore. I'll talk to you tomorrow.
And I'm glad to help.
We'll get it taken care of. No worries. Check my instructions up a post or two and make sure your AVG is set like that before you run it.
Post back when done.
AVG was configured as you said, and it didn't find anything. I guess it must have deleted all the malware before my PC was turned off earlier today.
By the way, I thought you should know: when I boot Windows, there is always a notice that Windows can't find C:\windows\system32\ipee.exe. There is another file it can't find, but I forgot to record it.
Also, even after AVG did the scan, it still pops up with a few messages of viruses whenever I turn on Internet Explorer.
There's one more thing. When I turn on my PC, a window from "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Windows.hta" opens, and displays nothing but a single square of text [the one when the PC can't display a certain text]. I believe that this is a file that Norton used to warn me about on every startup, and it would ask me what I want to do with the script. However, I haven't seen this notice recently.
OK, don't worry about it not finding the files for now. YOU SHOULD NOT BE STARTING IE UNTIL WE GET RID OF ALL THESE VIRUSES! I thought you told me you were using Firefox. Every time you open IE you're reinfecting your PC! Everything gets reloaded because IE has hijackers attached. Let's keep going and see what turns up. Don't open IE anymore until your PC is clean.
Next we want to Run Spybot Search & Destroy, and choose Spybot S&D - easy mode.
a. Close ALL windows & programs except Spybot S&D
b. Click the button to Search for Updates and download and install the updates.
c. Next click the button Check for Problems.
d. When Spybot is complete, it will be showing RED entries, BLACK entries, and GREEN entries in the window.
e. Put a check mark beside the RED entries ONLY.
f. Choose Fix Selected Problems and allow Spybot to fix the RED entries.
g. After removing those files, close Spybot and we'll go to the next step.
Post back.
Additional Information - Spybot S&D has a feature that can help block Internet Explorer immunities (these include installation of known spyware, bad ActiveX controls, etc.). Just go into Spybot->Immunize (on the left panel) and click on the Immunize button. Do this every time you update Spybot since it may also have updates for the Immunize feature.
Post back
I ran Spybot, and it deleted 3 files it found. I also "immunized" my system.
Sorry about Internet Explorer. I don't use it anymore; I just checked it to see if any of the tests I ran recently got rid of any of the symptoms of the malware. Knowing now that I can reinstall a lot of malware doing this, I won't open Internet Explorer anymore.
OK, now I want you to turn off all programs, boot to Safe Mode, and run CWShredder, Ad-aware, and Spybot Search & Destroy to make sure we get rid of any reinfections from IE. Then post back with Firefox.
Spybot and CWShredder didn't find anything, but Ad-aware found 17 problems [2 of them were real files; the rest of them were "scripts", or something like that].
OK, did it get rid of them? Or did it tell you it could not remove them? Just for my information.
Now we want to download and run HijackThis.
This is the latest version over @ short-media.com.
Then copy and post the log here.
Logfile of HijackThis v1.99.1
Scan saved at 10:13:44 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Good that it deleted them.
OK, I'm going to go through the hijack this log and determine what needs to be deleted.
If you go on the net in the meantime, don't use IE, only use Firefox. And don't go to any sites that you're not sure are safe. And don't download or install anything.
We're almost there, so be patient.
I'll post back tomorrow with results.
Ehhh, thnx prime, I was a little tired last night and didn't catch it.
Abe, run it again and post the full length of the logfile.
When you open HijackThis hit (Do a system scan and save a logfile) and it will open Notepad with the logfile in it. Hit the (Edit) button and on the dropdown list hit (Select All)....
Then after the field turns blue hit (Edit) again and hit copy....
Then paste it here... That way you're sure to get the whole thing.
Sorry. I don't know why I didn't copy the whole thing last time.
Logfile of HijackThis v1.99.1
Scan saved at 10:50:47 AM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Step 2
Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.
Step 3
Make sure your PC is configured to show hidden files.
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
Step 4
Reboot to Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Step 5
Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
Step 6
Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.
Step 7
Scan with Adaware and let it remove any bad files found.
Step 8
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
Step 9
Reboot to normal mode, scan again with Hijack This and post a new log here.
Thnx for checking the log file, prime. You da man! As I said when I PM'd you, my brain is shizznit after a 12 hr day. So I didn't want to try researching it and steer Abe in the wrong direction. And I'm working 10-12 hr days for the next 4-5 days. Gotta make that money while it's there.
Your assistance in this matter is greatly appreciated.
I'm off to take a nice hot soak in the bubble bath now! Thnx again friend.
Yeh, thanks a lot, prime. I don't want to start such a complicated process right now, since I have to work and get to sleep early tonight, but I intend to do it tomorrow as soon as I can. I will post back soon [as well as post a new log file].
Comments
Then we can go on to CW Shredder.
Reboot your computer.
Then post back.
Files beginning in C:\WINDOWS\SYSTEM32\
-d3lc32.exe
-addsv.exe
-addsv.exe
-d3do32.exe
-javafh32.exe
-mfcev32.exe
-apinb32.exe
Also, since I have the about:blank homepage, would you recommend a program to get rid of it, considering it is a common problem?
Here's the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 10:13:44 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\Stuff\Utilities\Avast\aswUpdSv.exe
C:\Stuff\Utilities\Avast\ashServ.exe
C:\Stuff\UTILIT~1\AVG\avgamsvr.exe
C:\Stuff\UTILIT~1\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Stuff\Utilities\CPUCooL\CooLSrv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Stuff\Multimedia and Misc\ITunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Stuff\UTILIT~1\AVG\avgcc.exe
C:\Stuff\UTILIT~1\Avast\ashDisp.exe
C:\stuff\games-loaded\demos\half life 2\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Stuff\Utilities\Avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Stuff\Utilities\Avast\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Stuff\Downloads\hijackthis_199\HijackThis.exe
Logfile of HijackThis v1.99.1
Scan saved at 10:50:47 AM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\Stuff\Utilities\Avast\aswUpdSv.exe
C:\Stuff\Utilities\Avast\ashServ.exe
C:\Stuff\UTILIT~1\AVG\avgamsvr.exe
C:\Stuff\UTILIT~1\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Stuff\Utilities\CPUCooL\CooLSrv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Stuff\Multimedia and Misc\ITunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Stuff\UTILIT~1\AVG\avgcc.exe
C:\Stuff\UTILIT~1\Avast\ashDisp.exe
C:\stuff\games-loaded\demos\half life 2\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Stuff\Utilities\Avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Stuff\Utilities\Avast\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Stuff\Multimedia and Misc\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Stuff\Downloads\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00E97FF9-C2D5-30AF-2580-1DF6C99280CB} - C:\WINDOWS\system32\ipza.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Stuff\Multimedia and Misc\ITunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ipod32.exe] C:\WINDOWS\ipod32.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Stuff\UTILIT~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\Stuff\UTILIT~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Steam] "c:\stuff\games-loaded\demos\half life 2\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Windows.hta
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Stuff\Multimedia and Misc\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Stuff\Utilities\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Stuff\Utilities\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Stuff\Utilities\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Stuff\Utilities\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Stuff\UTILIT~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Stuff\UTILIT~1\AVG\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Stuff\Utilities\CPUCooL\CooLSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Groove Games Licensing Service - Groove Games - C:\Program Files\Common Files\Groove Games Shared\Service\ggameslicsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
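The review prime did by hand on this log, written out as an added example (this is not code from the thread or from HijackThis itself): a small Python triage that parses HijackThis 1.99 entries, flags the about:blank/CWS pattern as "hijack" (R0/R1 pages served from a res:// resource in a DLL under system32, a BHO whose DLL is gone, an .hta in Global Startup), marks entries that only need a human look as "review" (the blanked start page, the missing URLSearchHook, autorun executables sitting in the Windows root, a dead per-user IE button), and derives the list of files to delete in Safe Mode. SAMPLE_LOG is constructed from lines of the log above plus a few benign entries for contrast; the location of the "Global Startup" folder and the severity labels are this example's assumptions.

```python
"""Triage a HijackThis 1.99 log for the CWS "about:blank" hijack pattern.
Added example, not code from the thread or from HijackThis: it mirrors the manual
review prime did on the posted log. SAMPLE_LOG is constructed from that log plus a
few benign entries for contrast."""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")  # "R1 - ...", "O2 - BHO: ..."
# IE start/search page pointing into an HTML resource inside a DLL under system32
# (res://C:\WINDOWS\system32\xxxx.dll/sp.html): the about:blank hijack signature.
RES_DLL_RE = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/]*?\\system32\\[^/\\]+\.dll)/", re.I)
# O2 tail "... - C:\path\name.dll (file missing)"
O2_MISSING_RE = re.compile(r" - (?P<path>[A-Za-z]:\\[^()]+?\.dll)\s*\(file missing\)", re.I)
# Autorun .exe sitting directly in the Windows root, where the AV hits in the thread lived.
WINROOT_EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe)"?', re.I)
# Assumed location of HJT's "Global Startup" folder (the all-users Startup group).
GLOBAL_STARTUP = r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup"


@dataclass(frozen=True)
class Finding:
    kind: str            # HJT section: R0, R1, R3, O2, O4, O9
    severity: str        # "hijack" = tick and fix; "review" = needs a human decision
    reason: str
    path: Optional[str]  # file to remove, when the line names one
    line: str


def parse_entries(log_text):
    """Yield (kind, body, line) per HJT entry; the header and process list do not match."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def triage(log_text) -> List[Finding]:
    """Return the entries a helper would tell the poster to tick and 'Fix checked'."""
    out = []
    for kind, body, line in parse_entries(log_text):
        if kind in ("R0", "R1"):
            m = RES_DLL_RE.search(body)
            if m:
                out.append(Finding(kind, "hijack", "IE page served from a DLL resource under system32", m.group("path"), line))
            elif body.endswith("=") or body.endswith("= about:blank"):
                out.append(Finding(kind, "review", "IE start page empty/about:blank (harmless alone; the symptom when res:// entries are present)", None, line))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            out.append(Finding(kind, "review", "default URLSearchHook removed, common after a search hijack", None, line))
        elif kind == "O2" and "(file missing)" in body:
            m = O2_MISSING_RE.search(body)
            out.append(Finding(kind, "hijack", "BHO registered for a DLL that is gone (remnant of a renamed/removed hijacker)", m.group("path") if m else None, line))
        elif kind == "O4":
            value = body.split(": ", 1)[1] if ": " in body else body
            if body.startswith("Global Startup:") and value.lower().endswith(".hta"):
                out.append(Finding(kind, "hijack", "HTML Application in the all-users Startup folder, run by mshta at logon", GLOBAL_STARTUP + "\\" + value, line))
            else:
                cmd = value.split("] ", 1)[1] if "] " in value else value  # drop the "[ValueName] " prefix
                m = WINROOT_EXE_RE.match(cmd)
                if m:
                    out.append(Finding(kind, "review", "autorun executable in the Windows root instead of a program folder", m.group("path"), line))
        elif kind == "O9" and "(file missing)" in body and "(HKCU)" in body:
            out.append(Finding(kind, "review", "per-user IE toolbar button whose target file is gone", None, line))
    return out


def files_to_delete(findings) -> List[str]:
    """Distinct on-disk paths from 'hijack' findings, in log order."""
    seen, paths = set(), []
    for f in findings:
        if f.severity == "hijack" and f.path and f.path not in seen:
            seen.add(f.path)
            paths.append(f.path)
    return paths


# Constructed sample: entries copied from the posted log plus benign ones (Acrobat, ccApp, dell4me).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00E97FF9-C2D5-30AF-2580-1DF6C99280CB} - C:\WINDOWS\system32\ipza.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ipod32.exe] C:\WINDOWS\ipod32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Microsoft Windows.hta
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.line}")
    print("Delete in Safe Mode:", *files_to_delete(found), sep="\n  ")
```

Run it and compare with prime's Step 5 below: the "hijack" items are the ones he had ticked, and the "review" items are the ones that needed judgement. Note that UpdReg.EXE and ipod32.exe both sit in the Windows root and the helper removed only the latter, so a path rule alone cannot separate them; that is why those land in "review" rather than in the delete list.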
Step 1
Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip
Unzip it to your desktop but don't run it yet.
Step 5
Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fqrfc.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00E97FF9-C2D5-30AF-2580-1DF6C99280CB} - C:\WINDOWS\system32\ipza.dll (file missing)
O4 - HKLM\..\Run: [ipod32.exe] C:\WINDOWS\ipod32.exe
O4 - Global Startup: Microsoft Windows.hta
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
and delete the following files if present (do not be concerned if some do not exist).
C:\WINDOWS\system32\fqrfc.dll
C:\WINDOWS\system32\ipza.dll
C:\WINDOWS\ipod32.exe
C:\WINDOWS\Microsoft Windows.hta
C:\WINDOWS\System32\Microsoft Windows.hta
C:\Program Files\Ebates_MoeMoneyMaker\ (the entire Ebates_ folder)
Step 10
Finally, do an online scan at one of the following sites. Let it remove any infected files found.
http://housecall.antivirus.com
or
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Post a fresh HijackThis log and the AboutBuster report back here please.