Old 07-03-2007   #1
Silver Member
 
Join Date: Feb 2007
Posts: 187
Default [Fixed] serious issues

Hi everyone, I am having issues I have never seen before. It all started about 2 weeks ago when I started getting pop-ups in Iexplorer. At that point I tried to do a system restore; however, whatever infected my PC deleted all of my restore points and disabled System Restore. I tried HijackThis, CWShredder, Ad-Aware, and Trend Micro online virus scan; they all said they cleaned everything. However, as of last night I have further issues: when I boot, there are times when explorer.exe does not initialize, so I would just manually start it through Task Manager. However, now when I try to start Task Manager it tells me it has been turned off by my administrator. On start-up sometimes explorer.exe does not initialize, so I have to re-boot; other times explorer.exe will initialize, however when my desktop loads I cannot access anything on my desktop or my start menu, and of course Ctrl-Alt-Del tells me Task Manager is disabled, so I can only reboot, and it does not let me into anything ever. I have gone into Safe Mode and from there I can still access Task Manager and everything else I need. I ran Ad-Aware in Safe Mode and it told me it removed all malware, greyware and viruses, but when I boot again in normal mode it still goes back to its same issues. Help, help, help. I am at work right now but will try to find a way to post a HijackThis log after work if possible.


Thanks,
Jody
Swizzleskin is offline   Reply With Quote
Old 07-03-2007   #2
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 8,304
PC Experience: Elite PC Guru
Default

Please read this.....

http://www.pchelpforum.com/hijackthi...a-prework.html
__________________
  • An Australian Member of
My real name is Eddy
Pancake is offline   Reply With Quote
Old 07-03-2007   #3
Silver Member
 
Join Date: Feb 2007
Posts: 187
Default here is my hjt log

Logfile of HijackThis v1.99.1
Scan saved at 5:24:45 PM, on 03/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = DRUDGE REPORT 2007®
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {335DB538-08BF-4CB6-9E85-002757D58844} - C:\WINDOWS\System32\buietxqd.dll
O2 - BHO: (no name) - {8AFF5B01-AA71-41C2-96B6-0B00BA04EFBE} - c:\windows\system32\qcmqrsan.dll
O2 - BHO: (no name) - {BB4F8A43-FBC3-44DE-BC72-41046C81C506} - C:\WINDOWS\System32\buietxqd.dll
O2 - BHO: (no name) - {D3461BCE-9D4D-42C9-BE29-35837F57F9B7} - c:\windows\system32\boecboe.dll
O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\system32\dmjkm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\nvhsharw.dll",setvm
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: cmdl32.dll
O20 - Winlogon Notify: dmjkm - C:\WINDOWS\SYSTEM32\dmjkm.dll
O20 - Winlogon Notify: jlgii - C:\WINDOWS\SYSTEM32\jlgii.dll
O20 - Winlogon Notify: wkunafnp - C:\WINDOWS\SYSTEM32\boecboe.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINDOWS\SYSTEM32\ws_3s32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Jolcoo32.dll (file missing)
O21 - SSODL: JtWWPczcl - {ECA19705-460B-3DAF-49A9-EC1ABFE6CE54} - C:\WINDOWS\system32\xpe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


I had some issues in following the directions in Pancake's post. When AVG finished there was no report; I ran it again and it only found 4 problems instead of 156, but still no report available to save (all settings were changed as per the directions). I can now boot in normal mode, but I am getting browser re-directs every time I click a link (monstermarketplace and the likes). Because I previously couldn't boot in normal mode I was unable to do the SUPERAntiSpyware program. Should I do it now that I can boot normally, and should I have done that before the HJT log?

Thanks
Swizz
Swizzleskin is offline   Reply With Quote
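As an added example (not from this thread or from HijackThis itself), the following Python script parses HijackThis log entries like the ones above into (section, body) records and flags the kinds of entries a log reviewer looks at first: "(file missing)" references, unnamed BHOs, O20 Winlogon Notify/AppInit_DLLs and O21 SSODL loaders, and services with an unknown owner or an empty file name. The sample input is a handful of lines copied from the log above plus one benign Symantec line; the review reasons are general triage heuristics, not a verdict on any specific entry.

```python
import re

# Constructed sample input for this added example: lines copied from the
# HijackThis log posted above, plus one benign O23 line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {335DB538-08BF-4CB6-9E85-002757D58844} - C:\WINDOWS\System32\buietxqd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cmdl32.dll
O20 - Winlogon Notify: jlgii - C:\WINDOWS\SYSTEM32\jlgii.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Jolcoo32.dll (file missing)
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# HijackThis entries look like "O4 - <body>"; header and process-list lines do not.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_entries(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_reasons(section, body):
    """Return the review reasons that apply to one entry (empty list = nothing notable)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("points at a file that no longer exists")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO with no name loads into Internet Explorer")
    if section == "O20":
        reasons.append("AppInit_DLLs / Winlogon Notify DLL is loaded into many processes")
    if section == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry runs at every logon")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher")
    if re.search(r"\\\.exe\b", body):  # path like C:\WINDOWS\System32\.exe
        reasons.append("service path has an empty file name")
    return reasons


def triage(text):
    """Return [(section, body, reasons)] for every entry with at least one reason."""
    flagged = []
    for section, body in parse_entries(text):
        reasons = flag_reasons(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
```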
Old 07-04-2007   #4
Silver Member
 
Join Date: Feb 2007
Posts: 187
Default HJT log

I have followed all directions to get me to this point. I have been getting pop-ups while using Internet Explorer 6.0, my computer re-boots for no apparent reason, and when I would boot to normal mode explorer.exe would not initialize. I was able to use Task Manager to start explorer.exe... until suddenly the system told me that "task manager has been disabled by your administrator". When I boot into normal mode I seem to be OK.
I have now run AVG. It will not leave me a report (or I don't understand where it is), but it found:
downloader.agent.uj,
6 cookies (.advertising .atdmt .fastclick .webtrends .tacoda .tribalfusion)
dropper.small.j
not-a-virus.exploit.js.ADODB.stream.ac
hijacker.small.cc

Then I ran SUPERAntiSpyware. I ran it once earlier in a failed attempt, and then a second time; the first failed try had over 100 errors, the second only has 42. Both files are attached.

Then I ran CCleaner and it removed all items it found.

Then I ran HJT and the log is attached.

Please let me know what to do next. Was I supposed to do anything with HJT, or just run it and show you the log?

I have a Pentium 4 2.60GHz with 1 GB of RAM, and I am running Windows XP. I have 2 drives, master "C" and slave "F".
I have not installed new software or hardware other than the ones in the prework requirement.
Thanks a million (that's a million times, not dollars...sorry)
Swizz

Last edited by Swizzleskin; 07-04-2007 at 01:22 AM.
Swizzleskin is offline   Reply With Quote
Old 07-04-2007   #5
Silver Member
 
Join Date: Feb 2007
Posts: 187
Default

Pancake, can you close this thread for me? I followed your directions in a new thread, done properly.

Swizz

<edit> merged threads - valis

Last edited by valis; 07-04-2007 at 01:19 AM.
Swizzleskin is offline   Reply With Quote
Old 07-04-2007   #6
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 8,304
PC Experience: Elite PC Guru
Default

Hi
You have a bit of a mess to sort out, so I want you to run both of these applications and post the logs back here....


Please download Combofix from here: http://download.bleepingcomputer.com/sUBs/combofix.exe
Or
http://www.techsupportforum.com/sect...s/ComboFix.exe
** Take note that the links are case sensitive

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

==============================

Download and scan with Ewido Anti-Spyware v4.0
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\ewido anti-spyware 4.0, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on ewido in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the Ewido Full database installer from here.

Once the updates are installed do the following:
1. Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\ewido anti-spyware 4.0\Reports\
6. Exit Ewido when done and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
__________________
  • An Australian Member of
My real name is Eddy
Pancake is offline   Reply With Quote
Old 07-05-2007   #7
Silver Member
 
Join Date: Feb 2007
Posts: 187
Default after your next instructions

I cannot seem to get Combofix to complete its scan. There is a log attached, but the program never seemed to have an end; I waited 55 minutes and finally closed the application. When I was doing Ewido it told me that it couldn't delete a file titled errorsafenewreleaseinstaller(1).cab because it was embedded in the archive of the above mentioned file; I chose to quarantine the whole folder.

Combofix, Ewido, and hjt logs are all attached.

Pop-ups and crashes are the theme of the day.

Thanks,
Swizz
Attached Files
File Type: txt combofixlog.txt (11.7 KB, 4 views)
File Type: txt Report-Scan-20070704-104522.txt (10.0 KB, 3 views)
File Type: log hijackthis.log (6.4 KB, 4 views)
Swizzleskin is offline   Reply With Quote