Ryan Posted November 10, 2007 ID:9826 Share Posted November 10, 2007 (edited) I started noticing a week or so ago that when I clicked on links that normal work I would receive a "page cannot be loaded, firefox can't open www.apmebf.com" then there's one something like www. xzyrl?? I can't remember exactly. Anyway, I read in another post someone else had this problem. Also, a page keeps opening with no reason called WinButler. So, I'm in safemode right now, and heres' my copy of the hijackthis log. Any help will be much appreciated. Thanks, Ryan Edited November 10, 2007 by JeanInMontana To remove partial HJT log Link to post Share on other sites More sharing options...
JeanInMontana Posted November 10, 2007 ID:9837 Share Posted November 10, 2007 Hi there Ryan, and welcome to Malwarebytes. I removed the partial HJT log you posted. The log was missing vital components, please be sure to copy and past the entire log into your replies.If you haven't already, please get these programs, update and run a complete scan removing all items found.Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.AVG AntiSpyware Be sure to "take action"Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. Link to post Share on other sites More sharing options...
Ryan Posted November 11, 2007 Author ID:9850 Share Posted November 11, 2007 Hi Jean, thanks for the welcome and the help. I'm not sure if what's happened with the logs, or lack of them, is going to be much help to you though. So far the main problem with my comp has been not being able to use the links that I know are good. The popups aren't bad, yet anyway. I have the Spybot S&D and keep it up to date, I've got the log and did the immunization like you said. I also use AVG Antispyware and I've ran it twice since I read your post and it's not giving me a log, just saying 'Scan complete, no problems found' I've tried to run Panda three times( doing everything you said in the tutorial) the scan goes along fine until it just shuts down the browser ( I use Firefox normally but use the IE tab when needed, like with the scan) about 10-15 minutes into the scan without warning, just gone. So, it looks like all I have is the HJT log, except for the S&D one. I'm sorry, I have tried for more. I did delete the WinButler on my HJT from yesterday when I saw the post from someone else here about Winbutler and thought I'd be able to do it myself, not realizing that the logs would be that different. What a difference a day can make! Again, thank you for helping, I sure appreciate it. RyanLogfile of Trend Micro HijackThis v2.0.2Scan saved at 6:31:32 PM, on 11/10/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\ClocX\ClocX.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Glary Utilities\memdefrag.exeC:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exeC:\Program Files\SpyCatcher\Protector.exeC:\Program Files\SpyCatcher\Scheduler daemon.exeC:\PROGRA~1\INCRED~1\bin\ImApp.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -offO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /MinimizedO4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htmO8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htmO8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htmO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO20 - AppInit_DLLs: secuload.dllO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe--End of file - 7946 bytesThis is all there is, hope it's enough. Link to post Share on other sites More sharing options...
JeanInMontana Posted November 12, 2007 ID:9890 Share Posted November 12, 2007 Use IE for Panda, not Firefox. Make sure it is in your trusted zones and allow the active x install.Run HJT again and put a check next to this item and click fix.O20 - AppInit_DLLs: secuload.dll1. Download this file :http://www.techsupportforum.com/sectools/combofix.exe2. Double click combofix.exe & follow the prompts.3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall Link to post Share on other sites More sharing options...
Ryan Posted November 13, 2007 Author ID:9910 Share Posted November 13, 2007 I found where Winbutler came from, it was in bitcomet back up? Don't know how that happen, I've tried shredding it but it's stillt here. Also, tried to delete the 020. you said with HJT but it's still there too. Here's the logs for HJT and Combofix. Thanks again.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:42:32 PM, on 11/12/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\ClocX\ClocX.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Glary Utilities\memdefrag.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\INCRED~1\bin\ImApp.exeC:\Program Files\SpyCatcher\Scheduler daemon.exeC:\Program Files\Pando Networks\Pando\pando.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wuauclt.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -offO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscanO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htmO8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htmO8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htmO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO20 - AppInit_DLLs: secuload.dllO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe--End of file - 9004 bytes Link to post Share on other sites More sharing options...
Ryan Posted November 13, 2007 Author ID:9911 Share Posted November 13, 2007 Here's the combofix log. Sure hope they help you.ComboFix 07-11-08.1 - Kat 2007-11-12 23:25:13.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.114 [GMT -6:00]Running from: C:\Documents and Settings\Kat\My Documents\downloaded\ComboFix(3).exe * Created a new restore point.((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 ))))))))))))))))))))))))))))))).2007-11-12 22:41 51,200 --a------ C:\WINDOWS\NirCmd.exe2007-11-12 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft2007-11-12 20:31 <DIR> d-------- C:\Program Files\Common Files\supportsoft2007-11-12 20:31 <DIR> d-------- C:\Program Files\Comcast2007-11-12 08:36 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll2007-11-12 08:36 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat2007-11-12 08:36 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll2007-11-12 08:36 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll2007-11-12 08:36 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll2007-11-12 08:36 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll2007-11-12 08:36 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll2007-11-12 08:36 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe2007-11-12 08:30 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll2007-11-12 04:34 <DIR> d-------- C:\Program Files\Dell2007-11-12 04:34 53,248 --a------ C:\WINDOWS\system32\DellSys.dll2007-11-12 04:34 17,153 --a------ C:\WINDOWS\system32\drivers\omci.sys2007-11-12 03:33 <DIR> d-------- C:\Program Files\Intel Corporation2007-11-12 03:02 <DIR> d-------- C:\Program Files\Security Task Manager2007-11-12 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan2007-11-11 19:30 <DIR> d-------- C:\WINDOWS\Sun2007-11-10 13:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan2007-11-09 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm2007-11-09 22:58 <DIR> d-------- C:\Program Files\Siber Systems2007-11-09 03:24 <DIR> d-------- C:\Program Files\Trend Micro2007-11-04 20:16 <DIR> d-------- C:\Documents and Settings\Kat\Application Data\Move Networks2007-11-02 13:12 152,064 --a------ C:\WINDOWS\snap.dat2007-11-02 13:01 <DIR> d-------- C:\WINDOWS\Setup2K2007-11-02 13:01 119,798 --a------ C:\WINDOWS\system32\drivers\spca561.sys2007-11-02 13:01 118,784 --a------ C:\WINDOWS\ShowBmp.exe2007-11-02 13:01 53,248 --a------ C:\WINDOWS\ap561.exe2007-10-23 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2007-10-21 20:00 <DIR> d-------- C:\Program Files\ClocX2007-10-21 11:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP2007-10-21 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools2007-10-20 23:33 <DIR> d-------- C:\WINDOWS\pss2007-10-20 22:28 <DIR> d-------- C:\Documents and Settings\Kat\Application Data\Uniblue2007-10-20 22:17 <DIR> d-------- C:\Downloads2007-10-20 22:17 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll2007-10-19 12:10 <DIR> d-------- C:\Documents and Settings\Kat\Application Data\Grisoft2007-10-19 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft2007-10-19 12:09 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys2007-10-18 22:26 <DIR> d-------- C:\Documents and Settings\Kat\Application Data\Jasc2007-10-18 18:28 <DIR> d-------- C:\Program Files\Common Files\Desktop Weather Authority2007-10-18 18:28 61,440 --a------ C:\WINDOWS\wnUninstall.exe2007-10-18 16:46 <DIR> d-------- C:\Program Files\Apple Software Update2007-10-18 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple2007-10-17 23:29 <DIR> d-------- C:\Documents and Settings\Kat\Application Data\Lavasoft2007-10-17 22:57 <DIR> d-------- C:\Program Files\BitComet2007-10-15 16:25 <DIR> d-------- C:\Program Files\Java2007-10-15 16:24 <DIR> d-------- C:\Program Files\Common Files\Java2007-10-13 17:36 <DIR> d-------- C:\Program Files\BearShare2007-10-13 17:36 <DIR> d-------- C:\My Downloads2007-10-13 16:38 <DIR> d-------- C:\Program Files\Windows Media Connect 22007-10-13 16:36 <DIR> d-------- C:\WINDOWS\system32\drivers\umdf2007-10-13 16:31 <DIR> d-------- C:\Program Files\BearShare Applications.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2007-11-12 10:34 --------- d--h--w C:\Program Files\InstallShield Installation Information2007-11-11 23:42 --------- d-----w C:\Documents and Settings\Kat\Application Data\GlarySoft2007-11-11 00:00 --------- d-----w C:\Program Files\SpyCatcher2007-11-10 23:55 --------- d-----w C:\Program Files\Glary Utilities2007-11-08 21:30 10 ----a-w C:\Program Files\.autoreg2007-11-07 03:56 --------- d-----w C:\Program Files\SpywareBlaster2007-10-23 21:19 --------- d-----w C:\Program Files\IncrediMail2007-10-22 19:08 --------- d-----w C:\Program Files\Corel2007-10-22 18:46 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys2007-10-22 02:13 --------- d-----w C:\Program Files\STOPzilla!2007-10-22 02:13 --------- d-----w C:\Program Files\Say the Time2007-10-22 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!2007-10-10 21:27 --------- d-----w C:\Program Files\Common Files\xing shared2007-10-10 21:27 --------- d-----w C:\Program Files\Common Files\Real2007-10-10 21:26 --------- d-----w C:\Program Files\Real2007-10-10 06:13 --------- d-----w C:\Program Files\Essentials Codec Pack2007-10-09 21:16 --------- d-----w C:\Program Files\Veo Digital Studio2007-10-09 21:15 --------- d-----w C:\Program Files\Veo Stingray2007-10-09 03:16 --------- d-----w C:\Program Files\FxFoto2007-10-08 04:05 --------- d-----w C:\Documents and Settings\Kat\Application Data\FxFotoDB2007-10-08 01:11 --------- d-----w C:\Program Files\7-Zip2007-10-07 20:02 --------- d-----w C:\Program Files\Qnext2007-10-06 17:51 --------- d-----w C:\Documents and Settings\Kat\Application Data\Apple Computer2007-10-03 16:47 --------- d-----w C:\Documents and Settings\Kat\Application Data\Corel2007-10-03 16:42 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys2007-10-03 05:15 --------- d-----w C:\Program Files\QuickTime2007-10-03 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer2007-10-01 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel2007-09-30 04:56 --------- d-----w C:\Program Files\Intel2007-09-30 04:22 --------- d-----w C:\Documents and Settings\Kat\Application Data\Yahoo!2007-09-28 17:33 --------- d-----w C:\Program Files\3Com2007-09-28 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix2007-09-28 14:31 --------- d-----w C:\Program Files\Common Files\InstallShield2007-09-27 09:59 --------- d-----w C:\Program Files\AusLogics Registry Defrag2007-09-27 04:19 --------- d-----w C:\Program Files\TechSmith2007-09-27 04:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard2007-09-27 00:51 --------- d-----w C:\Program Files\Jasc Software Inc2007-09-26 23:56 --------- d-----w C:\Program Files\Common Files\Jasc Software Inc2007-09-26 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield2007-09-26 23:55 --------- d-----w C:\Documents and Settings\Kat\Application Data\Jasc Software Inc2007-09-26 18:05 --------- d-----w C:\Program Files\Pando Networks2007-09-26 16:44 --------- d-----w C:\Program Files\ASTRA322007-09-25 03:15 --------- d-----w C:\Documents and Settings\Kat\Application Data\Tenebril2007-09-22 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion2007-09-22 03:53 --------- d-----w C:\Program Files\Yahoo!2007-09-22 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!2007-09-22 03:20 --------- d-----w C:\Program Files\Analog Devices2007-09-22 02:07 --------- d-----w C:\Program Files\Common Files\iS32007-09-22 01:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft2007-09-22 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tenebril2007-09-22 00:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Tenebril2007-09-21 23:30 --------- d-----w C:\Program Files\Alwil Software2007-09-21 23:02 --------- d-----w C:\Program Files\microsoft frontpage2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll2007-08-14 00:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll2007-08-14 00:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll2007-08-14 00:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll2007-08-14 00:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll2007-08-14 00:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll2007-08-14 00:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll2007-08-14 00:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll2007-08-14 00:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe2007-08-14 00:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-07-09 08:56]"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 06:59]"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 06:59]"1A:Stardock TrayMonitor"="" []"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 10:44]"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]"TCASUTIEXE"="TCAUDIAG -off" []"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-13 08:12]"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21]"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 15:43]"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]"Glary Memory Optimizer"="C:\Program Files\Glary Utilities\memdefrag.exe" [2007-10-09 08:07]"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [2007-11-09 03:24]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]"1A:Stardock TrayMonitor"=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-09-21 18:09:45]C:\Documents and Settings\Kat\Start Menu\Programs\Startup\Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-09-21 18:09:45][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=secuload.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"Notification Packages"= :\WINDOWS\syste[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Weather Authority.lnk]backup=C:\WINDOWS\pss\Desktop Weather Authority.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 7.lnk]backup=C:\WINDOWS\pss\SnagIt 7.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]"C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;\??\C:\Program Files\ASTRA32\ASTRA32.sysR2 tcaicchg;tcaicchg;\??\C:\WINDOWS\System32\tcaicchg.sysR2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sysS3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys*Newly Created Service* - CATCHME.Contents of the 'Scheduled Tasks' folder"2007-11-08 04:02:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe"2007-11-12 11:22:48 C:\WINDOWS\Tasks\glaryoneclickoptimizer.job"- C:\Program Files\Glary Utilities\oneclickoptimizer.exe"2007-11-12 12:08:08 C:\WINDOWS\Tasks\glaryupdate.job"- C:\Program Files\Glary Utilities\webupdate.exe"2007-11-10 05:27:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe"2007-10-21 04:27:55 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe.**************************************************************************catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2007-11-12 23:31:44Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.Completion time: 2007-11-12 23:33:48. --- E O F --- Link to post Share on other sites More sharing options...
JeanInMontana Posted November 13, 2007 ID:9933 Share Posted November 13, 2007 Did you put a check next to the item in HJT and click fix? It's still in your log. I would like you to run the Panda scan with IE and post that log too please. Link to post Share on other sites More sharing options...
Ryan Posted November 14, 2007 Author ID:9956 Share Posted November 14, 2007 Hi, I've put the check next to O20 - AppInit_DLLs: secuload.dll repeatedly and it puts it in backup and when I run the scan right afterwards it back again. I've found the WinButler in backup also along with the Bitcomet program it was installed with. I've shredded them repeatedly to but there they are again, in backup. Atleast the only thing that keeps reappearing in the scan log is the 020 one. I've also tried the Panda scan 5 different times, 4 with IE, turning off my virus and spyware protection, but it will not scan longer than about 15 minutes then closes. I am at a loss here but please don't give up on me,ok? Thanks, Ryan Link to post Share on other sites More sharing options...
JeanInMontana Posted November 14, 2007 ID:9968 Share Posted November 14, 2007 Hi Ryan, I am not giving up. That's against policy. You gave me good information most likely by accident. Uninstall BitComet ASAP. Using P2P is very risky and most of the time not legal.Now let's try this. Be sure you have uninstalled BitComet and deleted all files associated with it.Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix. Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe * Double-click SmitfraudFix.exe * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Double-click SmitfraudFix.exe * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt * Optional: o To restore Trusted and Restricted site zone, select 3 and hit Enter. o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Post back the log from Smitfraud and a new HJT. Link to post Share on other sites More sharing options...
Ryan Posted November 15, 2007 Author ID:9990 Share Posted November 15, 2007 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~PART THREE Link to post Share on other sites More sharing options...
Ryan Posted November 15, 2007 Author ID:9991 Share Posted November 15, 2007 And finally! The HJT log. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:42:39 AM, on 11/16/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\ClocX\ClocX.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Glary Utilities\memdefrag.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exeC:\Program Files\Pando Networks\Pando\Pando.exeC:\Program Files\SpyCatcher\Scheduler daemon.exeC:\PROGRA~1\INCRED~1\bin\ImApp.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -offO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscanO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /MinimizedO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O20 - AppInit_DLLs: secuload.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe--End of file - 6939 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted November 16, 2007 ID:10024 Share Posted November 16, 2007 Yes these machines can do strange things to us. This is a stubborn one for every one. Let's do this. Get the program below and paste this file name into it C:\WINDOWS\system32\secuload.dllAuthor: Option^Explicit Download LocationLicense: Freeware KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exeOperating System: WindowsFile Description:Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.Usage Information:Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.Post a new log and give me feedback on how your system is running...have a good lunch, you need your strength. Link to post Share on other sites More sharing options...
Ryan Posted November 17, 2007 Author ID:10039 Share Posted November 17, 2007 Hi again, Jean, I've decided in case of nuclear blast climb under this file! Here's the log, wish I had better news.... Just tell me this thing is curable? It's going to take a serious steak dinner and all I can eat salad buffet to get through this one, isn't it? Thanks again for your patience, Ryan Pocket Killbox version 2.0.0.881Running on Windows XP as Kat(Administrator)was started @ Saturday, November 17, 2007, 4:40 PM# 1 [Files to Delete]Path = C:\WINDOWS\system32\secuload.dll*This File could not be Deleted# 2 [Files to Delete]Path = C:\WINDOWS\system32\secuload.dll*This File could not be DeletedKillbox Closed(Exit) @ 4:43:19 PM__________________________________________________ Link to post Share on other sites More sharing options...
JeanInMontana Posted November 17, 2007 ID:10055 Share Posted November 17, 2007 I think we both may need that steak & salad. I don't recall off hand Killbox failing if the file actually existed. Can you navigate to the file a delete manually? Make sure the system is set to show hidden files and folder.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.I will seek advice from smarter people also. Link to post Share on other sites More sharing options...
Ryan Posted November 18, 2007 Author ID:10104 Share Posted November 18, 2007 Hi Jean, I think I've finally got some good news! You know how Killbox said it couldn't kill the secuload.dll ? I went in and opened the Killbox file and found two things in it about secuload.dll. When I checked properties I found it belonged to my Spycatcher, said it was Tenebril.inc security loader, a module required by Spycatcher. I've uninstalled Spycatcher and then ran HJT in safe mode and it's finally gone. I'll post the log below. But, I checked processes in Task manager and found something called SYSENF~1.EXE. When I googled it it came back as a bad thing to have happening and what I read said to end process immediatly. Then I went in an found the file, and wiped it with Galaxy Utilities which is in my right click menu. It still left 3 things so wiped them individually. Then went in to safemode and tried to run Smitfraudfix but it stopped after I clicked y for clean reg. I waited about 5 minutes then had to do a hard shutdown. One thing it did show was something called, said it was being used somewhere. I wasn't able to get a log on it.C:\Docum~1\Kat\locals~1\temp\Perflip_Perfdata_978.dat I have no idea what this is, but with the ~ and 1 I'm wondering if it's related to the Sysenf~1.exe? Anyway, it looks like we've gotten an answer to why we couldn't fix or kill the dll thing now if you could help me figure out this other thing? Wish I knew of other words other than "thanks" as I've said it a hundred times already but...? So, THANK YOU for all the help and humor, you've made this pain in the bum a much easier thing to deal with. I hope you've had a nice peaceful weekend and so, till tomorrow..... Take good care, Ryan~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:03:16 PM, on 11/18/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: Safe modeRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Documents and Settings\Kat\My Documents\Hi Jack This all\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe--End of file - 5509 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted November 19, 2007 ID:10127 Share Posted November 19, 2007 Eeeek! You should never do what you did. You can destroy your system not knowing what is what. It does look like you got the malware but wow, what a risky way to go. Let's clean this line with HJT:O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsFor an excellent list of reliable free firewalls and antivirus programs see here . Link to post Share on other sites More sharing options...
Ryan Posted November 20, 2007 Author ID:10142 Share Posted November 20, 2007 Hi Jean, I will never be able to explain how the word EEEEK! can turn one's blood to ice in less than 2 seconds. But the word CLEAN can start one's heart again so it worked out well. lol I did the HJT cleaning of that line and ran it again and it's gone so that's all good, right? I'm going to list the security prgms I've got on my XP pro, ( fine time to tell you that, huh?) I thought I really had it going on but if I could get this many problems apparently I didn't. I can handle that I'm not so cool, well not as much as I thought I was, but I do need to know what to get rid of, what to keep and what really is the right stuff. If you happen to have a couple of minutes free? I'd sure appreciate your advice, I've learned to trust your opinion. Here's what I've got: Avast av Galary UtilitiesSpybot S&DAvg Anti Spyware 7.5SpycatcherSpywareBlasterIntel Processor ID Utility ( can't remember what this one is for?)AdAware 2007Security Task ManagerNow I've got Smitfraudfix and Regcure, gonna keep them around for just incase.With all this I've still gotten bugs, don't want to do that again! lol Take good care and I'll see ya tomorrow. Thanks again RyanLogfile of Trend Micro HijackThis v2.0.2Scan saved at 4:42:02 PM, on 11/19/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\ClocX\ClocX.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Glary Utilities\memdefrag.exeC:\Program Files\SpyCatcher\Protector.exeC:\Program Files\SpyCatcher\Scheduler daemon.exeC:\PROGRA~1\INCRED~1\bin\ImApp.exeC:\Documents and Settings\Kat\My Documents\Hi Jack This all\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O20 - AppInit_DLLs: secuload.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe--End of file - 6407 bytes Link to post Share on other sites More sharing options...
Ryan Posted November 20, 2007 Author ID:10149 Share Posted November 20, 2007 Hi Jean, I hate to have to bring this up but I'm still finding that I'm being redirected to sites that can't be found by links that I know are good. I was sent by the Intel® Processor ID utility back to their website but it couldn't be opened by Firefox or IE. It was 'www89.intel.com ' I did a search with google and got nothing, yahoo gave me one site: http://survey.netcraft.com/Reports/current...pers/intel.html It had it listed but when I clicked for info it said there wasn't any. I'm also still getting the www. apmebf.com redirect but "can't connect to site" which is the one that made me think I had problems to begin with about 3 weeks or so ago. What am I missing here? None of this has ever shown up on any of my protection or the scans we've be doing. Any ideas? My comp has just today started freezing up a lot too, never had that problem before. You're probably ready for me to run away from home and leave you alone, aren't you? Sorry to be such a pain. I surely owe you a big steak and salad bar dinner, hey, go ahead and order dessert too, you've earned it! Take care, RyanHere's the HJT log.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:23:11 AM, on 11/20/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\ClocX\ClocX.exeC:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Glary Utilities\memdefrag.exeC:\Program Files\SpyCatcher\Protector.exeC:\PROGRA~1\INCRED~1\bin\ImApp.exeC:\Program Files\SpyCatcher\Scheduler daemon.exeC:\PROGRA~1\MOZILL~1\FIREFOX.EXEC:\Documents and Settings\Kat\My Documents\Hi Jack This all\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O20 - AppInit_DLLs: secuload.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe--End of file - 6474 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted November 20, 2007 ID:10156 Share Posted November 20, 2007 OK, I know what your running for security, it all shows in your HJT log and the other things we have run. BUT RegCure is malware. EEEEKKKK !!!! Uninstall is ASAP. Get RogueRemover either a free trial of the pro version from the link in my signature or the free version from the downloads page on this site run a scan and remove everything it finds. Delete Combofix and Smitfraud from your system. Both are updated regularly and will be useless in a few days if not already. I don't see a firewall and that is crucial. The SP2 firewall is worthless.I see the bad file is back in your log. The 020 line Run RogueRemoverDo a Panda scan and post the results.Get a new Smitfraud, use the link previously, but not the one you have.Post that log and a new HJT. So that is 3 logs. Panda ....Smitfraud and HJT in that order please. Link to post Share on other sites More sharing options...
Ryan Posted November 23, 2007 Author ID:10249 Share Posted November 23, 2007 HI Jean, Hope you've had a good Thanksgiving? Who needs steak? lol I wanted to check back in and let you know I haven't ran away from home ( yet) but have had company in from out of town the last couple of days and it's been pretty hectic around here. I'll get on this in the morning and so, till then, lets sleep off the turkey. Ryan Link to post Share on other sites More sharing options...
Ryan Posted November 23, 2007 Author ID:10259 Share Posted November 23, 2007 Hello Jean, Hope you had a good day and had seconds on everything you like best, I know I did. Well, I've deleted everything you told me to and uninstalled others like Real Player, Quicktime, and Roboform. I think I'm going to get rid of Spycatcher too, it's never caught a thing anyway and it is the reason the 020 thing keeps showing up. I uninstalled in on the 18th and the scan shows it's not there but I reinstalled and there it is again. Properties said it was Spycatcher but I wanted to check for myself. I did install Zonealarm ( first day there were 515 alerts but it's way down now) a couple of nights ago for the firewall and am trying the trial version of the virus ware. I've got about 12 more days on it but doubt I'll keep the virus ware, I really like Avast. Jean, I've now tried over a dozen times, following your instructions from that page and using IE but I flat out can't get Panda to run for me or leave any kind of log, it just starts to run for a few minutes then closes all my windows and nothing else happens. I really have tried, turned off all the prgms that even might interfere with it and still nothing, I've never had a problem getting something to run like I have with this. RogueRemover said congratulations, it had found nothing there and here are the other two scans, both done in safemode just to be sure. It seems like there's something else but I'm too tired to think right now. No, think I've got it all, might be my typing as I'm too tired to see it. lol And on that note I'm going to get the logs in here and get to bed. Oh, you said EEEEKK!! again! lol Nite, Ryan~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:48:23 AM, on 11/23/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: Safe modeRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\explorer.exeC:\Documents and Settings\Kat\My Documents\Hi Jack This all\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exeO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cabO20 - AppInit_DLLs: secuload.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--End of file - 5899 bytes Link to post Share on other sites More sharing options...
Ryan Posted November 23, 2007 Author ID:10260 Share Posted November 23, 2007 Part 1 ( and hopefully only 1) of Smitfraud. NO it sent me back again, says it's too long so I'll split it up.SmitFraudFix v2.253Scan done at 4:42:35.14, Fri 11/23/2007Run from C:\Documents and Settings\Kat\My Documents\downloaded\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode Link to post Share on other sites More sharing options...
Ryan Posted November 23, 2007 Author ID:10262 Share Posted November 23, 2007 Part 3, NIGHT JEAN!!!! NO, GUESS IT'S GOOD MORNING. Link to post Share on other sites More sharing options...
JeanInMontana Posted November 23, 2007 ID:10280 Share Posted November 23, 2007 I didn't have any seconds...didn't make it out of the house. Anyway, the HJT log should always be run after any other scans. It give me information on whether the scan has removed the malware. I edited out the Smitfraud, because it is showing your entire hosts file and I don't need to see that. So what I need now is a HJT log ran after the Smitfraud. You don't need to run Smitfraud again just give me a HJT log please. Link to post Share on other sites More sharing options...
Ryan Posted November 24, 2007 Author ID:10298 Share Posted November 24, 2007 HI Jean, I've finally got some good news! I was able to get Panda to scan, I don't know how as I did the same thing I've tried before except I used the IE tab for FF instead of opening a new IE window and trying it, BUT it worked so I'm posting it and then the new HJT scan. We went to my sister's for dinner yesterday but she sent home lots of leftovers, come on over I'm making you a sandwich soon as I'm done here,ok? I found a post where you guys where talking about add ons for FF, found a couple I'm gong to give a shot at, one at a time of course. Jean, thanks for all you do, for me and so many others. Talk with you tomorrow, RyanIncident Status Location Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@toplist[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Kat\My Documents\downloaded\SmitfraudFix\Process.exe Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Kat\My Documents\downloaded\SmitfraudFix\restart.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Virus:Trj/Rebooter.J Disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Potentially unwanted tool:Application/SuperFast Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:39:28 PM, on 11/23/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\ClocX\ClocX.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Glary Utilities\memdefrag.exeC:\PROGRA~1\INCRED~1\bin\ImApp.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exeC:\Documents and Settings\Kat\My Documents\Hi Jack This all\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=AP...&topic=5055R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dllO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silentO4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exeO4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminderO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /cO4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostartO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exeO4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exeO4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exeO8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htmO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190430738906O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cabO20 - AppInit_DLLs: secuload.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--End of file - 6329 bytes Link to post Share on other sites More sharing options...
Recommended Posts