Having Problems with ClickSpring.PurityScan, oinadserver.com, Trojan Horse

  1. 10-01-2007  #1
    ambershell35
    ambershell35 is offline Junior Member

    Having Problems with ClickSpring.PurityScan, oinadserver.com, Trojan Horse

    I am having trouble with ClickSpring.PurityScan, Oinadserver.com, Trojan Horse Downloader Generic 2.muz, and Outerinfor popups. I have ran Windows defender and it picked up some and I told it to remove but it is still there. I have ran spybot search and destroy, lavasoft adaware, avg and I am still having problems. I have also ran each of these in safe mode.
    PLEASE HELP! Below is a copy of my hijack this log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:37:25 PM, on 1/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\W?nSxS\logonui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {FD12E48A-5E16-77EC-17D6-74F2B92040CA} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {03A89EFD-E023-7700-A22D-45F77558EB4C} (ILINCInstall77 Class) - https://lm-learnlinc-4.ilinc.com/download/ilinci77.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resourc...scbase2213.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfvi...iewerSetup.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common...INIBrowser.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ams-servicessupport.webex.co...rt/ieatgpc.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  3. 11-01-2007  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    1. Download combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply (logfile is located at C:\ComboFix.txt).


    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


    Please provide:

    - a fresh HijackThis log
    - combofix log
    - any currrent revised observations
  4. 11-01-2007  #3
    ambershell35
    ambershell35 is offline Junior Member
    I tried to download combofix and it never brought up a screen that I could download anything. It was a DOS black screen then blue and did nothing. I looked for C:combofix.txt and couldn't find anything to post. Am I doing it wrong? Need Help!
  5. 13-01-2007  #4
    VopThis
    VopThis is offline Senior Member (Canada)
    Looks like your having problems with downloads. You may need to get any required downloads from another PC.


    For now suggest you also try the following:

    Go to Start>Control Panel>Add/Remove Programs and look for PuritySCAN By OIN, OuterInfo, OIN or similar, click on it and click remove.

    If not listed, download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed

    Reboot when done and delete this folder if found:
    C:\Program Files\PurityScan
  6. 15-01-2007  #5
    ambershell35
    ambershell35 is offline Junior Member
    When I try to download and save to my desktop, then my windows defender kicks on and says to delete it and it won't let it install. I do not have any of those folders on my C drive or in add/remove programs.
  7. 16-01-2007  #6
    VopThis
    VopThis is offline Senior Member (Canada)
    my windows defender kicks on and says to delete it and it won't let it install.
    Disable 'windows defender' until you are cleaned up:

    Disable Windows Defender
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender


    Re-run combofix as requested.
  8. 17-01-2007  #7
    ambershell35
    ambershell35 is offline Junior Member
    Thanks, that worked. Below is the report you requested. What is next?


    "ShelleyR" - 07-01-17 8:54:44 Service Pack 2
    ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\ShelleyR\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    d:\command.com
    C:\Program Files\Ipwindows\ipwins.dll
    C:\Program Files\Ipwindows\ipwins.exe
    C:\WINDOWS\system32\cemetrix.dll
    C:\WINDOWS\system32\taskmgr.com
    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\REGEDIT.com
    C:\WINDOWS\Downloaded Program Files\webex
    C:\Program Files\Common Files\{3422D~1
    C:\Program Files\InetGet2
    C:\Program Files\Inetget2
    C:\Program Files\Ipwindows
    C:\Program Files\Outerinfo
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    Folders Quarantined:
    C:\qoobox\purity\Program Files\DOBE~1
    C:\qoobox\purity\Program Files\Common Files\WNSXS~1
    C:\qoobox\purity\Program Files\Common Files\WNSXS~1\logonui.exe
    C:\qoobox\purity\Program Files\DOBE~1\regedit.exe
    C:\qoobox\purity\Program Files\DOBE~1\?dobe


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-17 to 2007-01-17 ))))))))))))))))))))))))))))))))))


    2007-01-15 08:39 <DIR> d-------- C:\WINDOWS\LastGood
    2007-01-15 08:39 <DIR> d-------- C:\WINDOWS\ie7updates
    2007-01-10 15:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
    2007-01-10 15:00 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-01-10 14:59 <DIR> d-------- C:\DOCUME~1\ShelleyR\.housecall6.6
    2007-01-10 14:03 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
    2007-01-10 12:39 <DIR> d-------- C:\Program Files\STOPzilla!
    2007-01-10 12:39 <DIR> d-------- C:\Program Files\Common Files\iS3
    2007-01-10 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\ZILLAbar
    2007-01-10 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\STOPzilla!
    2007-01-10 10:35 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-01-09 21:21 57,344 --a------ C:\WINDOWS\system32\eihruw.dll
    2007-01-09 21:21 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
    2007-01-03 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trymedia
    2007-01-03 12:20 <DIR> d-------- C:\Program Files\ToGo Game
    2007-01-03 12:14 <DIR> d-------- C:\Program Files\Mystery Case Files - Ravenhearst
    2006-12-21 12:21 <DIR> d-------- C:\DOCUME~1\ShelleyR\Application Data\Canon


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))


    2007-01-17 08:34 -------- d-------- C:\Program Files\ams prime
    2007-01-10 15:20 -------- d-------- C:\Program Files\yahoo!
    2006-12-12 14:30 -------- d-------- C:\DOCUME~1\ShelleyR\Application Data\limewire
    2006-12-06 08:58 -------- d-------- C:\Program Files\windows defender
    2006-11-28 13:05 -------- d-------- C:\Program Files\mercury insurance
    2006-11-28 13:05 -------- d-------- C:\Program Files\Common Files\installshield
    2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-24 14:57 73216 --a------ C:\WINDOWS\st6unst.exe
    2006-10-24 14:57 249856 --------- C:\WINDOWS\setup1.exe
    2006-10-24 14:56 25187840 --a------ C:\American Modern Boat.exe
    2006-10-19 07:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
    2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
    2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc. exe /STARTUP"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runonce]
    "NetSP - restore database"="\"C:\\Program Files\\Ivans\\Transman\\NetSP.exe\" -show"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runonce\Setup]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader \\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EX E -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package Menu.lnk"
    "backup"="C:\\WINDOWS\\pss\\Picture Package Menu.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTU R~3\\SonyTray.exe "
    "item"="Picture Package Menu"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package VCD Maker.lnk"
    "backup"="C:\\WINDOWS\\pss\\Picture Package VCD Maker.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTU R~1\\RESIDE~1.EXE -h"
    "item"="Picture Package VCD Maker"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
    "backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli .exe -boot"
    "item"="SBC Self Support Tool"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ShelleyR^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path"="C:\\Documents and Settings\\ShelleyR\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
    "backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\LimeWire\\LimeWire.ex e -startup"
    "item"="LimeWire On Startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
    "item"="khost"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\kdx\\khost.exe -all"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
    "item"="WkUFind"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
    "item"="NEWDOT~2"
    "hkey"="HKLM"
    "command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
    "item"="YahooMessenger"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\cur rentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw. exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw. exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph ost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20070110-151717-519
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    backup-20070110-151713-947
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    backup-20070110-151713-229
    O2 - BHO: (no name) - {FD12E48A-5E16-77EC-17D6-74F2B92040CA} - C:\WINDOWS\system32\eihruw.dll
    backup-20070110-151713-558
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    backup-20060927-134319-823
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    backup-20060731-121819-139
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    backup-20060628-090059-399
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    backup-20060516-162816-510
    R3 - URLSearchHook: (no name) - <default> - (no file)
    backup-20060516-162816-685
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    backup-20060516-162816-468
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    backup-20060516-162816-457
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    backup-20060516-162816-290
    O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
    backup-20051227-092446-842
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    backup-20051227-092446-884
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
    backup-20051220-090449-305
    R3 - URLSearchHook: (no name) - <default> - (no file)
    backup-20051219-135821-432
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins008.exe
    backup-20051219-135821-832
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 07-01-17 8:59:05
  9. 20-01-2007  #8
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    Your stated issues may have been completely fixed by combofix. Let us know if you have any other or continuing issues that need to be addressed.



    Meanwhile, please run the following scan as a further check for issues:


    We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.




    Download and install AVG Anti-Spyware 7.5 (AVG AS - formally known as Ewido anti-spyware 4.0 - uninstall any previous version first).
    • Click the Download BUTTON. On the next page click the Download now BUTTON.
    • Save and then install (Run) from the save location.
    • Open/Run AVG Anti-Spyware
    • Wait a few moments and AVG Anti-Spyware should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:

    • Click on the Update now LINK at the top of the window
      • Click on the Start update button
      • Wait for the update to download and install
  10. This is very important to get the LATEST updates.
  11. Click on the Status ICON
    • Under "Your computers Security"
      Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
  12. Click on the Scanner ICON at the top of the window
  13. Click on the Settings tab then select Recommended Actions and choose Quarantine
  14. When updating has finished. Close AVG Anti-Spyware.



    15. We will be using this tool in a later step.




    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________


    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware , and run a full scan:
    • Click on the default Status ICON and select the Scan now LINK.

      OR

    • Click on the Scanner ICON . Select the Scan TAB.

      • Select Complete System Scan. AVG Anti-Spyware will now begin to scan your system.

    • If AVG Anti-Spyware finds anything it will list them in the Preview WINDOW:
      • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
      • Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).

    • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
    • Copy and paste the AVG Anti-Spyware scan results into your next post.
    • Close AVG Anti-Spyware.


    REBOOT and Post your latest HijackThis log. And, let us know how your PC is now behaving – any changes in behavior.
+ Reply to Thread
« help with norton anti virus | virus and antivirus problem..help!! »

Similar Threads