[slime]

Hi all, and happy new year.
I have been invaded by a virus I think.
Problem is I can't run any anti-virus, can't use Firefox & can't use Windows Update.
This computer is networked with three others and is the host, so re-booting can be a problem.
Also, whenever I click on links, nothing happens, I have to copy & paste.
Please help if possible, you've helped me before which is why I'm using this site.
It all started Tues 2nd Jan,
Slime.

P.S. This is my HJT log,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:12, on 02/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\diaries\lotus organiser 6\organize\easyclip6.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mark\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0737344F-6C02-4327-BCC5-C875D83CE9A1}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0737344F-6C02-4327-BCC5-C875D83CE9A1}: NameServer = 192.168.0.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 6779 bytes

If of any use : 24 hours later & the machine has slowed considerably.
It took 20 mins to open my progs this morning, it normally takes less than 2 mins!!!

In anticipation,
Slime.

Just updating as things change/happen.
4.15pm day two.
Getting warning messages generated by 'MalwareAlarm'.
" NOTICE : If your computer has been running slow it maybe infected by Viruses, Adware or Spyware. MalwareAlarm can perform FREE scan for malicious programs. Download MalwareAlarm for FREE now".
Options are O.K. or CANCEL. I hit the 'X' in top right corner.
Also get the following window popping up saying :
"MalwareAlarm online scanner found :
Backdoor : Win32/NTRoot
Backdoor : Win32/Sivuxa
Trojan.Caiijing "
Again, I hit the 'X' in top right corner.

I hope this helps those whom I hope will help me,
many thanks.
Slime.

[simon1990]

loooks like a nasty trojan virus mate, can you get hold of Xoftspy? great programme, run up in safe mode if posible and then try again.

let me know via PM.

[simon1990]

loooks like a nasty trojan virus mate, can you get hold of Xoftspy? great programme, run up in safe mode if posible and then try again.

let me know via PM.

sorry if this is no help bud, ive had a silmular problem.

but if this is your main pc then no hope in wiping the HDD

[slime]

Originally Posted by simon1990 loooks like a nasty trojan virus mate.

Hi simon1990.
Did you come to this conclusion from reading the post, or from the HJT log?
Have you experienced the same symptoms yourself?
Thanks for your concern,
Slime.

[evilfantasy]

Originally Posted by simon1990 loooks like a nasty trojan virus mate, can you get hold of Xoftspy? great programme, run up in safe mode if posible and then try again. let me know via PM.

Simon stop recommending Xoftspy to everyone.


We have a regular set of removal instructions located HERE

I will check out the log and be back with instructions shortly.

[evilfantasy]

I don't see the MalwareAlarm.exe in the HijackThis log or any other malware.

Go HERE and run the SUPERAntiSpyware scan and post that log please.

[slime]

Hi evilfantasy,
thanks for your time.
Have done as requested & here is the log,

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/08/2008 at 12:34 PM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Complete Scan
Total Scan Time : 00:33:49
Memory items scanned : 400
Memory threats detected : 1
Registry items scanned : 6302
Registry threats detected : 12
File items scanned : 23314
File threats detected : 60
Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\GEEBX.DLL
C:\WINDOWS\SYSTEM32\GEEBX.DLL
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQPMN.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{E5DA7937-02E3-4CBF-B0F5-9B3B5D803E4F}
HKCR\CLSID\{E5DA7937-02E3-4CBF-B0F5-9B3B5D803E4F}
HKCR\CLSID\{E5DA7937-02E3-4CBF-B0F5-9B3B5D803E4F}\InprocServer32
HKCR\CLSID\{E5DA7937-02E3-4CBF-B0F5-9B3B5D803E4F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{E5DA7937-02E3-4CBF-B0F5-9B3B5D803E4F}
Adware.Tracking Cookie
C:\Documents and Settings\Mark\Cookies\mark@83.142.230[2].txt
C:\Documents and Settings\Mark\Cookies\mark@a.www.gametracker[2].txt
C:\Documents and Settings\Mark\Cookies\mark@www.gamestracker[2].txt
C:\Documents and Settings\Mark\Cookies\mark@image.masterstats[1].txt
C:\Documents and Settings\Mark\Cookies\mark@burstnet[2].txt
C:\Documents and Settings\Mark\Cookies\mark@doubleclick[2].txt
C:\Documents and Settings\Mark\Cookies\mark@a[2].txt
C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[1].txt
C:\Documents and Settings\Mark\Cookies\mark@gametracker[2].txt
C:\Documents and Settings\Mark\Cookies\mark@bizadverts[3].txt
C:\Documents and Settings\Mark\Cookies\mark@xiti[1].txt
C:\Documents and Settings\Mark\Cookies\mark@cgi-bin[1].txt
C:\Documents and Settings\Mark\Cookies\mark@mediaplex[2].txt
C:\Documents and Settings\Mark\Cookies\mark@search[1].txt
C:\Documents and Settings\Mark\Cookies\mark@blowtorch[1].txt
C:\Documents and Settings\Mark\Cookies\mark@top_players[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ehg-bbcworldwide.hitbox[1].txt
C:\Documents and Settings\Mark\Cookies\mark@www.sussexcarz[2].txt
C:\Documents and Settings\Mark\Cookies\mark@www.burstnet[1].txt
C:\Documents and Settings\Mark\Cookies\mark@hitbox[3].txt
C:\Documents and Settings\Mark\Cookies\mark@atdmt[2].txt
C:\Documents and Settings\Mark\Cookies\mark@sussexcarz[1].txt
C:\Documents and Settings\Mark\Cookies\mark@112.2o7[1].txt
C:\Documents and Settings\Mark\Cookies\mark@122.2o7[2].txt
C:\Documents and Settings\Mark\Cookies\mark@2o7[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ad.yieldmanager[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ad1.emediate[1].txt
C:\Documents and Settings\Mark\Cookies\mark@adopt.euroclick[1].txt
C:\Documents and Settings\Mark\Cookies\mark@adopt.specificclick[2].txt
C:\Documents and Settings\Mark\Cookies\mark@adrevolver[3].txt
C:\Documents and Settings\Mark\Cookies\mark@ads.addynamix[2].txt
C:\Documents and Settings\Mark\Cookies\mark@ads.greatoutdoors[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ads.pointroll[1].txt
C:\Documents and Settings\Mark\Cookies\mark@advertising[2].txt
C:\Documents and Settings\Mark\Cookies\mark@anad.tacoda[2].txt
C:\Documents and Settings\Mark\Cookies\mark@anat.tacoda[1].txt
C:\Documents and Settings\Mark\Cookies\mark@bizadverts[1].txt
C:\Documents and Settings\Mark\Cookies\mark@counter.hitslink[1].txt
C:\Documents and Settings\Mark\Cookies\mark@dealtime.co[1].txt
C:\Documents and Settings\Mark\Cookies\mark@doubleclick[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ehg-autotrader.hitbox[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ehg-bbcworldwide.hitbox[2].txt
C:\Documents and Settings\Mark\Cookies\mark@fastclick[2].txt
C:\Documents and Settings\Mark\Cookies\mark@hitbox[1].txt
C:\Documents and Settings\Mark\Cookies\mark@indexstats[2].txt
C:\Documents and Settings\Mark\Cookies\mark@media.adrevolver[1].txt
C:\Documents and Settings\Mark\Cookies\mark@mediaplex[1].txt
C:\Documents and Settings\Mark\Cookies\mark@partypoker[2].txt
C:\Documents and Settings\Mark\Cookies\mark@questionmarket[1].txt
C:\Documents and Settings\Mark\Cookies\mark@revenue[1].txt
C:\Documents and Settings\Mark\Cookies\mark@server.iad.liveperson[1].txt
C:\Documents and Settings\Mark\Cookies\mark@serving-sys[2].txt
C:\Documents and Settings\Mark\Cookies\mark@specificclick[1].txt
C:\Documents and Settings\Mark\Cookies\mark@statcounter[2].txt
C:\Documents and Settings\Mark\Cookies\mark@statse.webtrendslive[2].txt
C:\Documents and Settings\Mark\Cookies\mark@tracking.dc-storm[1].txt
C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[2].txt
C:\Documents and Settings\Mark\Cookies\mark@webstats.thefa[1].txt

Also did an HJT log after re-boot. Results as follows,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:25, on 08/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\diaries\lotus organiser 6\organize\easyclip6.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mark\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0737344F-6C02-4327-BCC5-C875D83CE9A1}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0737344F-6C02-4327-BCC5-C875D83CE9A1}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtqpmn - awtqpmn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
--
End of file - 7157 bytes

Hope this helps,
Slime.

P.S. I've noticed at the bottom of every web page, including this one, a message that says
"Done, but with errors on page". Any ideas?
Slime.

[slime]

Hi,
don't know the relevance of this, but, I cannot open any PDF files with Adobe, still can't connect to Firefox & although I removed Norton Antivirus from my machine a long time ago, there are still some files I can't delete. I do have Symantec Winfax Pro however. How do I get rid of the old Norton scraps without affecting Winfax, or is that a different problem altogether.
Sorry if this is irrelevant but I assume the more info you have, the better.
Again, many thanks,
Slime.

[evilfantasy]

I don't think removing Norton/Symantec wil have any effect on the WinFax. You can use the Norton Removal Tool to get rid of all of the Norton leftovers.


Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O20 - Winlogon Notify: awtqpmn - awtqpmn.dll (file missing)

Close all windows except for HijackThis and click Fix checked

---------------

Please download CCleaner

• Double click on the ccsetup.exe file to start the installation of the program.
• Select your language and click OK, then next.
• Read the license agreement and click I Agree.
• Click next to use the default install location.
• Under Install Options, choose all the default settings
• Click Install then finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
• On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
• If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
• Click on the "Options" icon at the left side of the window, then click on "Advanced."
  deselect "Only delete files in Windows Temp folders older than 48 hours."
• Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
• Caution: Only use the "Registry" feature if you are very familiar with the registry as it has been known to find legitimate items.
• Always back up your registry before making any changes.
• After CCleaner has completed its process, click Exit.

---------------

Using Internet Explorer go to the ESET Nod32 Online Scanner

• Disable your antivirus program while running this scan.

• Check the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
  • The scanner engine will initialise and update
• Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
• Click Scan
  • The scan will now run, please be patient
• When the scan finishes click the Details tab
  • The log is located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and then paste the EsetOnlineScanner log log into your post.

---------------

Next post please add
ESET scan log
New HijackThis log

[slime]

Thanks evilfantasy,
I've done as asked & computer seems to be quicker now.

Here are the new logs,


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:49, on 09/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\diaries\lotus organiser 6\organize\easyclip6.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mark\Desktop\System clean-up stuff 2008\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0737344F-6C02-4327-BCC5-C875D83CE9A1}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0737344F-6C02-4327-BCC5-C875D83CE9A1}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
--
End of file - 7321 bytes


and,

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2776 (20080109)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=6beb9a54adbeb940bac68816fa63664f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-01-09 09:55:37
# local_time=2008-01-09 09:55:37 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=222633
# found=0
# scan_time=1405



any thanks,
Slime.