TechSpot

Abebot, trojans, need help

By wannabee
Apr 2, 2008
Topic Status:
Not open for further replies.
  1. Good morning all. I have just kidnapped a very sick Dell desktop Dimension 2400 from a friend of mine who could no longer get it to boot, and who last remembers seeing an Abebot error when running a McAfee virus scan, only to have her system completely "crap out" on her within a few hours. I have uninstalled McAfee, installed and updated Norton Internet Security and scanned with no errors found. I installed and ran Ad-Aware 2007, which found 4 critical errors with a TAI of 4-10 and removed them, and installed Avast antivirus as well; the only thing is I am still having concerns with no longer being able to run Avast (the error states "Avast: the AVVM system detects an RPC error"), and when I ran ZoneAlarm it stated that although I have a pretty yellow bar in my taskbar, with a green checkmark for Norton, the ZoneAlarm program doesn't show me running it on this machine, and I can't turn it on from their dashboard. When I open Norton it shows I am up to date with virus definitions and all green check marks. Spybot is continually popping up requests to change browser settings, trying to add a hex: value (a series of numbers after hex: that vary from time to time, all separated by commas). When the computer starts up, I get a dialog box with a red X that states the computer cannot find file www . privacy_center......htm. Also, I encounter an issue when I open the web browser that no matter what I change the home page address to, it defaults back to the www . softwarereferral . com/ home page (which doesn't load at all).

    I am attaching the latest hjt file, for your review, this was NOT done post adaware restart, but after adaware scan.

    The first Avast scan of the registry (it took about 4 hours to scan the entire startup process) found 7 trojan entries, one of which is affecting a program file in her Comcast provider directory. I personally have the computer on my Verizon FiOS line here.

    Any help would be appreciated. I am trying to get this back to her ASAP, and if you have any advice on how she can prevent her kids from slipping and clicking on bad popups, I'm sure she'd appreciate it.

    Sorry for the ramble... it's now 2am and I've been at this for a while.

    All Windows updates have been done. System is Windows XP running IE 7 (although I am thinking of installing Mozilla while it's visiting).
  2. kritius

    kritius TS Guru Posts: 2,087

    This is a very sick PC; you may have made it worse by running 2 AV systems.

    Follow these steps in this order.

    The first thing that I need you to do for me is completely uninstall Norton if you have not done so already.

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    Copy and paste ALL the following text in the code box below into Notepad.
    Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
    Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.
    Code:
    REGEDIT4
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    
    DELDOMAINS

    Download Deldomains.
    • Save it to your desktop.
    • Right-click DelDomains.inf and select: Install (no need to restart)
    • You may not see any noticeable changes or prompts; this is normal.
    Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally attach the Report.txt back on the forum

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please attach the contents of C:\vundofix.txt
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please Download VirtumundoBeGone by secured2k
    • Save the file to your desktop
    • Close all running programs (including your Internet Browser)
    • Double-click VirtumundoBeGone.exe on the desktop
    • Read the introductory information, and then click Continue
    • Click Start
    • When asked if you want to continue, click Yes to run the fix
    • Click "Save Log"

    Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

    The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

    Empty Recycle Bin.

    Reboot and attach the VBG.TXT into this thread.
    Also please describe how your computer behaves at the moment.

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please attach that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Run a fresh HijackThis scan after completing these steps.
  3. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Updates to system

    Thank you for getting back to me so quickly. I am almost "done" in the process and noticing a few good things. The errors I saw on startup are gone, and the computer is moving faster; also the software referral start page looks like it might be gone for good. I am attaching report.txt and the new HijackThis log file I just ran, as well as the Virtumundo report. The Vundo program found nothing, so there is no log to attach. Almost clean?

    If yes, what can I suggest to her to not get herself in this predicament again?

    Thanks so much!!!

    Next step is to run smitfraud...i'll keep you updated!! Thanks again
  4. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    one more thing

    Swore I wouldn't be one of those "incessant" posters filling you with too many unnecessary details, but thought you should know. After running VBG, emptying the recycle bin and restarting, I'm still not seeing errors, but the system seems to be running a bit more sluggish than immediately before I ran VBG. MSN.com was slow to load this time (it had been loading rather quickly), and it just seems that there is a lag now after running it, even though I didn't encounter the blue screen of death.

    Just restarted one more time, and going to see if I can get the SmitFraud page to load this time.

    thanks
  5. kritius

    kritius TS Guru Posts: 2,087

    Leave SmitFraud for now.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wytpc.dll/sp.html#28129
    O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {D8010B5A-E220-B876-B855-D2861F450A0C} - C:\WINDOWS\system32\mfcvj32.dll (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C: one.MHT!http://www.t058.com//inst//x.chm::/open.exe
    O21 - SSODL: SetupCheck - {6fe3f75e-1210-4c30-8c77-8bf0e54cb703} - C:\WINDOWS\Installer\{6fe3f75e-1210-4c30-8c77-8bf0e54cb703}\SetupCheck.dll (file missing)
    O21 - SSODL: ChkCD - {36b1477b-8cdb-4aeb-b348-ad04be317673} - C:\WINDOWS\Installer\{36b1477b-8cdb-4aeb-b348-ad04be317673}\ChkCD.dll (file missing)
    O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)
    O24 - Desktop Component 0 : Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Check for and Delete Files and Folders
    • Right click on the Start button and choose Explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them(if still present)
    C:\Program Files\PC-Antispyware\IeExtension.dll<---------This File
    C:\WINDOWS\system32\mfcvj32.dll<---------This File
    C:\WINDOWS\nttv.exe<---------This File
    C:\WINDOWS\privacy_danger<---------This Folder

    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
    ***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Run HijackThis again and post a fresh log.
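The entries kritius picks out above share a few tell-tale shapes: references to files that no longer exist, a search page served from a local DLL via res://, a Download Program File using the ms-its: protocol, a service with no vendor and a garbage name, and an Active Desktop component loading a local HTML file. The script below is an added example (not HijackThis's own logic and not code from this thread) that runs those heuristics over HijackThis-style log lines; the sample log is constructed from the entries quoted in the thread plus two benign lines made up for contrast, and the avast! service path in it is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the HijackThis entries quoted in the thread above,
# plus two benign-looking lines made up for contrast (ctfmon and an avast!
# service; the avast! path is an assumption, not taken from the thread).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wytpc.dll/sp.html#28129
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C: one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)
O24 - Desktop Component 0 : Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# A HijackThis entry starts with its section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    entry_type: str
    line: str
    reasons: list = field(default_factory=list)


def triage_entry(line):
    """Return a Finding for one log line (reasons empty if nothing stands out),
    or None if the line is not a HijackThis entry at all."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    etype, body = m.group("type"), m.group("body")
    reasons = []
    # Heuristics chosen for this example; they mirror what the thread's fixes
    # target (orphaned entries, local-DLL search pages, odd services, Active
    # Desktop components) and are not HijackThis's own scoring.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if etype.startswith("R") and "res://" in body:
        reasons.append("search/start page is served from a local DLL resource")
    if etype == "O16" and "ms-its:" in body.lower():
        reasons.append("Download Program File uses the ms-its: (compiled help) protocol")
    if etype == "O23" and "Unknown owner" in body:
        reasons.append("service has no vendor information")
    if etype == "O23" and not body.isascii():
        reasons.append("service name contains non-ASCII characters")
    if etype == "O24" and "file:///" in body:
        reasons.append("Active Desktop component loads a local HTML file")
    return Finding(etype, line.strip(), reasons)


def triage_log(text):
    """Run triage_entry over a whole log and keep only entries with reasons."""
    findings = []
    for line in text.splitlines():
        f = triage_entry(line)
        if f is not None and f.reasons:
            findings.append(f)
    return findings


def count_by_type(findings):
    """Summarise flagged entries per section code, e.g. {'O2': 2, 'O23': 1}."""
    counts = {}
    for f in findings:
        counts[f.entry_type] = counts.get(f.entry_type, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage_log(SAMPLE_LOG)
    for f in flagged:
        print(f.entry_type, "|", f.line[:70])
        for r in f.reasons:
            print("    -", r)
    print(count_by_type(flagged))
```

Run it on a real log by reading the file and passing its text to `triage_log`; the heuristics only highlight entries for a human to review, they do not decide what to fix, which is why the thread still asks for a fresh log after every step.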
  6. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    and so it goes

    ran smitfraud....see attached rapport.txt

    Deleted selected hjt files. Used explorer to find any "straggler" files, and found none.

    Installed newest Java, used add/remove to get rid of 3 old java installations. Used explorer to remove one remaining folder in program files.

    Restarted, reran hijack this, and attached new2 log.

    One side note... in the Windows folder I see MANY folders/files at the top of the file list that start with a $.... I notice some are files that have "uninstall" in the title.... Can I simply trash this junk, or is it a sign of something more sinister?
  7. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    and lastly...have I said THANK YOU yet???

    Already noticing BIG changes
  8. carolnewbee

    carolnewbee TS Rookie

    Same Abebot - Trojan downloader. xs problem

    Hi All,
    I've been struggling here all day with these warning messages! I was sure glad to come across this forum and hopefully I can get some help. I'm REALLY green at all this. Hopefully I will figure out how to attach the Hijack file. I'll be working on the rest of the instructions after I post this. Thanks for any help/guidance you can give.
    Carolnewbee
  9. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    and now the drives....

    kritius,

    I just finished posting my thank you and began to collect the picture files on her desktop into one folder, in order to burn them to disk and provide her with a backup for her photos. Major roadblock. The two drives that are operational (they open, the green light flashes when a CD is installed), one a Sony CD-RW CRX216E and the other a Samsung DVD-ROM SD-616E, both factory installed, are not listed in "My Computer" and show as not operating in Device Manager. When I look at the properties in Device Manager the error reads "Windows cannot start this hardware device because its configuration (in the registry) is incomplete or damaged. (Code 19)".

    I have run the troubleshooter, uninstalled, restarted and attempted to reinstall the drives, but no luck. Drives are still not recognized and I have pretty yellow exclamation points next to the name of each within my Device Manager.

    I really hope they enjoyed whatever popup they clicked on or file they "shared" in order to trash this thing so hard.

    Silver lining..... seems the A: drive is working fine... now if only her pictures were less than a meg and a half, I could copy them one at a time :)

    Might be time to pull out the flash drive.... think I have a junk 64MB one lying around here somewhere.

    Is this situation tied into the same troubles? Any ideas how to get around it?
  10. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    carolnewbee

    You will want to start a new thread so that your problem is picked up on its own. Back out of my posting and click on the Post (Start) New Thread button near the top of the thread listings.

    Good luck!!!
  11. carolnewbee

    carolnewbee TS Rookie

    Done! thanks so much!
    Carolnewbee
     
  12. kritius

    kritius TS Guru Posts: 2,087

    Let's get this all clean first and then we'll worry about other issues; they may have been resolved by the end. I will also post instructions on keeping safe and stuff at the end.

    Boot into safe mode.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Then, (if this bit doesn't work then don't worry)

    HOW TO DELETE AN NT SERVICE USING HJT

    Open HijackThis and click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.

    O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)

    Close HijackThis.

    Show all hidden files and folders.

    Find and Delete Suspect File
    Using Start > Search > All Files and Folders
    Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
    Enter nttv.exe in the 'All or part of file name' box
    Select C: in the 'Look in' dropdown box
    Click Search Now
    Right-click on nttv.exe and select Delete
    Repeat for each copy of the file
    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    Still in safe mode,

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Reboot into normal mode.

    Create an uninstall list
    • Launch Hijackthis
    • Click the Open the Misc Tools section button
    • Click the Open Uninstall Manager button.
    • Click the Save list button.
    • Attach this log in your next reply

    Download and Run ComboFix
    Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

    Download Combofix from any of the links below, and save it to your desktop:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    For information regarding this download, please visit this webpage:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Note: It is important that it is saved directly to your desktop!

    Now close any open browsers. Also close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts. Do not mouseclick combofix's window while it's running. That may cause it to stall.

    When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt attach that report along with a fresh HJT log.

    So that's:
    1) SmitFraud report
    2) HJT uninstall list
    3) ComboFix scan
    4) Fresh HijackThis log
  13. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Gotcha

    Got your post, sorry for the delay, had to work all day and just got home. Searching for nttv.exe and nothing is found; HJT wouldn't let me remove the O23 entry by "fixing" or through Config.

    Working on SmitFraud now, using my laptop to communicate while the sick PC does its thing without the ethernet cable attached. Hopefully with the time difference I have you here long enough to get you the results :)

    Thanks
  14. kritius

    kritius TS Guru Posts: 2,087

    I'll have to look over them tomorrow; the ComboFix one is the important one though, it's the big guns for getting rid of this.
  15. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Reports 4/3 9pm

    Here we go.

    Smitfraud report (cut and paste)

    Note: when the program first started running, I saw an error reading "swg.exe is not a valid file type"... doesn't look like that part of the program worked... but at this point who knows...

    SmitFraudFix v2.309

    Scan done at 19:49:55.79, Thu 04/03/2008
    Run from C:\Documents and Settings\Christine\My Documents\Fixes\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christine


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christine\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A6B8E890-E6C7-44F5-85B9-568BB5C46D38}: DhcpNameServer=68.87.71.226 68.87.73.242
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A6B8E890-E6C7-44F5-85B9-568BB5C46D38}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End




    Ran HJT and created and saved an uninstall list (might be worth knowing that this computer is hard-wired to the internet here at my home, and has never had any kind of wireless modem attached, so the WIRELESS entry jumped out at me... the only thing wireless near this thing is my backup/junky laptop across the room)

    3D Groove Playback Engine
    Ad-Aware 2007
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 7.0.7
    AIM 6
    AT&T WorldNet Setup
    avast! Antivirus
    BCM V.92 56K Modem
    Broadcom Management Programs
    CCScore
    Comcast High-Speed Internet Install Wizard
    CR2
    DelDomains TRIAL VERSION
    Dell Digital Jukebox Driver
    Dell Solution Center
    DellSupport
    Desktop Doctor
    DS21Patch
    DVDSentry
    EPSON Scan
    ESSBrwr
    ESSCDBK
    ESScore
    ESSCT
    ESSEMAIL
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSSONIC
    ESSTOOLS
    essvatgt
    essvcpt
    ESSvpaht
    ESSvpot
    Google Toolbar for Internet Explorer
    Harry Potter II
    HijackThis 2.0.2
    HLPIndex
    HLPSFO
    Hotfix for Windows XP (KB915865)
    hp deskjet 950c series
    hp deskjet 950c series (Remove only)
    Intel(R) Extreme Graphics Driver
    Internet Explorer Default Page
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Pro 8 Dell Edition
    Java(TM) 6 Update 5
    JumpStart Kindergarten v2.4b
    JumpStart Preschool
    Kodak EasyShare printer dock
    Kodak EasyShare software
    KSU
    Learn2 Player (Uninstall Only)
    Learning Games Desktop Icon Installer
    Macromedia Shockwave Player
    Madeline Thinking Games
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Modem Helper
    MSXML 4.0 SP2 (KB936181)
    Notifier
    OfotoXMI
    OptiPix Pro
    OTtBP
    OTtBPSDK
    PowerDVD
    PrintMaster Gold 4.00
    QuickTime
    QuickTime 3.0
    RealOne Player
    Rhapsody Player Engine
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 8 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB946026)
    SFR
    SFR2
    SHASTA
    SKIN0001
    SKINXSDK
    Sonic DLA
    Sonic RecordNow!
    Sonic Update Manager
    Spellbound!
    Spybot - Search & Destroy
    The Cat in the Hat
    The Treasure on Bing-Bong Island
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Viewpoint Media Player
    Virtools 3D Life Player
    VPRINTOL
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WIRELESS
    ZoneAlarm
    ZoneAlarm Spy Blocker



    Attached ComboFix log and fresh HJT scan
  16. kritius

    kritius TS Guru Posts: 2,087

    Hi,

    Just to let you know I haven't forgotten about you and I'm writing a fix out now which I'll post later.
  17. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    No problem...it's been a hell of a week in retail land and I had a blast enjoying life NOT behind a sick computer....I'll be on my time, all day Sunday....hope you had a great and relaxing weekend!
  18. kritius

    kritius TS Guru Posts: 2,087

    Can you run a fresh ComboFix for me please?
  19. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    New ComboFix

    Attached ComboFix and fresh HJT logs
  20. kritius

    kritius TS Guru Posts: 2,087

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot if necessary

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
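    The O23 line listed above names a service whose image file is missing, and the follow-up report says a search of C: for nttv.exe turns up nothing. The thing to look for in that situation is not the file but the service key: the name in parentheses on an O23 line is the key under HKLM\SYSTEM\CurrentControlSet\Services, which is what you query or remove when HijackThis cannot fix the entry itself. The script below is an added example, not code from the thread or from HijackThis; it parses HJT O23 lines, pulls out that key name, and flags the usual warning signs (missing image, a key name built from non-printable characters, no vendor in the version info, an image dropped straight into C:\WINDOWS). The first sample line is the one quoted above; the other two are constructed for illustration (the avast entry and the "wuhelper" entry are not from the thread).

```python
"""Triage HijackThis O23 (service) lines.

Added example, not part of the original thread. HJT prints one O23 line
per registered service in this shape:

  O23 - Service: <display name> (<service key>) - <owner> - <image path> [(file missing)]

The <service key> is the registry key name under
HKLM\\SYSTEM\\CurrentControlSet\\Services, so it is what to inspect or
delete when the image on disk is already gone.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the entry quoted in the thread; lines 2 and 3
# are made up for illustration (an avast 4 service and a hypothetical "wuhelper").
SAMPLE_LOG = r"""O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)
O23 - Service: Avast! Antivirus (avast! Antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Update Helper (wuhelper) - Unknown owner - C:\WINDOWS\system32\wuhelper.exe
"""

# The key name is taken verbatim, leading/trailing spaces included, because the
# registry key really can contain them (the quoted entry starts with a space).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<key>[^)]*)\) - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?\s*$"
)

SERVICES_ROOT = r"HKLM\SYSTEM\CurrentControlSet\Services"


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one O23 line, or None for any other HJT line."""
    m = O23_RE.match(line)
    if not m:
        return None
    return {
        "display": m.group("display"),
        "key": m.group("key"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def assess(entry: Dict[str, object]) -> List[str]:
    """Heuristic warning signs for a service entry; an empty list means nothing stood out."""
    reasons: List[str] = []
    key = str(entry["key"])
    path = str(entry["path"])
    if entry["missing"]:
        reasons.append("image file missing (orphaned service entry)")
    # Random binary-looking key names do not survive as printable ASCII.
    if any(ord(c) < 32 or ord(c) > 126 for c in key):
        reasons.append("service key name contains non-printable or non-ASCII characters")
    # HJT prints "Unknown owner" when the image has no company in its version info;
    # some legitimate services look like this too, so treat it as low confidence.
    if entry["owner"] == "Unknown owner":
        reasons.append("no vendor in version info (Unknown owner)")
    # Service binaries normally live in system32 or Program Files, not the Windows root.
    if ntpath.dirname(path).lower() == r"c:\windows":
        reasons.append("image sits directly in C:\\WINDOWS rather than system32 or Program Files")
    return reasons


def registry_key(entry: Dict[str, object]) -> str:
    """Full registry path of the service key HJT is reporting on."""
    return SERVICES_ROOT + "\\" + str(entry["key"])


def reg_query_command(entry: Dict[str, object]) -> str:
    """reg.exe command (present on XP) to inspect the key; quoted so odd names survive cmd.exe."""
    return 'reg query "%s"' % registry_key(entry)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every O23 line in an HJT log and attach the warning signs to each."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        entry["reasons"] = assess(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flag = "SUSPECT" if e["reasons"] else "ok     "
        print("%s %-30r %s" % (flag, e["key"], e["path"]))
        for r in e["reasons"]:
            print("        - " + r)
        if e["reasons"]:
            print("        inspect with: " + reg_query_command(e))
```

    Run it over a saved HJT log instead of SAMPLE_LOG to get the same triage for a real machine; the reg query line it prints is the first thing to run, since an entry whose image is gone but whose key is still present will keep reappearing in HJT until the key itself is removed.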
  21. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Sunday scans

    Attached


    Malwarebytes log (16 infections found and removed...scanned again and nothing found)

    HJT log post malwarebytes scan

    Still not finding "nttv.exe" in searching c drive and not able to "fix" that entry in hijack this

    Desktop ini file that showed up on my desktop sometime during the malware scan. Not sure if I can just dump it, at this point, I don't want to risk pushing us backwards without checking with you.

    I know that you like to hear how the computer is performing during this process...just thought I'd let you know that for the first time I am encountering ZoneAlarm popups stating that windows32... is trying to obtain server access. This error never happened before...must be from clearing out the trusted sites? I take it as a good sign that I am allowed to block them.

    As I type this....ZoneAlarm just let me know that it protected me from local network access against my computer. I'll just keep blocking first, until I know I can trust it.
  22. kritius

    kritius TS Guru Posts: 2,087

    I'll have to look into this one, I'll get back to you soon.
  23. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Thanks again...good luck
  24. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Is it a bad sign that we haven't touched base in a couple days? (kidding)

    We're a little slow here this morning, took a while when I tried to start it up, and when I moved to hotmail to check for new post alerts, I noticed a security warning telling me I was about to leave a secure connection. Brain is sleepy, so I could be wrong but I don't remember seeing that on other systems when I check my "junk" account.

    Just keeping you in the loop, take your time, I have tons of free time to tinker this week. (sigh)
  25. kritius

    kritius TS Guru Posts: 2,087

    Sorry about that, it's been pretty busy here and in work, I just need to check some things out and I should hopefully reply tonight.