Antispyware popups!


Post by skicb » November 19th, 2006, 8:46 pm

Whenever I use IE I am flooded with antispyware popups and redirected to a site to download antispyware software. Ran adaware and Spybot to no effect. It doesn't happen with firefox. Please review HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:42 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\{00006D4D-0A6A-1033-0106-050818040001}\Update.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtax.dll,startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks for your help!
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Post by skicb » November 19th, 2006, 11:27 pm

Unfortunately the ads are for winantispyware!
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Post by Trogan » November 20th, 2006, 8:54 am

Hi skicb! :)

You appear not to be using an Anti-virus or Firewall. Please download one of each from the list below - They are Free!

Firewall
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall

Anti-virus
AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition
_________________________________

Let's carry on:

  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.

The infection you have is hiding from HijackThis, therefore we need to rename it in order to make the infection visible. You can rename HijackThis by doing the following:

Locate the file in ORANGE

C:\HijackThis\HijackThis.exe

Right-click on HijackThis.exe and select Rename. Rename the file to Scanner.

Create a new log and post it back here, along with the Uninstall list please.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Post by skicb » November 20th, 2006, 9:17 pm

Trogan_1000, thank you for your help with my problem. Requested info:

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:10:51 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{00006D4D-0A6A-1033-0106-050818040001}\Update.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\HijackThis\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {00EB110D-5E8E-4D70-9AA4-6E91BB57F1A3} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07535D90-164F-0432-F98E-0AAAC88D266F} - C:\WINDOWS\system32\tcdenj.dll
O2 - BHO: (no name) - {0F049168-504A-C193-0DF2-079B217A8CE9} - C:\WINDOWS\system32\bgnhove.dll
O2 - BHO: (no name) - {18DB85FD-A93B-B90C-C753-016BF42A3EEA} - C:\WINDOWS\system32\bkracun.dll
O2 - BHO: (no name) - {2BC144DF-8FC7-453F-AE9A-CBF6B3EFE2A2} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {AF99759F-A96C-DDBD-7000-CC891F2833C2} - C:\WINDOWS\system32\suikfybh.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fishcwke.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlvv32 - C:\WINDOWS\SYSTEM32\winlvv32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


and:

uninstall_list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Alive Video Converter (version 2.6.8.0)
AOL Instant Messenger
Apple Software Update
AVG Free Edition
Broadcom 802.11 Driver
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Disc2Phone
Display Utility
DivX
DivX Player
Guild Wars
Half-Life(R) 2
HijackThis 1.99.1
Hotfix for MDAC 2.80 (KB911562)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Deskjet printer preloaded drivers
HP Image Zone 4.2
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 4.2
HP Software Update
HPImageZone
Indeo® Software
InterActual Player
Internet Explorer 7 Beta 2 Preview
Internet Explorer Q903235
InterVideo WinDVD
InterVideo WinDVD Creator
iPod for Windows 2005-09-23
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Memories Disc Creator 2.0
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Works 7.0
Morpheus 5.2 (remove only)
Morpheus Toolbar
Mozilla Firefox (1.5.0.8)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
muvee autoProducer DVD Edition - HPH
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
Photosmart 140,240,7200,7600,7700,7900 Series
Quick Launch Buttons 4.10 C2
Quicken 2003 New User Edition
QuickTime
Razer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sony Ericsson PC Suite 1.10.21
Spybot - Search & Destroy 1.4
Steam(TM)
Synaptics Pointing Device Driver
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
Theme Manager
Update for Windows XP (KB904942)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Defender
Windows Defender Signatures
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
ZoneAlarm

Looking forward to hearing back from you!
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Post by Trogan » November 20th, 2006, 11:13 pm

Hi again skicb!

Before we begin, I would like you to have some files scanned please:
  • Go to VirusTotal
  • Copy and paste the following file path into the Search Box at the top of the page:
  • C:\WINDOWS\system32\tcdenj.dll
  • Click on the Send button
  • Save a copy of the results please
Do the same for these files:

C:\WINDOWS\system32\bgnhove.dll
C:\WINDOWS\system32\bkracun.dll
C:\WINDOWS\system32\suikfybh.dll


Please post the results back here first and then carry on with the following....


Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)

_____________________________________

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt when requested in your next post.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

_____________________________________

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
_____________________________________

Please post the following:

1) Contents of C:\vundofix.txt
2) Contents of C:\rapport.txt
3) New HijackThis log

Also, do you recognise this program?
Display Utility
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
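The triage Trogan applies to the log above (submit the present "(no name)" BHO DLLs from system32 for scanning, treat "(file missing)" entries as leftovers to clean, look at what loads into winlogon.exe) written out as a small HijackThis-log parser. This is an added example, not code from the thread, from HijackThis or from the helper; the sample lines are copied from the logs posted in this thread, the Winlogon Notify allowlist is an assumption, and the reversed-name .ini pairing comes from the VundoFix output posted later in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the HijackThis 1.99.1 logs posted in
# this thread (entries copied from those logs; not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00EB110D-5E8E-4D70-9AA4-6E91BB57F1A3} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07535D90-164F-0432-F98E-0AAAC88D266F} - C:\WINDOWS\system32\tcdenj.dll
O2 - BHO: (no name) - {0F049168-504A-C193-0DF2-079B217A8CE9} - C:\WINDOWS\system32\bgnhove.dll
O2 - BHO: (no name) - {18DB85FD-A93B-B90C-C753-016BF42A3EEA} - C:\WINDOWS\system32\bkracun.dll
O2 - BHO: (no name) - {2BC144DF-8FC7-453F-AE9A-CBF6B3EFE2A2} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {AF99759F-A96C-DDBD-7000-CC891F2833C2} - C:\WINDOWS\system32\suikfybh.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtax.dll,startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlvv32 - C:\WINDOWS\SYSTEM32\winlvv32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every entry is "<section> - <rest>"; section is R0, R1, O2, O20, O23, ...
SECTION_RE = re.compile(r"^([RO]\d+) - (.*)$")
# O4 entries: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Other entries: "<kind>: <name> - ... - <path>" (BHO, Toolbar, Winlogon Notify, Service)
KIND_RE = re.compile(r"^(?P<kind>[^:]+): (?P<body>.*)$")
# First file path in an entry; copes with quotes, spaces and rundll32 "path,export"
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%\w+%\\)[^",]*?\.(?:dll|exe|ocx|cpl)\b', re.I)
# Winlogon Notify DLLs taken as expected on this XP SP2 box: an assumption made
# for this example, not a list from the thread or from HijackThis.
KNOWN_NOTIFY = {"wgalogon"}

@dataclass
class Entry:
    section: str          # R0, R1, O2, O4, O20, ...
    kind: str             # BHO, Toolbar, Run, Winlogon Notify, Service, ...
    name: str             # display name, Run value name or Notify subkey
    path: Optional[str]   # first file path in the entry, if any
    file_missing: bool    # HijackThis appended "(file missing)"

def parse_line(line: str) -> Optional[Entry]:
    m = SECTION_RE.match(line.strip())
    if not m:
        return None                      # header, process list or blank line
    section, rest = m.groups()
    run, kind_m = RUN_RE.match(rest), KIND_RE.match(rest)
    if run:
        kind, name, body = "Run", run.group("name"), run.group("cmd")
    elif kind_m:
        kind, body = kind_m.group("kind"), kind_m.group("body")
        name = body.split(" - ", 1)[0]   # text before the CLSID / company / path
    else:
        kind, name, body = section, rest, rest
    p = PATH_RE.search(body)
    return Entry(section, kind, name, p.group(0) if p else None,
                 rest.endswith("(file missing)"))

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()

def files_to_submit(entries: List[Entry]) -> List[str]:
    """Present '(no name)' BHOs loaded from system32: the files Trogan asked to
    have checked on VirusTotal before any removal tool was run."""
    return [e.path for e in entries
            if e.section == "O2" and e.name == "(no name)"
            and not e.file_missing and e.path and in_system32(e.path)]

def orphaned_references(entries: List[Entry]) -> List[str]:
    """Entries whose file is already gone: leftovers to remove, each path once."""
    seen: List[str] = []
    for e in entries:
        if e.file_missing and e.path and e.path.lower() not in map(str.lower, seen):
            seen.append(e.path)
    return seen

def notify_dlls_to_review(entries: List[Entry]) -> List[str]:
    """Winlogon Notify DLLs present in system32 and not on the allowlist; these
    load into winlogon.exe, so each one deserves a look."""
    return [e.path for e in entries
            if e.section == "O20" and not e.file_missing and e.path
            and in_system32(e.path) and e.name.lower() not in KNOWN_NOTIFY]

def vundo_companion(dll_path: str) -> str:
    """The VundoFix output later in this thread pairs each DLL with an .ini named
    by reversing the DLL base name (ddcya.dll / aycdd.ini); return that name."""
    base = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return base[::-1] + ".ini"

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("submit to VirusTotal:", files_to_submit(entries))
    print("orphaned references: ", orphaned_references(entries))
    print("Winlogon Notify DLLs to review:", notify_dlls_to_review(entries))
```

On the sample the parser reports exactly the four DLLs Trogan sent to VirusTotal, the two "(file missing)" leftovers, and winlvv32.dll as the one Winlogon Notify entry worth a second look.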

Post by skicb » November 20th, 2006, 11:46 pm

Will run software tomorrow evening (EST USA)--too late tonight.

Display utility--This laptop computer that is infected belongs to my son. It is hooked up to 2 monitors. Is it possible that the utility runs 2 monitors? I will ask son tomorrow what he thinks but doubt he knows. Then again when you're 14 you know everything!

Cheers, and thanks!


:)
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Post by skicb » November 21st, 2006, 7:17 pm

Okay, hello Trogan_1000.

Display Utility is unknown and suspicious!

VirusTotal results:

Complete scanning result of "tcdenj.dll_", received in VirusTotal at 11.21.2006, 23:44:21 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 TR/Vundo.Gen
Authentium 4.93.8 11.20.2006 Possibly a new variant of W32/Bongler-based
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.21.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 suspicious
F-Prot 3.16f 11.20.2006 Possibly a new variant of W32/Bongler-based
F-Prot4 4.2.1.29 11.20.2006 W32/Bongler-based
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 a variant of Win32/TrojanDownloader.Busky.AZ
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.21.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found

Complete scanning result of "bgnhove.dll_", received in VirusTotal at 11.21.2006, 23:53:07 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 TR/Vundo.Gen
Authentium 4.93.8 11.20.2006 Possibly a new variant of W32/Bongler-based
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.21.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 Trojan.DownLoader.based
eSafe 7.0.14.0 11.20.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 suspicious
F-Prot 3.16f 11.20.2006 Possibly a new variant of W32/Bongler-based
F-Prot4 4.2.1.29 11.20.2006 W32/Bongler-based
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 a variant of Win32/TrojanDownloader.Busky.AZ
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.21.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found

Complete scanning result of "bkracun.dll_", received in VirusTotal at 11.22.2006, 00:01:51 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 TR/Vundo.Gen
Authentium 4.93.8 11.20.2006 Possibly a new variant of W32/Bongler-based
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.21.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 suspicious
F-Prot 3.16f 11.20.2006 Possibly a new variant of W32/Bongler-based
F-Prot4 4.2.1.29 11.20.2006 W32/Bongler-based
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 a variant of Win32/TrojanDownloader.Busky.AZ
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.22.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found

Complete scanning result of "suikfybh.dll_", received in VirusTotal at 11.22.2006, 00:06:02 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 ADSPY/PurityScan.AK.129
Authentium 4.93.8 11.20.2006 no virus found
Avast 4.7.892.0 11.20.2006 Win32:Agent-RY
AVG 386 11.20.2006 Adware Generic.RSN
BitDefender 7.2 11.21.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 Trojan.PurityScan.AK
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 Adware.PurityScan
Fortinet 2.82.0.0 11.21.2006 Adware/ClickSpring
F-Prot 3.16f 11.20.2006 no virus found
F-Prot4 4.2.1.29 11.20.2006 no virus found
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 4901 11.21.2006 potentially unwanted program Adware-ClickSpring
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 a variant of Win32/Adware.PurityScan
Norman 5.80.02 11.21.2006 W32/PurityScan.AGM
Panda 9.0.0.4 11.21.2006 Suspicious file
Prevx1 V2 11.22.2006 Polynomial.Code.Exploit
Sophos 4.11.0 11.16.2006 ClickSpring
TheHacker 6.0.3.122 11.21.2006 Adware/PurityScan.ak
UNA 1.83 11.21.2006 Adware.PurityScan.39F8
VBA32 3.11.1 11.21.2006 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.15:9 11.21.2006 Adware.ClickSpring.Gen

Will continue with instructions...
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Post by skicb » November 21st, 2006, 7:48 pm

Hello again Trogan_1000

vundofix.txt:

VundoFix V6.2.11

Checking Java version...

Scan started at 10:02:53 PM 11/19/2006

Listing files found while scanning....

C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.bak1
C:\WINDOWS\system32\aycdd.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddcya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.bak1
C:\WINDOWS\system32\aycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.bak2
C:\WINDOWS\system32\aycdd.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Scan started at 10:07:36 PM 11/19/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.11

Checking Java version...

Scan started at 6:29:51 PM 11/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\kmllm.ini
C:\WINDOWS\system32\kmllm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kmllm.ini
C:\WINDOWS\system32\kmllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kmllm.bak1
C:\WINDOWS\system32\kmllm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!


rapport.txt:

SmitFraudFix v2.123

Scan done at 18:40:15.54, Tue 11/21/2006
Run from C:\Documents and Settings\test\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\cfltygd.dll FOUND !
C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\test


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\test\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\test\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VirusBursters\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:38 PM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{00006D4D-0A6A-1033-0106-050818040001}\Update.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {00EB110D-5E8E-4D70-9AA4-6E91BB57F1A3} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07535D90-164F-0432-F98E-0AAAC88D266F} - C:\WINDOWS\system32\tcdenj.dll
O2 - BHO: (no name) - {0F049168-504A-C193-0DF2-079B217A8CE9} - C:\WINDOWS\system32\bgnhove.dll
O2 - BHO: (no name) - {18DB85FD-A93B-B90C-C753-016BF42A3EEA} - C:\WINDOWS\system32\bkracun.dll
O2 - BHO: (no name) - {2BC144DF-8FC7-453F-AE9A-CBF6B3EFE2A2} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {AF99759F-A96C-DDBD-7000-CC891F2833C2} - C:\WINDOWS\system32\suikfybh.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fishcwke.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlvv32 - C:\WINDOWS\SYSTEM32\winlvv32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Have followed all your instructions in your prior post. Thank you for reviewing these.

:)
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Unread postby Trogan » November 22nd, 2006, 11:59 am

Hi skicb! Thank you for the scans and the logs.

Let's see if we can find out what Display Utility belongs to before removing it. Please check if this folder exists:

C:\Program Files\Display Utility

If it does, open it and make a list of what files are inside. If there are too many to list, just write down a few. Post the list back here first and then continue with the main fix, which is a bit long.
__________________________

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

We need to get a file uploaded so VundoFix can get updated.

  • Please go here to Upload Malware
  • Fill out the information, and post the link to this thread.
  • In the File(s) To Submit: box 1. copy and paste the following:
    • C:\WINDOWS\SYSTEM32\winlvv32.dll
  • Click on Send File and close the page
__________________________

Next, download and run the OiUninstaller uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller, if needed

Reboot your computer!
__________________________

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {00EB110D-5E8E-4D70-9AA4-6E91BB57F1A3} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {07535D90-164F-0432-F98E-0AAAC88D266F} - C:\WINDOWS\system32\tcdenj.dll
O2 - BHO: (no name) - {0F049168-504A-C193-0DF2-079B217A8CE9} - C:\WINDOWS\system32\bgnhove.dll
O2 - BHO: (no name) - {18DB85FD-A93B-B90C-C753-016BF42A3EEA} - C:\WINDOWS\system32\bkracun.dll
O2 - BHO: (no name) - {2BC144DF-8FC7-453F-AE9A-CBF6B3EFE2A2} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {AF99759F-A96C-DDBD-7000-CC891F2833C2} - C:\WINDOWS\system32\suikfybh.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fishcwke.dll (file missing)

O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis

Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

O20 - Winlogon Notify: winlvv32 - C:\WINDOWS\SYSTEM32\winlvv32.dll

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!

After the computer has rebooted, remove this entry with HijackThis:

O20 - Winlogon Notify: winlvv32 - C:\WINDOWS\SYSTEM32\winlvv32.dll (file missing)
__________________________

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.
__________________________

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Download combofix.exe and save it to your Desktop.

Double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
______________________________

Please post the following:
  1. c:\rapport.txt
  2. ComboFix log
  3. AVG Anti-Spyware log
  4. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
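
The O2 and O20 entries Trogan lists above follow a fixed HijackThis line format, and the triage he applies (unnamed BHOs loading from system32, orphaned "(file missing)" entries, unexpected Winlogon Notify hooks) can be written down as a small parser. The following Python is an added example written for this page, not code from the thread or from HijackThis; the sample lines are copied from the log above, and the Winlogon Notify allowlist is a constructed assumption for illustration, not an authoritative list.

```python
"""Triage helper for HijackThis v1.99-style O2 (BHO) and O20 (Winlogon Notify) lines.

Added example for this thread; not part of HijackThis or of the helper's post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O2/O20 lines taken from the log posted in this thread,
# including two benign entries (Acrobat BHO, WgaLogon) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00EB110D-5E8E-4D70-9AA4-6E91BB57F1A3} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07535D90-164F-0432-F98E-0AAAC88D266F} - C:\WINDOWS\system32\tcdenj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlvv32 - C:\WINDOWS\SYSTEM32\winlvv32.dll
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
"""

# "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# "O20 - Winlogon Notify: <package> - <path>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed allowlist (assumption for this example): Winlogon Notify packages
# accepted without comment on this machine. Winlogon Notify DLLs load inside
# winlogon.exe, so anything not expected there deserves a closer look.
KNOWN_WINLOGON_NOTIFY = {"wgalogon"}


@dataclass
class Finding:
    line: str
    kind: str                      # "O2" or "O20"
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one O2/O20 line, or None if the line is another
    HJT type or raises no flag under the heuristics used in this thread."""
    line = line.strip()
    kind, m = "O2", O2_RE.match(line)
    if m is None:
        kind, m = "O20", O20_RE.match(line)
    if m is None:
        return None
    name, path = m.group("name"), m.group("path")
    missing = m.group("missing") is not None
    in_system32 = "\\system32\\" in path.lower()

    reasons: List[str] = []
    if missing:
        reasons.append("orphaned entry: file is missing (leftover of an earlier removal)")
    if kind == "O2" and name == "(no name)" and in_system32:
        reasons.append("unnamed BHO loading from system32")
    if kind == "O20" and name.lower() not in KNOWN_WINLOGON_NOTIFY:
        reasons.append("Winlogon Notify package not on the allowlist")
    if not reasons:
        return None
    return Finding(line, kind, name, path, reasons)


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the flagged entries, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def hjt_fix_list(findings: List[Finding]) -> List[str]:
    """The exact lines to tick under 'Do a system scan only', as the helper lists them."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```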

Unread postby skicb » November 22nd, 2006, 3:44 pm

Can these instructions be done in stages, or should they all be done in one session?

Thanks
:)
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm

Unread postby Trogan » November 22nd, 2006, 4:05 pm

In one session to fully tackle the infections. :)
Last edited by Trogan on November 23rd, 2006, 3:44 pm, edited 1 time in total.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby skicb » November 23rd, 2006, 3:33 pm

Okay, here we go :)

SmitFraudFix v2.123

Scan done at 11:47:57.18, Thu 11/23/2006
Run from C:\Documents and Settings\test\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\Program Files\VirusBursters\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
test - 06-11-23 14:19:05.65 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\test\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{00006D4D-0A6A-1033-0106-050818040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\test\Application Data\WNSXS~1
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\Common Files\TSKS~1
C:\QooBox\Purity\Program Files\STEM32~1\??stem32
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-23 to 2006-11-23 ))))))))))))))))))))))))))))))))))


2006-11-23 11:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-21 18:40 3,454 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-21 18:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-21 18:39 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-21 18:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-21 18:39 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-20 19:40 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-20 19:40 <DIR> d-------- C:\Program Files\Zone Labs
2006-11-20 19:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-20 19:35 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-20 19:34 <DIR> d-------- C:\Documents and Settings\test\Application Data\AVG7
2006-11-20 19:33 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-20 19:33 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-20 19:33 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-20 19:33 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-20 19:33 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-20 19:33 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-20 19:33 <DIR> d-------- C:\Program Files\Grisoft
2006-11-20 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-20 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-19 22:03 1,492 --a------ C:\WINDOWSvundofix.reg
2006-11-19 22:02 <DIR> d-------- C:\VundoFix Backups
2006-11-19 20:56 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-19 20:53 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-19 20:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-19 20:44 94,208 --a------ C:\WINDOWS\system32\exclgse.dll
2006-11-19 20:44 71,168 --a------ C:\WINDOWS\system32\bkracun.dll
2006-11-19 18:06 94,208 --a------ C:\WINDOWS\system32\cpktepe.dll
2006-11-19 18:06 71,680 --a------ C:\WINDOWS\system32\tcdenj.dll
2006-11-17 06:27 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-11-16 06:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-16 06:01 <DIR> d-------- C:\628afec30667c8ee3c460b
2006-11-09 18:33 110,612 --a------ C:\WINDOWS\system32\jkclwifk.exe
2006-11-09 18:33 <DIR> d-------- C:\Program Files\VSAdd-in
2006-11-09 18:19 93,696 --a------ C:\WINDOWS\system32\ybzxmpd.dll
2006-11-09 18:19 72,704 --a------ C:\WINDOWS\system32\bgnhove.dll
2006-11-08 22:00 877,568 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2006-11-08 22:00 780,288 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2006-11-08 22:00 778,240 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2006-11-08 22:00 764,416 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2006-11-08 22:00 495,104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2006-11-08 22:00 382,464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2006-11-08 22:00 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2006-11-08 22:00 249,856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2006-11-08 22:00 215,552 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2006-11-08 22:00 2,846,720 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2006-11-08 22:00 188,416 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2006-11-08 22:00 126,464 --a------ C:\WINDOWS\system32\lame_enc.dll
2006-11-08 22:00 <DIR> d-------- C:\WINDOWS\system32\RMBin
2006-11-08 22:00 <DIR> d-------- C:\Program Files\AliveMedia
2006-11-07 03:26 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-04 23:18 <DIR> d-------- C:\Program Files\iTunes
2006-11-04 23:15 <DIR> d--hs---- C:\Config.Msi
2006-11-04 23:15 <DIR> d-------- C:\Program Files\QuickTime
2006-11-04 23:14 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 19:31 <DIR> d-------- C:\Documents and Settings\test\Application Data\Opera
2006-11-02 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-11-02 18:34 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-11-02 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-02 18:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2006-11-02 16:30 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-11-01 14:51 <DIR> d-------- C:\Program Files\Morpheus Toolbar
2006-10-31 15:44 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-23 14:20 -------- d-a------ C:\Program Files\Common Files
2006-11-22 09:25 -------- d-------- C:\Program Files\Lesmd
2006-11-21 18:13 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-19 21:02 -------- d-a------ C:\Program Files\Internet Explorer
2006-11-19 21:02 -------- d-------- C:\Program Files\WinRAR
2006-11-19 16:15 -------- d-------- C:\Program Files\PeDevice
2006-11-19 15:19 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-12 13:35 -------- d-------- C:\Program Files\Morpheus
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 23:18 -------- d-------- C:\Program Files\iPod
2006-11-03 15:30 -------- d-------- C:\Documents and Settings\test\Application Data\Adobe
2006-11-02 18:39 -------- d-------- C:\Program Files\Adobe
2006-11-02 18:36 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-28 09:27 -------- d-------- C:\Program Files\AWS
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --a------ C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --a------ C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --a------ C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --a------ C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-19 15:43 109360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 16:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=dword:00000003
"Schedule"=dword:00000002
"SamSs"=dword:00000002
"RasMan"=dword:00000003
"ERSvc"=dword:00000002
"NVSvc"=dword:00000002
"IDriverT"=dword:00000003

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061123-113004-130
O20 - Winlogon Notify: winlvv32 - winlvv32.dll (file missing)
backup-20061123-111904-675
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
backup-20061123-111904-814
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
backup-20061123-111904-682
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fishcwke.dll (file missing)
backup-20061123-111904-547
O2 - BHO: (no name) - {2BC144DF-8FC7-453F-AE9A-CBF6B3EFE2A2} - C:\WINDOWS\system32\mllmk.dll (file missing)
backup-20061123-111904-911
O2 - BHO: (no name) - {18DB85FD-A93B-B90C-C753-016BF42A3EEA} - C:\WINDOWS\system32\bkracun.dll
backup-20061123-111904-889
O2 - BHO: (no name) - {0F049168-504A-C193-0DF2-079B217A8CE9} - C:\WINDOWS\system32\bgnhove.dll
backup-20061123-111904-299
O2 - BHO: (no name) - {07535D90-164F-0432-F98E-0AAAC88D266F} - C:\WINDOWS\system32\tcdenj.dll
backup-20061123-111904-506
O2 - BHO: (no name) - {00EB110D-5E8E-4D70-9AA4-6E91BB57F1A3} - C:\WINDOWS\system32\ddcya.dll (file missing)
backup-20061119-211407-747
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30006D4D-0A6A-1033-0106-050818040001}\888.dll
backup-20061119-211350-658
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30006D4D-0A6A-1033-0106-050818040001}\888.dll
backup-20061119-211350-727
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll
backup-20061119-211246-515
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgod.dll,startup
backup-20061119-211246-714
O4 - HKLM\..\Run: [exclgse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\exclgse.dll,givigpe
backup-20061119-211138-881
O11 - Options group: [INTERNATIONAL] International*
backup-20061119-211138-405
R3 - URLSearchHook: (no name) - {AF99759F-A96C-DDBD-7000-CC891F2833C2} - C:\WINDOWS\system32\suikfybh.dll
backup-20061119-211138-245
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30006D4D-0A6A-1033-0106-050818040001}\888.dll
backup-20061119-211138-849
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061119-192909-281
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
backup-20061119-185011-671
O4 - Startup: iexplore.exe
backup-20061119-185011-360
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
backup-20061119-185011-443
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
backup-20061119-184716-427
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9185928859
backup-20061119-184716-605
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
backup-20061119-184716-259
O4 - Startup: iexplore.exe
backup-20061119-184716-678
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
backup-20061119-184716-864
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
backup-20061119-184716-573
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... .xbox.com/
backup-20061119-181351-446
O4 - Startup: iexplore.exe
backup-20061119-181351-826
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061119-181351-179
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
backup-20061119-181351-326
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... r.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
backup-20061119-181351-616
R3 - URLSearchHook: (no name) - {7DEB0398-8C34-A8EC-7955-B9CE6BCFEDC9} - C:\WINDOWS\system32\potjvd.dll
backup-20061119-181351-836
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061119-150743-265
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - C:\WINDOWS\system32\cfltygd.dll
backup-20061119-150743-260
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
backup-20061119-150743-781
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
backup-20061119-150743-169
R3 - URLSearchHook: (no name) - {C97B0B9C-D56C-F5B9-2DE0-B29EFE4652C0} - C:\WINDOWS\system32\zbhbm.dll
backup-20061119-150743-364
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
backup-20061119-150743-898
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
backup-20061119-150743-262
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
backup-20061119-150743-866
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061119-150743-165
O4 - HKLM\..\Run: [ybzxmpd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ybzxmpd.dll,fnnccue
backup-20060325-161159-368
O11 - Options group: [INTERNATIONAL] International*
backup-20060325-161159-816
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
backup-20060325-161158-139
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
backup-20050619-215254-347
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
backup-20050619-215254-264
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
backup-20050619-214837-300
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
backup-20050619-214837-340
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
backup-20050619-214837-406
O15 - Trusted Zone: *.media-motor.net
backup-20050619-214837-968
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
backup-20050619-214837-827
O15 - Trusted Zone: *.popuppers.com
backup-20050619-214837-383
O4 - HKCU\..\RunOnce: [qf2x7.exe] C:\WINDOWS\System32\qf2x7.exe /k
backup-20050619-214837-105
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
backup-20050619-214837-988
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
backup-20050619-214837-155
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
backup-20050619-214837-745
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
backup-20050619-214837-606
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
backup-20050619-214837-603
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
backup-20050619-214837-568
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
backup-20050619-214837-546
O4 - HKLM\..\Run: [Pparexcq] C:\Program Files\Lesmd\Lolk.exe
backup-20050619-214837-613
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
backup-20050619-214837-621
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
backup-20050619-214837-211
O4 - HKLM\..\Run: [zanu] c:\program files\zangoclient\zanu.exe
backup-20050619-214837-944
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
backup-20050619-214837-361
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
backup-20050619-214837-354
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
backup-20050619-214837-293
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
backup-20050619-214837-275
O4 - HKLM\..\RunOnce: [qf2x7.exe] C:\WINDOWS\System32\qf2x7.exe /k
backup-20050619-214837-435
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
backup-20050619-214837-780
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\cb2rqfk.dll (file missing)
backup-20050619-214837-385
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\brg.dll
backup-20050619-214837-123
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
backup-20050512-205208-989
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
backup-20050512-204706-126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
backup-20050512-204706-120
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
backup-20050512-204706-458
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
backup-20050512-204617-314
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
backup-20050512-204602-869
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
backup-20050512-204602-859
O15 - Trusted Zone: *.popuppers.com
backup-20050512-204602-681
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
backup-20050512-204602-649
O15 - Trusted Zone: *.media-motor.net
backup-20050512-204602-952
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
backup-20050510-163038-130
O15 - Trusted Zone: *.popuppers.com
backup-20050510-163038-827
O15 - Trusted Zone: *.media-motor.net
backup-20050510-163015-809
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTickets ... refid=3160
backup-20050510-163015-698
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
backup-20050510-163015-175
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
backup-20050510-163014-735
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
backup-20050510-163014-247
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Media ... ge-c18.cab
backup-20050510-163014-158
O15 - Trusted Zone: *.media-motor.net
backup-20050510-163014-480
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
backup-20050510-163014-343
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
backup-20050510-163014-948
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
backup-20050510-163014-980
O15 - Trusted Zone: *.popuppers.com
backup-20050510-163014-750
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20050505-225717-167
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
backup-20050505-225633-362
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
backup-20050505-225633-539
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
backup-20050505-225633-194
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
backup-20050505-225633-143
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\cb2rqfk.dll
backup-20050505-225633-238
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
backup-20050505-225633-321
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-23 14:22:30.37
C:\ComboFix.txt ... 06-11-23 14:22


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:08:01 PM 11/23/2006

+ Scan result:



C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP128\A0009668.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-3482209959-4056040374-1449709486-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\test\Desktop\OiUninstaller.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP147\A0011940.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP154\A0012159.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP163\A0012895.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{00006D4D-0A6A-1033-0106-050818040001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{00006D4D-0A6A-1033-0106-050818040001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP147\A0011929.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP148\A0011979.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP148\A0011983.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP148\A0011984.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP155\A0012263.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\efcyaax.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\geebyvs.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqrsst.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP163\A0012936.exe -> Adware.VirusBurst.c : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Toolbar -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Toolbar\PlugIns -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP140\A0011510.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP147\A0011933.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP149\A0011989.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP140\A0011509.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP147\A0011932.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP149\A0011990.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP140\A0011512.exe -> Downloader.Zlob.avv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP140\A0011513.exe -> Downloader.Zlob.avv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP145\A0011677.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP154\A0012252.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP155\A0012274.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP159\A0012445.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP159\A0012457.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP160\A0012559.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP160\A0012574.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012742.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP163\A0012904.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP163\A0012915.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP163\A0012927.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP138\A0011462.exe -> Hijacker.VB.qb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP148\A0011954.exe -> Hijacker.VB.qb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012731.exe -> Hijacker.VB.qb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012732.exe -> Hijacker.VB.qb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012733.exe -> Hijacker.VB.qb : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.47:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.81:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.82:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.111:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.112:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.113:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.114:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.115:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.118:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.51:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.52:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.53:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.56:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.133:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.116:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.117:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.119:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.25:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.70:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.71:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.72:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.73:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.74:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.75:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.76:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.77:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.78:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.29:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.30:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.129:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.145:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.146:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.147:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.148:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.152:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.60:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.61:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.62:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.37:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.38:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.39:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.87:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.88:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.89:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.90:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.91:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.92:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.158:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.140:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.141:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.142:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.22:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.23:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.24:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.33:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.34:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.40:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.41:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.42:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\0i6scip8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.17:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.18:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.19:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.20:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.21:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\9cn7jobc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP146\A0011703.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\HijackThis\backups\backup-20050505-225633-143.dll -> Trojan.Delf.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012730.dll -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012735.sys -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012737.dll -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012744.exe -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012747.sys -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012741.exe -> Trojan.Kolweb.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DFE557A5-2C84-4D33-8CD3-74AF8D857803}\RP161\A0012734.exe -> Trojan.Small.cy : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 2:26:12 PM, on 11/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


:D
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm
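An added example, not code from this thread or from HijackThis itself: a small Python parser for the O4, O9, O10, O20 and O23 line formats seen in the log above. It pulls the real file path out of each entry (unquoting it and looking past rundll32 to the DLL it loads) and flags the things a helper scans for first: load points whose target is marked "(file missing)", a broken Winsock LSP, and DLLs registered as Winlogon Notify handlers. The sample log lines are copied from the post; the heuristic of cutting unquoted arguments at " -" or " /" is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# One regex per section type shown in this thread; other sections are skipped.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9": re.compile(r"^O9 - Extra [^:]+: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O10": re.compile(r"^O10 - (?P<name>.*?)'(?P<target>[^']+)'.*$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<target>.*)$"),
}

@dataclass
class Entry:
    section: str
    name: str
    path: str
    company: str = ""
    flags: list = field(default_factory=list)

def extract_path(target: str) -> str:
    """Recover the file path from a command line: unquote it, look past
    rundll32 to the DLL it loads, and cut unquoted arguments at ' -' or ' /'."""
    t = target.replace("(file missing)", "").strip()
    if t.lower().startswith("rundll32.exe "):
        return t.split(None, 1)[1].split(",")[0].strip().strip('"')
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", t, maxsplit=1)[0]   # heuristic (assumption)

def parse_line(line: str):
    """Parse one log line into an Entry, or None if the section is not handled."""
    line = line.strip()
    section = line.split(" ", 1)[0]
    pat = PATTERNS.get(section)
    m = pat.match(line) if pat else None
    if not m:
        return None
    g = m.groupdict()
    e = Entry(section, g["name"].strip(), extract_path(g["target"]), g.get("company", ""))
    if "(file missing)" in line:
        e.flags.append("file missing")      # load point survives, target is gone
    if section == "O10":
        e.flags.append("broken lsp")        # missing Winsock LSP DLL breaks networking
    if section == "O20":
        e.flags.append("winlogon notify")   # DLL runs inside winlogon at every logon
    return e

def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]
```

Running `parse_log` over a full saved HijackThis log gives a list of entries whose `flags` you can filter on before deciding what to remove.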

Unread postby Trogan » November 23rd, 2006, 4:53 pm

Hi skicb,

Thanks for the logs. I'm looking at the ComboFix log now and that will take some time. Did you manage to find out anything in the Display Utility folder?
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Trogan » November 23rd, 2006, 7:19 pm

Hi skicb! Please do the following...

Find and delete the following folder in RED:

C:\Program Files\VSAdd-in

You can also delete these tools:

SmitfraudFix
VundoFix
ComboFix

__________________________________

Please download Killbox and save it to your desktop.

Next, copy everything in the Quote box below by pressing Ctrl+C
C:\WINDOWS\system32\exclgse.dll
C:\WINDOWS\system32\bkracun.dll
C:\WINDOWS\system32\cpktepe.dll
C:\WINDOWS\system32\tcdenj.dll
C:\WINDOWS\system32\jkclwifk.exe
C:\WINDOWS\system32\ybzxmpd.dll
C:\WINDOWS\system32\bgnhove.dll

Next, open Killbox
Go to File tab and select Paste from Clipboard
Select the Delete on Reboot option
Select All Files
Now click on the Red Circle with the White X
Press Yes to reboot your computer.
__________________________________

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
    • Java 2 Runtime Environment, SE v1.4.1_02
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
__________________________________

Please let me know how the computer is now. Also, let me know about Display Utility.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby skicb » November 23rd, 2006, 10:28 pm

Display Utility is empty. It shows up as a program in control panel in add/remove programs.

Will finish up the final instx shortly.

Thanks for your continuing help!
skicb
Regular Member
 
Posts: 57
Joined: April 25th, 2005, 11:03 pm