got some nasties - help please

Post by Twyst » May 25th, 2007, 5:25 pm

Tried a lot of things and keep getting smitfraud-c.toolbar888 with my Spybot S&D searches. Delete it and it comes back. Seems like it is downloading other nasties too. Have managed to get rid of a few things, but new ones replace them almost as quick or quicker. If you could look at my HijackThis log and give me whatever help you can, I'd appreciate it very much.

Logfile of HijackThis v1.99.1
Scan saved at 5:14:01 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\NOTEDAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Sucks Like Bill Gates
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27d19fdf-efd0-42a9-a74c-2638d5738a1b} - C:\WINDOWS\system32\conlog.dll
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: conlog - C:\WINDOWS\SYSTEM32\conlog.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


Thanks for looking!

Twyst
Regular Member
 
Posts: 23
Joined: May 25th, 2007, 4:47 pm
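The log above is where a helper's triage starts, and the entries that matter are easy to miss among the harmless OEM startup items. The script below is an added example written for this page, not a tool from the thread or from the HijackThis authors: it reads HijackThis lines and flags the patterns that stand out in this log: an unnamed O2 BHO that loads a DLL sitting directly in C:\WINDOWS or system32 (conlog.dll, wcidBHO.dll), an O20 Winlogon Notify package outside a small allowlist (the allowlist is an assumption of the example, not something the thread provides), an O4 autostart whose target is not an .exe or that lives under the Windows 9x RunServices key (the three IESet entries), and "(no file)" orphans that need only registry cleanup. The sample input is copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Winlogon Notify packages that are normal on a Windows XP SP2 box (Windows
# defaults plus the Intel graphics and WGA entries seen in this log). This
# allowlist is an assumption for the example, not something the thread states.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}

# A DLL dropped directly into one of these directories and loaded by an
# unnamed BHO is the classic Vundo/Virtumonde placement.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

O2_O3_RE = re.compile(r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reason: str


def _directly_in_system_dir(path: str) -> bool:
    """True if the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32, not a deeper subfolder."""
    p = path.lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in SYSTEM_DIRS)


def autostart_target(cmd: str) -> str:
    """Pull the program out of an O4 command: quoted path, else up to the first .exe, else first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def triage(log_lines):
    """Return the HijackThis entries worth a second look, one Finding per line."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = O2_O3_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(Finding(m["section"], m["name"], m["path"], "orphaned CLSID, no file on disk (cleanup only)"))
            elif m["name"] == "(no name)" and _directly_in_system_dir(m["path"]):
                findings.append(Finding(m["section"], m["name"], m["path"], "unnamed BHO/toolbar loading a DLL from a Windows directory"))
            continue
        m = O20_RE.match(line)
        if m:
            if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("O20", m["name"], m["path"], "unknown Winlogon Notify package (loaded into winlogon.exe at every logon)"))
            continue
        m = O4_RE.match(line)
        if m:
            target = autostart_target(m["cmd"])
            reasons = []
            if m["key"].lower() == "runservices":
                reasons.append("RunServices key (a Windows 9x autostart, unusual on XP)")
            if not target.lower().endswith(".exe"):
                reasons.append("autostart target is not an .exe")
            if reasons:
                findings.append(Finding("O4", m["name"], target, "; ".join(reasons)))
    return findings


# Constructed sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27d19fdf-efd0-42a9-a74c-2638d5738a1b} - C:\WINDOWS\system32\conlog.dll
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O20 - Winlogon Notify: conlog - C:\WINDOWS\SYSTEM32\conlog.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<14}{f.target:<50}{f.reason}")
```

Run against the sample it reports fourteen entries: the two conlog.dll loads (BHO and Winlogon Notify, the pair that makes the DLL survive a reboot), both CLSIDs pointing at wcidBHO.dll, the three IESet autostarts, and seven orphaned CLSIDs. SDHelper.dll is left alone because it lives under Program Files, and the OEM entries with bare names like SOUNDMAN.EXE are not flagged because a missing path alone is too noisy to act on.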

Post by Katana » May 26th, 2007, 4:33 am

Hello Twyst and welcome to The Malware Removal Forums.

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am in training; this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.

If you can do those two things, everything should go smoothly :D

I am looking at your log and will get back as soon as possible.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Katana » May 26th, 2007, 10:43 am

Hi Twyst,
Do you use Chinese gaming forums by any chance? If so, I am afraid your password and user details may be compromised.
Please see here for more details.

Also, did you set the Internet Explorer window title to "Internet Explorer Sucks Like Bill Gates"?

VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download and Run ComboFix
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Rerun HJT to create a fresh log.
In your reply please include
  1. A fresh HJT log
  2. ComboFix log
  3. vundofix.txt
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Twyst » May 27th, 2007, 1:55 pm

I don't play on any Chinese gaming sites that I know of, but... would that compromise all passwords stored on my system? Here are the requested logs; it's a lot of reading, hope you've got time, lol. Oh yeah, yes, I changed the Internet Explorer title to "Internet Explorer Sucks Like Bill Gates". By the way, while doing the scans you requested, an Internet Explorer icon popped up on my desktop and my system was changed to make it my primary browser.


VundoFix V6.4.1

Checking Java version...

Scan started at 1:13:31 PM 5/27/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

"Owner" - 2007-05-27 13:31:03 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awtqrol.dll
C:\WINDOWS\system32\conlog.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\install.log"
"C:\windows\system32\explorer.exe"
"C:\WINDOWS\notedad.exe"
"C:\WINDOWS\system32\mp43.exe"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-27 13:13 <DIR> d-------- C:\VundoFix Backups
2007-05-26 12:00 106,459 --a------ C:\WINDOWS\byywwx.dll
2007-05-25 17:34 106,459 --a------ C:\WINDOWS\mlmjji.dll
2007-05-25 14:03 106,578 --a------ C:\WINDOWS\fcyyvu.dll
2007-05-25 11:37 106,578 --a------ C:\WINDOWS\rqolii.dll
2007-05-25 11:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-24 13:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-24 10:31 106,471 --a------ C:\WINDOWS\opopqq.dll
2007-05-23 23:08 106,368 --a------ C:\WINDOWS\ursrpq.dll
2007-05-23 19:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-23 19:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-23 19:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-23 10:29 828,307 ---hs---- C:\WINDOWS\pprutv.ini2
2007-05-23 02:16 106,428 --a------ C:\WINDOWS\vturpp.dll
2007-05-23 00:17 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-23 00:17 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-23 00:17 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-23 00:17 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-23 00:17 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-23 00:17 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-23 00:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-05-23 00:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-22 21:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\APPLIC~1\Lavasoft
2007-05-21 17:30 106,412 --a------ C:\WINDOWS\ssqpml.dll
2007-05-18 15:47 106,481 --a------ C:\WINDOWS\dddayy.dll
2007-05-18 15:32 106,492 --a------ C:\WINDOWS\efcbbb.dll
2007-05-18 15:28 34,855 --a------ C:\WINDOWS\system32\pmkjk.exe
2007-05-18 14:39 <DIR> d-------- C:\Program Files\Real
2007-05-18 14:38 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2007-05-18 14:18 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-05-18 14:18 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-05-18 14:18 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-05-18 14:18 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-05-18 14:18 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-05-18 14:18 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-18 14:18 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 14:33:53 -------- d-----w C:\Program Files\Full Tilt Poker
2007-05-27 13:45:31 -------- d-----w C:\Program Files\Poker Indicator
2007-05-25 00:23:54 -------- d-----w C:\Program Files\Diablo II
2007-05-24 08:00:39 60 ----a-w C:\WINDOWS\system32\SYSDRV.DAT
2007-05-23 00:31:02 -------- d-----w C:\Program Files\Macrogaming
2007-05-22 16:36:23 9,132 ----a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-22 04:12:39 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-19 13:26:22 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-18 18:46:40 -------- d-----w C:\Program Files\Common Files\Real
2007-05-15 05:55:19 -------- d-----w C:\Program Files\PokerStars
2007-05-15 04:39:47 -------- d-----w C:\Program Files\UltimateBet
2007-05-15 03:10:23 -------- d-----w C:\Program Files\TexasCalculatem
2007-05-13 03:36:07 -------- d-----w C:\Program Files\UltimateBuddy
2007-04-23 15:36:12 -------- d-----w C:\Program Files\Windows Live Safety Center
2007-04-09 18:21:46 -------- d-----w C:\Program Files\HollywoodPoker
2007-04-08 17:36:35 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Screenshot Sender
2007-03-28 23:11:00 -------- d-----w C:\Program Files\Microsoft Works
2007-03-16 17:02:27 11,132 ----a-w C:\WINDOWS\mozver.dat
2005-03-15 01:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{491AF6C5-21F2-46E1-C653-3DF529127D7B}=C:\WINDOWS\wcidBHO.dll [2006-12-18 22:07]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{85CF4327-68DE-1974-B32E-766E84A9706C}=C:\WINDOWS\wcidBHO.dll [2006-12-18 22:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" []
"ShowWnd"="ShowWnd.exe" []
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 18:05]
"SoundMan"="SOUNDMAN.EXE" []
"AlcWzrd"="ALCWZRD.EXE" []
"Alcmtr"="ALCMTR.EXE" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 16:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 17:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58f1d921-38a1-11d9-8b21-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73ca15af-5f69-11d9-ab64-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 13:35:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet??g

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 13:37:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 13:37

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 1:42:50 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/e ... et-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Thanks for your time thus far.
Twyst
Twyst
Regular Member
 
Posts: 23
Joined: May 25th, 2007, 4:47 pm
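ComboFix's "Files Created" section above shows the infection's footprint better than any single autostart entry: ten DLLs with six-letter random names dropped straight into C:\WINDOWS over ten days, all within a few hundred bytes of 106 KB, plus a hidden/system companion file (pprutv.ini2) whose name is vturpp.dll spelled backwards. The script below is an added example written for this page, not ComboFix's or VundoFix's own logic: it parses that section and pulls out both patterns, clustering the random-named DLLs by size and pairing each with any reversed-name companion in the same directory. The watched-directory list and the six-lowercase-letter rule are assumptions of the example tuned to this log; the sample input is copied from the ComboFix output above.

```python
import re
from dataclasses import dataclass

# One line of the ComboFix "Files Created" section, e.g.
#   2007-05-26 12:00 106,459 --a------ C:\WINDOWS\byywwx.dll
#   2007-05-27 13:13 <DIR> d-------- C:\VundoFix Backups
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>[-a-z]+)\s+(?P<path>.+?)\s*$"
)

# Where Vundo-style droppers put their payload DLLs (assumption for this example).
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32"}
RANDOM_DLL = re.compile(r"^[a-z]{6}\.dll$")


@dataclass
class Entry:
    when: str
    size: int   # -1 for directories
    attr: str
    path: str

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[1]

    @property
    def stem(self) -> str:
        return self.filename.rsplit(".", 1)[0].lower()


def parse_created(text: str):
    """Parse the 'Files Created' block; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(f"{m['date']} {m['time']}", size, m["attr"], m["path"]))
    return entries


def random_dll_clusters(entries, tolerance=0.02, min_members=3):
    """Group six-letter DLLs in the watched directories whose sizes lie within
    `tolerance` of the smallest member: repacked copies of one payload."""
    cands = sorted(
        (e for e in entries if e.size > 0 and e.directory in WATCHED_DIRS and RANDOM_DLL.match(e.filename)),
        key=lambda e: e.size,
    )
    clusters, current = [], []
    for e in cands:
        if current and e.size - current[0].size > current[0].size * tolerance:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [[e.path for e in c] for c in clusters if len(c) >= min_members]


def reversed_name_pairs(entries):
    """Pair each candidate DLL with a same-directory file whose name is its
    reverse (vturpp.dll / pprutv.ini2 in the log above), whatever the extension."""
    by_dir_stem = {}
    for e in entries:
        if e.size >= 0:
            by_dir_stem.setdefault((e.directory, e.stem), []).append(e)
    pairs = []
    for e in entries:
        if e.size > 0 and RANDOM_DLL.match(e.filename):
            for partner in by_dir_stem.get((e.directory, e.stem[::-1]), []):
                pairs.append((e.path, partner.path))
    return pairs


# Constructed sample input: lines copied from the ComboFix log in this thread.
SAMPLE_CREATED = r"""
2007-05-27 13:13 <DIR> d-------- C:\VundoFix Backups
2007-05-26 12:00 106,459 --a------ C:\WINDOWS\byywwx.dll
2007-05-25 17:34 106,459 --a------ C:\WINDOWS\mlmjji.dll
2007-05-25 14:03 106,578 --a------ C:\WINDOWS\fcyyvu.dll
2007-05-25 11:37 106,578 --a------ C:\WINDOWS\rqolii.dll
2007-05-25 11:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-24 10:31 106,471 --a------ C:\WINDOWS\opopqq.dll
2007-05-23 23:08 106,368 --a------ C:\WINDOWS\ursrpq.dll
2007-05-23 19:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-23 10:29 828,307 ---hs---- C:\WINDOWS\pprutv.ini2
2007-05-23 02:16 106,428 --a------ C:\WINDOWS\vturpp.dll
2007-05-23 00:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-21 17:30 106,412 --a------ C:\WINDOWS\ssqpml.dll
2007-05-18 15:47 106,481 --a------ C:\WINDOWS\dddayy.dll
2007-05-18 15:32 106,492 --a------ C:\WINDOWS\efcbbb.dll
2007-05-18 15:28 34,855 --a------ C:\WINDOWS\system32\pmkjk.exe
2007-05-18 14:18 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
"""

if __name__ == "__main__":
    ents = parse_created(SAMPLE_CREATED)
    for cluster in random_dll_clusters(ents):
        print(f"{len(cluster)} same-size random DLLs:", ", ".join(cluster))
    for dll, partner in reversed_name_pairs(ents):
        print("reversed-name pair:", dll, "<->", partner)
```

On this input the size clustering returns a single group of ten DLLs (106,368 to 106,578 bytes, well inside the 2% window) and the name check returns the one vturpp.dll/pprutv.ini2 pair. The legitimate msvcr80.dll is excluded by the digit in its name, and the SmitFraudFix helpers (Process.exe, dumphive.exe) by their extension. The size tolerance is a knob worth keeping loose: the copies differ by a few hundred bytes because each drop is repacked, so an exact-size match would split the family into fragments too small to report.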

Post by Katana » May 28th, 2007, 8:30 am

Hi Twyst
> I don't play any Chinese gaming sites that I know of but... Would that compromise all passwords stored on my system?
> it's a lot of reading hope you got time lol.
> Btw while doing the scans you requested an Internet Explorer icon popped up on my desktop and my system was changed to make it my primary browser.

I'll check on the password issue for you.
Yes, it's a lot of reading, so please don't panic if I am a while :D
Which browser do you normally use ?
You have a few poker programs on there. There have been some issues with these types of programs, so I will have to check if they are safe.

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby Twyst » May 28th, 2007, 12:28 pm

Hello again. I usually use Mozilla Firefox as my browser. Here is the program list you requested, not so much reading this time.

4PLAY 4.95 for Windows 95
Ad-Aware SE Personal
Adobe Reader 7.0.9
Ambush Pack 1.00 for Pocket Tanks Deluxe
avast! Antivirus
BigFix
Brother BRAdmin Professional 2.42
Brother Internet Fax 2.02
Brother MFL-Pro Suite
CCleaner (remove only)
Chaos Pack 1.00 for Pocket Tanks Deluxe
CheckIt Diagnostics
Cucusoft AVI to DVD/VCD/SVCD/MPEG Converter Pro 4.29
Diablo II
Digital Media Reader
Disney's Winnie the Pooh Toddler
Drug Lord 2
Flamethrower Pack 1.00a for Pocket Tanks Deluxe
Full Tilt Poker
Google Earth
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
HollywoodPoker.com (remove only)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
LEGO Racers 2
Messenger Plus! Live
Meteor Pack 1.00 for Pocket Tanks Deluxe
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft ActiveSync 3.8
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games Pocket Pak for Pocket PC
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo Premium 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (2.0.0.3)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Multimedia Keyboard Driver
Nero BurnRights
Nero OEM
Norton Confidence Online
Nuke Pack 1.00 for Pocket Tanks Deluxe
NYKO AirFlo Controller v0.1
PaperPort
Pocket StripPoker
Pocket Tanks Deluxe 1.00a
Poker Indicator 1.9.2
PokerStars
Power Pack 1.00 for Pocket Tanks Deluxe
PowerDVD
QuickTax 2004
Realtek High Definition Audio Driver
Scholastic's The Magic School Bus ® Explores Bugs
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Shareaza version 2.2.1.0
Sid Meier's Pirates!
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
Texas Calculatem 4 with "AutoRead"
Titan Poker
TMPGEnc 3.0 XPress
TMPGEnc DVD Author 1.6
UltimateBet
UltimateBuddy
Viewpoint Media Player
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Yahoo! Messenger

Have a Great Day!

Twyst
Twyst
Regular Member
 
Posts: 23
Joined: May 25th, 2007, 4:47 pm

Unread postby Katana » May 28th, 2007, 3:40 pm

Hi Twyst
Note: Please do not use Shareaza whilst we are trying to clean your machine

Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer

Submit a File To Jotti
We need to have the files below scanned by uploading them to Jotti

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following files: C:\WINDOWS\system32\SYSDRV.DAT
Click Open
Please repeat for the following
C:\WINDOWS\system32\drivers\iksyssec.sys
C:\WINDOWS\system32\drivers\iksysflt.sys
C:\WINDOWS\system32\drivers\ikfilesec.sys
C:\WINDOWS\system32\drivers\ikfileflt.sys
C:\WINDOWS\system32\drivers\kcom.sys
C:\WINDOWS\ssqpml.dll


Please post back, to let me know the results.


Show All Files And Folders
Now you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Delete Files
Find and delete the following Files if present
C:\WINDOWS\system32\pmkjk.exe << This file
C:\WINDOWS\vturpp.dll << This file
C:\WINDOWS\pprutv.ini2 << This file
C:\WINDOWS\ursrpq.dll << This file
C:\WINDOWS\opopqq.dll << This file
C:\WINDOWS\rqolii.dll << This file
C:\WINDOWS\fcyyvu.dll << This file
C:\WINDOWS\mlmjji.dll << This file
C:\WINDOWS\byywwx.dll << This file
C:\WINDOWS\efcbbb.dll << This file
C:\WINDOWS\dddayy.dll << This file
C:\WINDOWS\ssqpml.dll << This file


Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Move HJT
Important
Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from temporary folders, because the backups would be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your main drive (usually C:), right-click and select 'New > Folder', then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

Fix With HJT
Close all other windows and then start HijackThis
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O11 - Options group: [INTERNATIONAL] International*

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Please post a fresh copy of your HJT log along with the results from Jotti in your next post
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
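The "Delete Files" step above names twelve files. As an added example (not part of the thread and not the helper's own procedure), this is how I would handle such a list on a machine I was triaging: check which of the paths actually exist, record an MD5 of each before it moves, and move it into a quarantine folder with a `.vir` suffix (the same suffix the quarantined file in the AVG report later in the thread carries) rather than deleting it outright, so the sample is still available for a later multi-scanner upload. The temporary root, the placeholder file contents and the `demo()` function are constructed for the example; on a real XP box `root` would be `C:\`.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# The twelve paths named in the post above, relative to the system drive.
SUSPECT_PATHS = [
    r"WINDOWS\system32\pmkjk.exe",
    r"WINDOWS\vturpp.dll",
    r"WINDOWS\pprutv.ini2",
    r"WINDOWS\ursrpq.dll",
    r"WINDOWS\opopqq.dll",
    r"WINDOWS\rqolii.dll",
    r"WINDOWS\fcyyvu.dll",
    r"WINDOWS\mlmjji.dll",
    r"WINDOWS\byywwx.dll",
    r"WINDOWS\efcbbb.dll",
    r"WINDOWS\dddayy.dll",
    r"WINDOWS\ssqpml.dll",
]


@dataclass
class ManifestEntry:
    original: str          # path as listed in the post
    found: bool
    md5: str = ""          # digest taken before the file was moved
    quarantined_as: str = ""


def quarantine(root, rel_paths, qdir):
    """Move each listed file under root into qdir, hashing it first.

    Returns one ManifestEntry per listed path, present or not, so the
    result doubles as the record to post back in the thread.
    """
    os.makedirs(qdir, exist_ok=True)
    manifest = []
    for rel in rel_paths:
        src = os.path.join(root, *rel.split("\\"))
        if not os.path.isfile(src):
            manifest.append(ManifestEntry(rel, False))
            continue
        with open(src, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        # Flatten the path into the file name and add .vir so nothing will
        # load it by accident; the bytes stay available for a Jotti upload.
        dest = os.path.join(qdir, rel.replace("\\", "_") + ".vir")
        shutil.move(src, dest)
        manifest.append(ManifestEntry(rel, True, digest, dest))
    return manifest


def demo():
    """Constructed run: plant two placeholder files under a temporary root
    and quarantine the whole list. Nothing here is real malware."""
    root = tempfile.mkdtemp()
    for rel in (SUSPECT_PATHS[0], SUSPECT_PATHS[-1]):
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder bytes for the example")
    manifest = quarantine(root, SUSPECT_PATHS, os.path.join(root, "quarantine"))
    leftover = [e.original for e in manifest
                if os.path.exists(os.path.join(root, *e.original.split("\\")))]
    return manifest, leftover


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The manifest is the part worth keeping: a hash taken before the move lets the helper check the sample against an online scanner's report, and the `.vir` copy lets the file be restored if it turns out to be legitimate.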

Unread postby Twyst » May 28th, 2007, 4:51 pm

Here are the results of Jotti.

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: SYSDRV.DAT
Status:
OK
MD5 9549f6434d1be315a31a217b3cb4fb0a
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 20:37:28 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.


Going ahead with the rest of your transmission now.

Have a great day!!!!

Twyst
Twyst
Regular Member
 
Posts: 23
Joined: May 25th, 2007, 4:47 pm
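Jotti's own disclaimer above makes the practical point: a column of "Found nothing" from many engines is evidence, not proof. Two things are worth checking whenever a file is uploaded: that the MD5 in the report matches the file on disk (so the verdict applies to the bytes you actually have), and how many engines flagged it. The parser below is an added example, not code from the thread or from Jotti; it reads the alternating scanner/verdict layout of the pasted report. `CLEAN_REPORT` is a trimmed copy of the SYSDRV.DAT report above; `HIT_REPORT` is constructed in the same layout with made-up detection names purely to exercise the detection path.

```python
import hashlib
from dataclasses import dataclass

# Trimmed copy of the report posted above (four of the eighteen engines kept).
CLEAN_REPORT = """\
File: SYSDRV.DAT
Status:
OK
MD5 9549f6434d1be315a31a217b3cb4fb0a
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 20:37:28 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
Avast
Found nothing
Kaspersky Anti-Virus
Found nothing
Powered by
"""

# Constructed: same layout, with verdicts filled in so detections are parsed.
HIT_REPORT = """\
File: sample.exe
Status:
OK
MD5 00112233445566778899aabbccddeeff
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 21:00:00 (GMT)
A-Squared
Found nothing
AntiVir
HEUR/Malware
Avast
Win32:Example-A
Kaspersky Anti-Virus
Backdoor.Win32.Example.a
"""

# Page chrome that follows the results block when a whole page is pasted.
STOP_MARKERS = ("Powered by", "Disclaimer")


@dataclass
class JottiReport:
    filename: str
    md5: str
    results: dict  # scanner name -> "Found nothing" or the detection name

    def detections(self):
        return {s: v for s, v in self.results.items() if v != "Found nothing"}

    def ratio(self):
        return f"{len(self.detections())}/{len(self.results)}"


def parse_jotti(text):
    """Parse the pasted report; scanner and verdict alternate line by line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    filename = md5 = None
    results = {}
    in_results = False
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(STOP_MARKERS):
            break
        if line.startswith("File:"):
            filename = line.split(":", 1)[1].strip()
        elif line.startswith("MD5"):
            md5 = line.split()[1].lower()
        elif line.startswith("Scan taken on"):
            in_results = True
        elif in_results and i + 1 < len(lines):
            results[line] = lines[i + 1]
            i += 2
            continue
        i += 1
    if not (filename and md5 and results):
        raise ValueError("text does not look like a Jotti report")
    return JottiReport(filename, md5, results)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify_local_hash(data, reported_md5):
    """True only if the bytes on disk are the bytes the report describes."""
    return md5_hex(data) == reported_md5.lower()


def summarize(text):
    r = parse_jotti(text)
    return f"{r.filename}: {r.ratio()} engines flagged it"


if __name__ == "__main__":
    print(summarize(CLEAN_REPORT))
    print(summarize(HIT_REPORT))
```

On a real machine `verify_local_hash` would be fed the file's bytes read from disk; a mismatch means a different file was uploaded (or the file changed since), and the report's verdict does not apply.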

Unread postby Twyst » May 28th, 2007, 5:10 pm

As requested here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 5:08:02 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/e ... et-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Still wishing you a great day!!!

Twyst
Twyst
Regular Member
 
Posts: 23
Joined: May 25th, 2007, 4:47 pm
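Katana's fix list in the earlier post is mostly entries ending in `(no file)`: a BHO, toolbar or extra-button registration whose CLSID no longer resolves to any file, so nothing can load and removing the entry is safe. `(file missing)` is weaker evidence. In this very log the avast! Mail Scanner and Web Scanner services are reported as `(file missing)` while `ashMaiSv.exe` and `ashWebSv.exe` appear in the running-process list; the files plainly exist, and the stray `"` before `/service` shows HijackThis 1.99.1 has mis-parsed a quoted service image path with arguments, a known quirk of that version. The script below is an added example, not code from the thread or from HijackThis: it parses log lines in this format, cross-checks `(file missing)` entries against the process list, and returns the `(no file)` orphans as the fix list. `SAMPLE_LOG` is a handful of lines copied from the logs in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis 1.99.1 logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path up to an executable extension; stops before any
# arguments such as the "/service" HJT leaves behind after a quoted path.
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|cpl))", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    verdict: str   # orphan | stale | parse-quirk | ok
    note: str


def running_processes(log_text):
    """Base names (lower-cased) from the 'Running processes:' block."""
    procs = set()
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs


def triage(log_text):
    procs = running_processes(log_text)
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if body.endswith("(no file)"):
            verdict, note = "orphan", "CLSID points at no file; nothing can load, safe to fix"
        elif body.endswith("(file missing)"):
            pm = PATH_RE.search(body)
            base = pm.group("path").rsplit("\\", 1)[-1].lower() if pm else ""
            if base in procs:
                verdict, note = "parse-quirk", f"{base} is running; quoted image path mis-parsed, leave it"
            else:
                verdict, note = "stale", "target absent; leftover from an uninstall, review before fixing"
        else:
            verdict, note = "ok", "file present; judge by vendor and path"
        findings.append(Finding(section, raw.strip(), verdict, note))
    return findings


def fix_list(findings):
    """Lines to tick under 'Fix checked': only the orphans."""
    return [f.line for f in findings if f.verdict == "orphan"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:12} {f.section:4} {f.note}")
```

The `stale` class (the PartyPoker button here) is deliberately kept out of the fix list: it is a leftover from an uninstall rather than an infection, which matches the helper's choice not to include it.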

Unread postby Katana » May 28th, 2007, 5:31 pm

Hi Twyst

Do you have the results for the other files ?

Submit a File To Jotti
We need to have the files below scanned by uploading them to Jotti

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following files: C:\WINDOWS\system32\SYSDRV.DAT
Click Open
Please repeat for the following
C:\WINDOWS\system32\drivers\iksyssec.sys
C:\WINDOWS\system32\drivers\iksysflt.sys
C:\WINDOWS\system32\drivers\ikfilesec.sys
C:\WINDOWS\system32\drivers\ikfileflt.sys
C:\WINDOWS\system32\drivers\kcom.sys


You only need to post this section for each file
File: SYSDRV.DAT
Status:
OK
MD5 9549f6434d1be315a31a217b3cb4fb0a
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 20:37:28 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby Twyst » May 28th, 2007, 6:13 pm

Sorry about that Katana I missed the additional ones here they are.


File: kcom.sys
Status:
OK
MD5 2b5a734afc7e13fe4c2d4fb9b6428883
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 22:01:59 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

File: ikfileflt.sys
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 34f40507dddb19700914eb09862fc74d
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 22:06:16 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

File: ikfilesec.sys
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 86882f5132bc9807863ee8f631a51b40
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 22:07:58 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

File: iksysflt.sys
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 dbf937414b9630252cb48e6863139c54
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 22:09:32 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

File: iksyssec.sys
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 57a34b3b557b924e7b6655ad20f031cc
Packers detected:
-
Scanner results
Scan taken on 28 May 2007 22:11:05 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Happy Hunting

Twyst
Twyst
Regular Member
 
Posts: 23
Joined: May 25th, 2007, 4:47 pm

Unread postby Katana » May 29th, 2007, 11:26 am

Hi Twyst

That's great :D
All those files were clean, which is good!!

Your log is looking much better now
Would that compromise all passwords stored on my system?

As far as we can tell it is just game login details that the password stealer grabs.

Regarding Firefox, to restore it to the default browser
Open Firefox, click Tools >> Options >> Main, put a check mark in the box at the bottom, then click OK


If you didn't install these programs I would recommend you remove them.
The programs marked with "**" I would recommend you remove even if you did install them deliberately
Remove Programs
Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Full Tilt Poker
  • Poker Indicator 1.9.2 **
  • PokerStars **
  • UltimateBet **
  • Texas Calculatem 4 with "AutoRead"
  • UltimateBuddy **
  • HollywoodPoker.com
  • Shareaza version 2.2.1.0
  • Pocket StripPoker
Now close the Control Panel.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u1
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/

Install it, then go to Add Remove Programs and remove any older versions that may remain.

Download AVG Anti-Spyware
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


Run AVG
Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.


Please post the AVG report in your reply along with a new HJT log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby Twyst » May 29th, 2007, 5:29 pm

Howdy! Well, I had the same problem for both the updates you requested I do. The message I received was "The Windows Installer Service could not be accessed. This can occur if you are running Windows in Safe Mode, or if Windows Installer is not correctly installed. Contact your support personnel for assistance."
Attached is the AVG log and HJT log you requested though. Also I'm not sure if I should start a new topic for this but when I run CCleaner now I get a message "Error In InetCpl Missing Entry: ClearMyTracksByProcess", could this be related?

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:36:04 PM 5/29/2007

+ Scan result:



C:\WINDOWS\Titan Poker setup.exe -> Adware.Casino : No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\Explorer.exe.vir -> Hijacker.VB.re : No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP709\A0229928.exe -> Hijacker.VB.re : No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP709\A0229959.exe -> Hijacker.VB.re : No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP710\A0232038.exe -> Hijacker.VB.re : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00327425.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\RECYCLER\NPROTECT\00327426.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00327426.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00327501.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00327472.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\RECYCLER\NPROTECT\00327501.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00327472.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00327425.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00327493.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00327496.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\RECYCLER\NPROTECT\00327499.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\RECYCLER\NPROTECT\00327493.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\RECYCLER\NPROTECT\00327496.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\RECYCLER\NPROTECT\00327499.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\RECYCLER\NPROTECT\00327502.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\RECYCLER\NPROTECT\00327502.MOZ -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\RECYCLER\NPROTECT\00327426.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.13:C:\RECYCLER\NPROTECT\00327472.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00327493.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00327496.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00327499.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.16:C:\RECYCLER\NPROTECT\00327502.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.6:C:\RECYCLER\NPROTECT\00327501.MOZ -> TrackingCookie.Atdmt : No action taken.
:mozilla.15:C:\RECYCLER\NPROTECT\00327502.MOZ -> TrackingCookie.Mediaplex : No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP704\A0226008.dll -> Trojan.Agent.agv : No action taken.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 5:28:19 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/e ... et-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by128fd.bay128.hotmail.msn.com/a ... Atchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Have a Great Day!

Twyst

Unread postby Twyst » May 29th, 2007, 5:33 pm

Sorry, in the last entry this "Error In InetCpl Missing Entry: ClearMyTracksByProcess" should read "Error In InetCpl.cpl Missing Entry: ClearMyTracksByProcess".

Thanks Again

Twyst

Unread postby Katana » May 30th, 2007, 12:14 pm

Hi Twyst,

Your logs are looking good now :D

Howdy! Well I had the same problem for both the updates you requested I do. The message I received was "The Windows Installer Service could not be accessed. This can occur if you are running Windows in Safe Mode, or if Windows Installer is not Correctly Installed. Contact Your Support Personnel for Assistance."
Also I'm not sure if I should start a new topic for this, but when I run CCleaner now I get a message "Error In InetCpl Missing Entry: ClearMyTracksByProcess", could this be related?

I will look into this for you and let you know, don't start any fresh topics as yet.

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Delete Files and Folders
Find and delete the following Files and Folders if present
C:\QooBox << This folder
C:\WINDOWS\Titan Poker setup.exe << This file


Kaspersky Online Scanner
Use Internet Explorer
Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the Kaspersky log in your reply

Hopefully this will be the last one :D
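As an added example (not part of the thread, and not HijackThis's own code), here is a small Python parser for the O2/O9 lines of the log above. It picks out the "(file missing)" entries of the kind Katana asked to have fixed, and lists nameless BHOs loaded from the Windows folder for a reviewer to look at; the sample lines are constructed from the log in this thread, and the Windows-folder heuristic is my assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (the two PartyPoker lines are the ones the helper asked to have fixed).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# Shape of a CLSID-bearing HJT line: "Onn - kind: name - {CLSID} - path [(file missing)]"
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

@dataclass
class Entry:
    section: str   # O2, O9, ...
    kind: str      # BHO, Extra button, Extra 'Tools' menuitem, ...
    name: str
    clsid: str
    path: str
    missing: bool  # True when HijackThis could not find the file on disk

def parse_hjt(text):
    """Parse the O2/O9-style lines of a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["kind"], m["name"], m["clsid"],
                                 m["path"], m["missing"] is not None))
    return entries

def dead_entries(entries):
    """Registrations whose target file is gone: orphaned entries that 'Fix checked' removes."""
    return [e for e in entries if e.missing]

def unnamed_bhos_in_windows_dir(entries):
    """Nameless BHOs loaded from the Windows folder. Heuristic only (my assumption):
    not proof of malware, but where a reviewer looks first, since the legitimate
    nameless BHO here (Spybot's SDHelper.dll) lives under Program Files."""
    return [e for e in entries
            if e.section == "O2" and e.name == "(no name)"
            and e.path.upper().startswith("C:\\WINDOWS\\")]

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in dead_entries(found):
        print("fix:", e.section, e.name, e.clsid)
    for e in unnamed_bhos_in_windows_dir(found):
        print("review:", e.clsid, e.path)
```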