Folder won't delete

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by earlofsabden » April 29th, 2007, 5:21 pm

A folder that I created within "Program Files" to download stuff into has been infected.... When I run a virus scan through it, either full scan or just to that folder; the scan stops when it hits this folder and will progress no further.....

I cannot right click the folder to "delete".... when I do this the Windows Explorer Error Box pops up and I have to select... "Don't Send"........Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience and the PC refreshes itself back to the desktop.....

I cannot open "add/remove programs" from Control Panel.....

All pages opened from searches in google re-direct to advertisement sites....

EVEN taking the mouse over the folder WITHOUT clicking it makes the PC refresh the desktop.... So a remove on reboot program won't work either...

Limewire where I get stuff from to direct into this folder will NOT open either.....

How do I delete this infected folder.....

Any ideas would be helpful..... ta very muchly.
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn

Post by random/random » May 4th, 2007, 3:17 pm

  • Download HJTsetup.exe from here
  • Double click on HJTsetup.exe to start the install of HijackThis by merijn
  • Click Next>
  • Click Next>
  • Click Next>
  • Select the option to Create a desktop icon
  • Click Next>
  • Click Install
  • Click Finish
  • Click Do a system scan and save a logfile
  • It will produce a log for you, post the contents of that log as a reply to this topic
  • Note: To run HijackThis again in future, double click on the HijackThis shortcut on your desktop
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Post by earlofsabden » May 6th, 2007, 7:58 am

Log File posted:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:31, on 06/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://earlofsabden.spaces.live.com//Ph ... nPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5940666000
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MpService - Canon Inc - F:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Unknown owner - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn

Post by random/random » May 6th, 2007, 8:49 am

You have two antivirus programs installed, AntiVir and AVG. This can cause conflicts and reduce the overall level of protection, so please uninstall one of them.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

No extra.txt appeared...... Only main.txt

Post by earlofsabden » May 6th, 2007, 10:38 am

Main.txt posted here.

"My Way" is the folder that won't delete, thanks: Neil.

2007-05-06 14:41:38 0 d-------- F:\Program Files\MyWay
Deckard's System Scanner v20070426.43
Run by Home PC on 2007-05-06 at 15:33:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Home PC.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:33:18, on 06/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Documents and Settings\Home PC\Desktop\dss.exe
F:\PROGRA~1\Hijackthis\Home PC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://earlofsabden.spaces.live.com//Ph ... nPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5940666000
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MpService - Canon Inc - F:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Unknown owner - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)


-- Files created between 2007-04-06 and 2007-05-06 -----------------------------

2007-05-06 15:08:07 0 d-------- F:\Documents and Settings\All Users\Application Data\Avg7
2007-05-06 13:26:48 0 d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-05-06 13:26:13 0 d-------- F:\Program Files\Common Files\Wise Installation Wizard
2007-05-06 12:25:18 0 dr-h----- F:\Documents and Settings\Home PC\Recent
2007-05-01 22:54:38 0 --a------ F:\Documents and Settings\Home PC\my way
2007-05-01 22:54:06 0 --a------ F:\Documents and Settings\Home PC\my
2007-05-01 22:37:37 0 d-------- F:\Program Files\MSECache
2007-04-30 18:53:03 0 --a------ F:\Documents and Settings\Home PC\RMDIR
2007-04-29 19:57:20 0 d-------- F:\Program Files\DVDFab Decrypter 3
2007-04-29 16:55:27 0 d-------- F:\Program Files\GiPo@Utilities
2007-04-29 16:55:27 0 d-------- F:\Program Files\Common Files\Gibinsoft Shared
2007-04-29 16:55:21 0 d-------- F:\Documents and Settings\All Users\Templates
2007-04-28 22:55:12 5242880 --a------ F:\Documents and Settings\Home PC\ntuser.dat
2007-04-28 22:07:35 0 d-------- F:\Program Files\SUPERAntiSpyware
2007-04-28 22:07:35 0 d-------- F:\Documents and Settings\Home PC\Application Data\SUPERAntiSpyware.com
2007-04-28 21:18:57 0 d-------- F:\!KillBox
2007-04-20 15:50:36 233472 --a------ F:\Documents and Settings\LocalService\ntuser.dat
2007-04-17 23:12:39 0 d-------- F:\Program Files\Incomplete
2007-04-17 23:12:10 0 d-------- F:\Documents and Settings\Home PC\Incomplete
2007-04-17 23:11:37 0 d-------- F:\Documents and Settings\Home PC\Application Data\LimeWire
2007-04-17 23:11:10 0 d-------- F:\Program Files\LimeWire
2007-04-06 17:20:01 0 d-------- F:\Documents and Settings\Home PC\Application Data\Syntrillium
2007-04-06 17:18:15 0 d-------- F:\Program Files\coolpro2


-- Find3M Report ---------------------------------------------------------------

2007-05-06 14:41:38 0 d-------- F:\Program Files\MyWay
2007-05-06 12:23:08 0 d-------- F:\Program Files\GIMP-2.0
2007-05-06 12:21:34 0 d-------- F:\Program Files\OpenOffice.org 2.1
2007-05-06 12:17:17 0 d-------- F:\Program Files\NetDrive
2007-05-06 12:09:35 0 d-------- F:\Program Files\Microsoft ActiveSync
2007-05-06 12:07:00 0 d-------- F:\Documents and Settings\Home PC\Application Data\Intel
2007-05-06 12:04:26 0 d-------- F:\Program Files\Cimaware
2007-05-06 12:02:01 0 d-------- F:\Program Files\Avery Wizard 3.0
2007-05-06 11:59:06 0 d-------- F:\Program Files\BitTorrent
2007-04-29 21:21:57 454 --a------ F:\Program Files\Shortcut to MyWay.lnk
2007-04-29 11:52:20 0 d-------- F:\Program Files\Google
2007-04-02 14:40:56 0 d-------- F:\Program Files\Remove on Reboot
2007-03-20 18:29:45 0 d-------- F:\Program Files\EmbossIt
2007-03-19 20:24:47 0 d-------- F:\Documents and Settings\Home PC\Application Data\gtk-2.0
2007-03-18 22:57:02 0 d-------- F:\Documents and Settings\Home PC\Application Data\MoyeaFLV2Video
2007-03-18 22:45:57 318 --a------ F:\Program Files\ReplayConverterLog.log
2007-03-18 22:37:35 18477 --a------ F:\Program Files\irunin.ini
2007-03-18 22:37:13 0 d-------- F:\Program Files\App
2007-03-18 22:37:11 0 d-------- F:\Program Files\plugins
2007-03-18 22:37:09 0 d-------- F:\Program Files\Sys
2007-03-18 22:36:47 737280 --a------ F:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-03-18 22:36:47 15938 --a------ F:\Program Files\irunin.lng
2007-03-18 22:36:47 37508 --a------ F:\Program Files\irunin.dat
2007-03-18 22:36:47 8134 --a------ F:\Program Files\irunin.bmp
2007-03-18 22:33:10 0 d-------- F:\Program Files\Replay Converter
2007-03-11 15:17:09 0 d-------- F:\Documents and Settings\Home PC\Application Data\.bittorrent
2007-03-10 23:28:43 0 d--h----- F:\Program Files\InstallShield Installation Information
2007-03-09 08:12:32 27648 --ahs---- F:\WINDOWS\system32\AVSredirect.dll
2007-03-09 01:35:58 217088 --a------ F:\Program Files\RegisterCodecs.exe <Not Verified; Applian Technologies; Register Codecs>
2007-03-09 01:24:01 1165824 --a------ F:\Program Files\ReplayConverter.exe <Not Verified; Applian Technologies, Inc.; Replay Converter>
2007-03-08 16:36:59 0 d-------- F:\Program Files\Common Files\Ahead
2007-03-08 16:35:54 0 d-------- F:\Documents and Settings\Home PC\Application Data\Ahead
2007-03-08 16:33:43 0 d-------- F:\Program Files\Nero
2007-03-08 16:30:38 0 d-------- F:\Program Files\Ahead
2007-03-08 15:25:06 2508 --a------ F:\Documents and Settings\Home PC\Application Data\$_hpcst$.hpc
2007-03-07 00:59:20 4478 --a------ F:\Program Files\InstallFFdshow.reg
2007-03-06 10:13:09 10752 --a------ F:\WINDOWS\system32\ff_vfw.dll
2007-03-04 12:55:55 57411 --a------ F:\Program Files\rv20.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:55 49216 --a------ F:\Program Files\rv10.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:55 49152 --a------ F:\Program Files\RLOFRDec.ax <Not Verified; RadLight; RadLight RLOFRDec>
2007-03-04 12:55:55 98304 --a------ F:\Program Files\RLMPCDec.ax <Not Verified; RadLight; RadLight MPC DirectShow Filter>
2007-03-04 12:55:55 139264 --a------ F:\Program Files\RLAPEDec.ax <Not Verified; RadLight; RadLight APE Decoder>
2007-03-04 12:55:53 421888 --a------ F:\Program Files\RealMediaSplitter.ax <Not Verified; Gabest; RealMedia Splitter>
2007-03-04 12:55:53 155648 --a------ F:\Program Files\ralf.dll <Not Verified; RealNetworks, Inc.; RealAudio Lossless Format>
2007-03-04 12:55:53 72192 --a------ F:\Program Files\ra32clv1.dll <Not Verified; Iterated Systems, Inc.; RealVideo (Fractal) Codec>
2007-03-04 12:55:53 86016 --a------ F:\Program Files\QuickTime.ax <Not Verified; Cyberlink; Cyberlink CLQTSrc>
2007-03-04 12:55:53 123392 --a------ F:\Program Files\pncrt.dll <Not Verified; Real Networks, Inc; RealPlayer/RealServer>
2007-03-04 12:55:53 172032 --a------ F:\Program Files\OptimFROG.dll <Not Verified; Florin Ghido, FlorinGhido@yahoo.com; OptimFROG Lossless/DualStream Audio Compression, http://LosslessAudioCompression.com>
2007-03-04 12:55:52 58368 --a------ F:\Program Files\ogm.dll
2007-03-04 12:55:49 66048 --a------ F:\Program Files\mp4.dll
2007-03-04 12:55:49 45568 --a------ F:\Program Files\mkzlib.dll
2007-03-04 12:55:48 100864 --a------ F:\Program Files\mkx.dll
2007-03-04 12:55:48 23552 --a------ F:\Program Files\mkunicode.dll
2007-03-04 12:55:48 406016 --a------ F:\Program Files\libmplayer.dll
2007-03-04 12:55:48 126976 --a------ F:\Program Files\libmpeg2_ff.dll
2007-03-04 12:55:47 3128320 --a------ F:\Program Files\libavcodec.dll
2007-03-04 12:55:47 241723 --a------ F:\Program Files\hxltcolor.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:47 165376 --a------ F:\Program Files\HFE.exe
2007-03-04 12:55:46 389120 --a------ F:\Program Files\FLVSplitter.ax <Not Verified; Gabest; FLV Splitter>
2007-03-04 12:55:46 6144 --a------ F:\Program Files\FLT_ffdshow.dll
2007-03-04 12:55:45 1435136 --a------ F:\Program Files\ffmpeg2theora.exe
2007-03-04 12:55:44 547 --a------ F:\Program Files\ffdshow.ax.manifest
2007-03-04 12:55:43 2174976 --a------ F:\Program Files\ffdshow.ax <Not Verified; ; ffdshow>
2007-03-04 12:55:43 26112 --a------ F:\Program Files\ff_wmv9.dll
2007-03-04 12:55:43 57344 --a------ F:\Program Files\ff_unrar.dll
2007-03-04 12:55:43 117248 --a------ F:\Program Files\ff_tremor.dll
2007-03-04 12:55:43 170496 --a------ F:\Program Files\ff_theora.dll
2007-03-04 12:55:42 135168 --a------ F:\Program Files\ff_samplerate.dll
2007-03-04 12:55:42 153088 --a------ F:\Program Files\ff_realaac.dll
2007-03-04 12:55:42 159744 --a------ F:\Program Files\ff_libmad.dll
2007-03-04 12:55:42 397312 --a------ F:\Program Files\ff_libfaad2.dll
2007-03-04 12:55:42 167936 --a------ F:\Program Files\ff_libdts.dll
2007-03-04 12:55:42 52736 --a------ F:\Program Files\ff_liba52.dll
2007-03-04 12:55:41 135168 --a------ F:\WINDOWS\system32\DSKernel2.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS Multimedia Filter Pack>
2007-03-04 12:55:41 228864 --a------ F:\Program Files\ff_kernelDeint.dll
2007-03-04 12:55:41 160768 --a------ F:\Program Files\dxr.dll
2007-03-04 12:55:41 262144 --a------ F:\Program Files\dtsac3source.ax <Not Verified; Gabest; DTS/AC3 Sorce Filter>
2007-03-04 12:55:41 335872 --a------ F:\Program Files\drvc.dll <Not Verified; ; RealVideo 8+9+10+HFE2.1 (32-bit)>
2007-03-04 12:55:41 176195 --a------ F:\Program Files\drv2.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:40 719872 --a------ F:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2007-03-04 12:55:40 102464 --a------ F:\Program Files\drv1.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:40 20992 --a------ F:\Program Files\dnet3260.dll <Not Verified; RealNetworks, Inc.; DolbyNet(tm) Audio Codec for RealAudio(tm) (32-bit)>
2007-03-04 12:55:40 36864 --a------ F:\Program Files\ddnt3260.dll <Not Verified; RealNetworks, Inc.; DolbyNet(tm) Audio Codec for RealAudio(tm) (32-bit)>
2007-03-04 12:55:32 65602 --a------ F:\Program Files\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:32 65602 --a------ F:\Program Files\cook.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:32 253952 --a------ F:\Program Files\cdxareader.ax <Not Verified; Gabest; CDXA Reader Filter>
2007-03-04 12:55:31 308224 --a------ F:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2007-03-04 12:55:31 52224 --a------ F:\Program Files\avi.dll
2007-03-04 12:55:30 923648 --a------ F:\Program Files\VSFilter.dll <Not Verified; Gabest; VSFilter>
2007-03-04 12:55:30 77889 --a------ F:\Program Files\atrc.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:30 516096 --a------ F:\Program Files\ac3filter.ax <Not Verified; ; AC3Filter>
2007-03-04 12:55:30 57383 --a------ F:\Program Files\28_83260.dll <Not Verified; RealNetworks, Inc.; 28.8 Audio Codec for RealAudio(tm) (32-bit)>
2007-03-04 12:55:30 98343 --a------ F:\Program Files\14_43260.dll <Not Verified; RealNetworks, Inc.; 14.4 Audio Codec for RealAudio(tm) (32-bit)>
2007-03-04 12:55:29 237568 --a------ F:\Program Files\vp7dec.ax <Not Verified; On2.com Inc.; VP7 Decompression Filter>
2007-03-04 12:55:29 327680 --a------ F:\Program Files\vp6dec.ax <Not Verified; On2.com Inc.; VP6 Decompression Filter>
2007-03-04 12:55:29 73728 --a------ F:\Program Files\ts.dll
2007-03-04 12:55:29 205824 --a------ F:\Program Files\TomsMoComp_ff.dll
2007-03-04 12:55:28 496640 --a------ F:\Program Files\splitter.ax <Not Verified; ; Haali Media Splitter>
2007-03-04 12:55:28 106561 --a------ F:\Program Files\sipr3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:28 106561 --a------ F:\Program Files\sipr.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:28 49221 --a------ F:\Program Files\rv40.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2007-03-04 12:55:28 49221 --a------ F:\Program Files\rv30.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD} F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} f:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="F:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="F:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"F:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YahooMessenger.exe\" -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="F:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdwon.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^Home PC^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
"backup"="F:\\WINDOWS\\pss\\OpenOffice.org 2.1.lnkStartup"
"location"="Startup"
"command"="F:\\PROGRA~1\\OpenOffice.org 2.1\\program\\quickstart.exe "
"item"="OpenOffice.org 2.1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="F:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"F:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-06 at 15:34:01 ---------
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn

Unread postby random/random » May 6th, 2007, 10:45 am

Please also post extra.txt
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

extra

Unread postby earlofsabden » May 6th, 2007, 10:50 am

extra.txt didn't appear as you stated..... So I deleted it from the desktop and re-downloaded it to the desktop, ran the process but ONLY main.txt was there, extra.txt wasn't minimized.

Please advise?
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn

Unread postby random/random » May 6th, 2007, 11:12 am

To assist diagnosis I would like a list of installed programs.
  • Open HijackThis and select Open the Misc Tools section
  • Click on the Open Uninstall Manager…
  • Select the Save List button
  • I suggest that you accept the default name of uninstall_list.txt and save the file to your desktop
  • Close HijackThis


Post back with the uninstall list
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Unread postby tyciol » May 7th, 2007, 5:26 am

How do viruses stop files being deleted? I know 'read only' can't be deleted so maybe they enable that. Or, the virus is running within that location and you can't delete a running file. I guess a bonus is that you know it's in there so you'll know where to look while scanning.
tyciol
Active Member
 
Posts: 5
Joined: May 7th, 2007, 4:55 am
Location: Canada

Unread postby random/random » May 7th, 2007, 7:13 am

Can you post the uninstall list?
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Sorry it took a while!

Unread postby earlofsabden » May 8th, 2007, 11:58 am

The Uninstall list as required, thanks.... Neil.

Ad-Aware SE Professional
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Avery Wizard 3.0
Avira AntiVir PersonalEdition Classic
Belarc Advisor 7.2
Canon MultiPASS Suite 4.00
CCleaner (remove only)
Cool Edit Pro 2.0
DataRecall
DD PlayCam
Driving Test Success 2006/7
DVDFab Decrypter 3.0.9.6
eBay Toolbar
GiPo@MoveOnBoot 1.9.5
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GTK+ 2.10.6-1 runtime environment
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
ImageRecall - Full Version
Intel(R) PROSet/Wireless Software
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
NVIDIA Audio Driver
NVIDIA nForce Utilities
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 2000/XP nForce Drivers
Office Live Image Uploader
PowerDVD
Quick Screen Capture 3.0
RealPlayer
Remove on Reboot Shell Extension
Replay Converter 2.60 B
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
VideoCAM Eye
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Yahoo! Messenger
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn

Unread postby random/random » May 8th, 2007, 12:16 pm

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    Code: Select all
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic, along with the smitfraudfix log and a new HijackThis log
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Ok 3 scans are listed below

Unread postby earlofsabden » May 8th, 2007, 12:48 pm

Rapport.txt

SmitFraudFix v2.177

Scan done at 17:27:20.79, 08/05/2007
Run from F:\Documents and Settings\Home PC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\WINDOWS\system32\cmd.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» F:\


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\Home PC


»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\Home PC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» F:\DOCUME~1\HOMEPC~1\FAVORI~1

F:\DOCUME~1\HOMEPC~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» F:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdwon.exe"

kdwon.exe detected !


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F871561-25B4-4694-95E0-8D7FFB470567}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F871561-25B4-4694-95E0-8D7FFB470567}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7F871561-25B4-4694-95E0-8D7FFB470567}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Fsbl.exe Scan:

05/08/07 17:33:03 [Info]: BlackLight Engine 1.0.61 initialized
05/08/07 17:33:03 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/08/07 17:33:03 [Note]: 7019 4
05/08/07 17:33:03 [Note]: 7005 0
05/08/07 17:33:12 [Note]: 7006 0
05/08/07 17:33:12 [Note]: 7022 0
05/08/07 17:33:13 [Note]: 7011 2016
05/08/07 17:33:13 [Note]: 7026 0
05/08/07 17:33:13 [Note]: 7026 0
05/08/07 17:33:17 [Note]: FSRAW library version 1.7.1021
05/08/07 17:33:17 [Note]: 2000 1012
05/08/07 17:38:58 [Info]: Hidden file: f:\WINDOWS\system32\kdwon.exe
05/08/07 17:38:58 [Note]: 7002 32
05/08/07 17:38:58 [Note]: 7003 1
05/08/07 17:38:58 [Note]: 10002 1
05/08/07 17:44:02 [Note]: 7007 0


HiJackThis Scan:

Ad-Aware SE Professional
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Avery Wizard 3.0
Avira AntiVir PersonalEdition Classic
Belarc Advisor 7.2
Canon MultiPASS Suite 4.00
CCleaner (remove only)
Cool Edit Pro 2.0
DataRecall
DD PlayCam
Driving Test Success 2006/7
DVDFab Decrypter 3.0.9.6
eBay Toolbar
GiPo@MoveOnBoot 1.9.5
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GTK+ 2.10.6-1 runtime environment
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
ImageRecall - Full Version
Intel(R) PROSet/Wireless Software
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
NVIDIA Audio Driver
NVIDIA nForce Utilities
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 2000/XP nForce Drivers
Office Live Image Uploader
PowerDVD
Quick Screen Capture 3.0
RealPlayer
Remove on Reboot Shell Extension
Replay Converter 2.60 B
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
VideoCAM Eye
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Yahoo! Messenger


Thanks.... Neil.
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn
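As an added example (not part of the original thread, and not SmitfraudFix's or Deckard's code): a small Python triage script that reads a SmitfraudFix rapport.txt of the kind posted above, and the same Winlogon "system"="kdwon.exe" value that appeared earlier in the Deckard's System Scanner output, and pulls out what a helper checks first: the Winlogon System value, the DHCP-assigned resolvers, the hosts file entries, and any line the tool itself marked FOUND ! or detected !. The embedded log is constructed from the thread's output and trimmed, with one hosts line added to show what a hijack (a name pointed somewhere other than loopback) looks like. Two assumptions are built in: that the Winlogon System value is empty on a clean XP install, and an illustrative resolver allowlist, since the thread does not say whose resolvers 194.168.4.100 and 194.168.8.100 are.

```python
"""Triage helper for SmitfraudFix rapport.txt logs (added example, not a thread tool)."""
import ipaddress
import re

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")            # section headers: »»» name
WINLOGON_SYSTEM_RE = re.compile(r'^"System"="(.*)"\s*$', re.IGNORECASE)
DNS_RE = re.compile(r"^DNS Server Search Order:\s*(\S+)")

# Assumed allowlist of the resolvers a helper expects DHCP to hand out.
# The thread does not identify these addresses, so this is illustrative only.
EXPECTED_RESOLVERS = {"194.168.4.100", "194.168.8.100"}

# Constructed sample, trimmed from the thread's posted rapport.txt; the
# 10.0.0.1 hosts line is added to show a hijack rather than a block.
SAMPLE_RAPPORT = r"""SmitFraudFix v2.177

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 coolwebsearch.com # ***Inserted By STOPzilla***
10.0.0.1 www.example-av-vendor.test # constructed hijack line

»»»»»»»»»»»»»»»»»»»»»»»» F:\DOCUME~1\HOMEPC~1\FAVORI~1

F:\DOCUME~1\HOMEPC~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdwon.exe"

kdwon.exe detected !

»»»»»»»»»»»»»»»»»»»»»»»» DNS

DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

»»»»»»»»»»»»»»»»»»»»»»»» End
"""


def split_sections(text):
    """Group the log into {section name: [lines]} using the »»» headers."""
    sections = {"preamble": []}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line.rstrip())
    return sections


def winlogon_system(sections):
    """Return the Winlogon 'System' value, or None if the section is absent.

    Winlogon starts whatever is named here during start-up; on a clean XP
    install the value is empty (assumption from the lead-in), so any
    executable name is worth a look, which is why SmitfraudFix prints it.
    """
    for line in sections.get("Winlogon.System", []):
        m = WINLOGON_SYSTEM_RE.match(line)
        if m:
            return m.group(1)
    return None


def dns_servers(sections, expected=EXPECTED_RESOLVERS):
    """Return (resolvers seen in order, those outside the expected set)."""
    seen = []
    for line in sections.get("DNS", []):
        m = DNS_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen, [s for s in seen if s not in expected]


def classify_hosts(sections):
    """Split hosts entries into blocks (name -> loopback/unspecified, which
    just blackholes the name) and hijacks (name -> any other address)."""
    blocked, hijacked = [], []
    for line in sections.get("hosts", []):
        entry = line.split("#", 1)[0].split()   # drop the trailing comment
        if len(entry) < 2:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue
        for name in entry[1:]:
            if name == "localhost":
                continue                        # present in every hosts file
            if addr.is_loopback or addr.is_unspecified:
                blocked.append(name)
            else:
                hijacked.append((entry[0], name))
    return blocked, hijacked


def flagged_lines(text):
    """Lines SmitfraudFix itself marked with 'FOUND !' or 'detected !'."""
    return [l.strip() for l in text.splitlines()
            if l.rstrip().endswith(("FOUND !", "detected !"))]


def triage(text, expected=EXPECTED_RESOLVERS):
    """Collect the findings a helper would ask about first."""
    sections = split_sections(text)
    resolvers, unexpected = dns_servers(sections, expected)
    blocked, hijacked = classify_hosts(sections)
    return {
        "winlogon_system": winlogon_system(sections),
        "resolvers": resolvers,
        "unexpected_resolvers": unexpected,
        "hosts_blocked": blocked,
        "hosts_hijacked": hijacked,
        "flagged": flagged_lines(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAPPORT).items():
        print(f"{key}: {value}")
```

Run it as a script to print the findings for the embedded sample, or call triage() on the text of a real rapport.txt. The split between blocked and hijacked hosts entries is the useful check: the STOPzilla lines all point at 127.0.0.1, which only blackholes those domains, whereas a legitimate name mapped to a routable address is one of the mechanisms behind the kind of search redirection the original poster described.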

Unread postby random/random » May 8th, 2007, 1:03 pm

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
  1. c:\rapport.txt
  2. AVG-antispyware log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Results of Scans

Unread postby earlofsabden » May 8th, 2007, 5:28 pm

Three scans... followed to the letter;

Rapport.txt;

SmitFraudFix v2.177

Scan done at 21:32:44.18, 08/05/2007
Run from F:\Documents and Settings\Home PC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost #***Inserted By STOPzilla***

127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 alex.fileburst.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 apps.deskwizz.com # ***Inserted By STOPzilla***
127.0.0.1 awmdabest.com # ***Inserted By STOPzilla***
127.0.0.1 b.casalemedia.com # ***Inserted By STOPzilla***
127.0.0.1 bailefunk.com # ***Inserted By STOPzilla***
127.0.0.1 barteros.net # ***Inserted By STOPzilla***
127.0.0.1 best4all.net # ***Inserted By STOPzilla***
127.0.0.1 besthardcore.net # ***Inserted By STOPzilla***
127.0.0.1 best-targeted-traffic.com # ***Inserted By STOPzilla***
127.0.0.1 bins.elitemediagroup.net # ***Inserted By STOPzilla***
127.0.0.1 bn.i-ru.net # ***Inserted By STOPzilla***
127.0.0.1 bundleware.com # ***Inserted By STOPzilla***
127.0.0.1 burnsrecyclinginc.com # ***Inserted By STOPzilla***
127.0.0.1 campaigns.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 clickfast.biz # ***Inserted By STOPzilla***
127.0.0.1 code.jcash.biz # ***Inserted By STOPzilla***
127.0.0.1 code.trasferimento.biz # ***Inserted By STOPzilla***
127.0.0.1 command.adservs.com # ***Inserted By STOPzilla***
127.0.0.1 content.dollarrevenue.com # ***Inserted By STOPzilla***
127.0.0.1 content.exetraffic.com # ***Inserted By STOPzilla***
127.0.0.1 content2.dollarrevenue.com # ***Inserted By STOPzilla***
127.0.0.1 coolwebsearch.com # ***Inserted By STOPzilla***
127.0.0.1 cumhereteens.com # ***Inserted By STOPzilla***
127.0.0.1 cyber-search.biz # ***Inserted By STOPzilla***
127.0.0.1 ddh24.com # ***Inserted By STOPzilla***
127.0.0.1 dedmazai.com # ***Inserted By STOPzilla***
127.0.0.1 dnv-counter.com # ***Inserted By STOPzilla***
127.0.0.1 download.abetterinternet.com # ***Inserted By STOPzilla***
127.0.0.1 download.accessmedia.tv # ***Inserted By STOPzilla***
127.0.0.1 download.jupitersatellites.biz # ***Inserted By STOPzilla***
127.0.0.1 exeloads.info # ***Inserted By STOPzilla***
127.0.0.1 faccesborrate.com # ***Inserted By STOPzilla***
127.0.0.1 flavinha.com # ***Inserted By STOPzilla***
127.0.0.1 forlink.biz # ***Inserted By STOPzilla***
127.0.0.1 fullbizzone.com # ***Inserted By STOPzilla***
127.0.0.1 game4all.biz # ***Inserted By STOPzilla***
127.0.0.1 get-access.host.sk # ***Inserted By STOPzilla***
127.0.0.1 go-pic.com # ***Inserted By STOPzilla***
127.0.0.1 granjerascachondas.com # ***Inserted By STOPzilla***
127.0.0.1 heretofind.com # ***Inserted By STOPzilla***
127.0.0.1 hqthumbz.com # ***Inserted By STOPzilla***
127.0.0.1 it.online-more.com # ***Inserted By STOPzilla***
127.0.0.1 krovalidajop.com # ***Inserted By STOPzilla***
127.0.0.1 l.mezzicodec.net # ***Inserted By STOPzilla***
127.0.0.1 lust-mature.com # ***Inserted By STOPzilla***
127.0.0.1 mikos.paraisoasiatico.com # ***Inserted By STOPzilla***
127.0.0.1 mmm.elitemediagroup.net # ***Inserted By STOPzilla***
127.0.0.1 more-pages.com # ***Inserted By STOPzilla***
127.0.0.1 morteen.net # ***Inserted By STOPzilla***
127.0.0.1 moviecsodecs.com # ***Inserted By STOPzilla***
127.0.0.1 msmn.com # ***Inserted By STOPzilla***
127.0.0.1 musah.info # ***Inserted By STOPzilla***
127.0.0.1 netincap.com # ***Inserted By STOPzilla***
127.0.0.1 newsh.com # ***Inserted By STOPzilla***
127.0.0.1 niuqennaois.com # ***Inserted By STOPzilla***
127.0.0.1 nude-teen-bodies.com # ***Inserted By STOPzilla***
127.0.0.1 onlyhotlinks.com # ***Inserted By STOPzilla***
127.0.0.1 on-search.com # ***Inserted By STOPzilla***
127.0.0.1 picshunter.us # ***Inserted By STOPzilla***
127.0.0.1 picslab.com # ***Inserted By STOPzilla***
127.0.0.1 prevedtraf.biz # ***Inserted By STOPzilla***
127.0.0.1 promo.dollarrevenue.com # ***Inserted By STOPzilla***
127.0.0.1 redirect.msupdate.net # ***Inserted By STOPzilla***
127.0.0.1 rogalik.net # ***Inserted By STOPzilla***
127.0.0.1 search4www.com # ***Inserted By STOPzilla***
127.0.0.1 search-biz.biz # ***Inserted By STOPzilla***
127.0.0.1 searchforit.com # ***Inserted By STOPzilla***
127.0.0.1 searchx.cc # ***Inserted By STOPzilla***
127.0.0.1 sex-pics.biz # ***Inserted By STOPzilla***
127.0.0.1 sexyfaceplace.com # ***Inserted By STOPzilla***
127.0.0.1 snow410.info # ***Inserted By STOPzilla***
127.0.0.1 software.topinstalls.com # ***Inserted By STOPzilla***
127.0.0.1 sp2admin.biz # ***Inserted By STOPzilla***
127.0.0.1 surubanet.com # ***Inserted By STOPzilla***
127.0.0.1 teadis.net # ***Inserted By STOPzilla***
127.0.0.1 teen-biz.com # ***Inserted By STOPzilla***
127.0.0.1 teen-fantazi.com # ***Inserted By STOPzilla***
127.0.0.1 teenygirlshome.com # ***Inserted By STOPzilla***
127.0.0.1 traff5all.biz # ***Inserted By STOPzilla***
127.0.0.1 traffbest.biz # ***Inserted By STOPzilla***
127.0.0.1 traffbucks.biz # ***Inserted By STOPzilla***
127.0.0.1 traffmoney.biz # ***Inserted By STOPzilla***
127.0.0.1 ukstories.net # ***Inserted By STOPzilla***
127.0.0.1 ultra-search.biz # ***Inserted By STOPzilla***
127.0.0.1 uniq-soft.com # ***Inserted By STOPzilla***
127.0.0.1 vivisexy.com # ***Inserted By STOPzilla***
127.0.0.1 wearehosters.com # ***Inserted By STOPzilla***
127.0.0.1 www.0websearch.com # ***Inserted By STOPzilla***
127.0.0.1 www.600pics.com # ***Inserted By STOPzilla***
127.0.0.1 www.all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 www.all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 www.bailefunk.com # ***Inserted By STOPzilla***
127.0.0.1 www.best4all.net # ***Inserted By STOPzilla***
127.0.0.1 www.besthardcore.net # ***Inserted By STOPzilla***
127.0.0.1 www.bundleware.com # ***Inserted By STOPzilla***
127.0.0.1 www.burnsrecyclinginc.com # ***Inserted By STOPzilla***
127.0.0.1 www.coolwebsearch.com # ***Inserted By STOPzilla***
127.0.0.1 www.dedmazai.com # ***Inserted By STOPzilla***
127.0.0.1 www.flavinha.com # ***Inserted By STOPzilla***
127.0.0.1 www.granjerascachondas.com # ***Inserted By STOPzilla***
127.0.0.1 www.heretofind.com # ***Inserted By STOPzilla***
127.0.0.1 www.hqthumbz.com # ***Inserted By STOPzilla***
127.0.0.1 www.lust-mature.com # ***Inserted By STOPzilla***
127.0.0.1 www.mikos.paraisoasiatico.com # ***Inserted By STOPzilla***
127.0.0.1 www.more-pages.com # ***Inserted By STOPzilla***
127.0.0.1 www.msmn.com # ***Inserted By STOPzilla***
127.0.0.1 www.msnwm.com # ***Inserted By STOPzilla***
127.0.0.1 www.newsh.com # ***Inserted By STOPzilla***
127.0.0.1 www.nude-teens-bodies.com # ***Inserted By STOPzilla***
127.0.0.1 www.onli-ne.com # ***Inserted By STOPzilla***
127.0.0.1 www.onlyhotlinks.com # ***Inserted By STOPzilla***
127.0.0.1 www.on-search.com # ***Inserted By STOPzilla***
127.0.0.1 www.picshunter.us # ***Inserted By STOPzilla***
127.0.0.1 www.picslab.com # ***Inserted By STOPzilla***
127.0.0.1 www.procounter.biz # ***Inserted By STOPzilla***
127.0.0.1 www.search4www.com # ***Inserted By STOPzilla***
127.0.0.1 www.searchforit.com # ***Inserted By STOPzilla***
127.0.0.1 www.searchx.cc # ***Inserted By STOPzilla***
127.0.0.1 www.sex-pics.biz # ***Inserted By STOPzilla***
127.0.0.1 www.sp2admin.biz # ***Inserted By STOPzilla***
127.0.0.1 www.spamcatchero.biz # ***Inserted By STOPzilla***
127.0.0.1 www.surubanet.com # ***Inserted By STOPzilla***
127.0.0.1 www.teen-biz.com # ***Inserted By STOPzilla***
127.0.0.1 www.teen-fantazi.com # ***Inserted By STOPzilla***
127.0.0.1 www.teenygirlshome.com # ***Inserted By STOPzilla***
127.0.0.1 www.traff4ppc.biz # ***Inserted By STOPzilla***
127.0.0.1 www.vivisexy.com # ***Inserted By STOPzilla***
127.0.0.1 www.voghp.com # ***Inserted By STOPzilla***
127.0.0.1 www.wearehosters.com # ***Inserted By STOPzilla***
127.0.0.1 www.ysbweb.com # ***Inserted By STOPzilla***
127.0.0.1 www.zgallery.us # ***Inserted By STOPzilla***
127.0.0.1 www.zonebest.com # ***Inserted By STOPzilla***
127.0.0.1 ybbwxlxytz.biz # ***Inserted By STOPzilla***
127.0.0.1 yepjnddqpq.biz # ***Inserted By STOPzilla***
127.0.0.1 yhvoo.eseconsult.info # ***Inserted By STOPzilla***
127.0.0.1 yougoodheer.com # ***Inserted By STOPzilla***
127.0.0.1 ysbweb.com # ***Inserted By STOPzilla***
127.0.0.1 z-advertise.com # ***Inserted By STOPzilla***
127.0.0.1 zchxsikpgz.biz # ***Inserted By STOPzilla***
127.0.0.1 zgallery.us # ***Inserted By STOPzilla***
127.0.0.1 zonebest.com # ***Inserted By STOPzilla***

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F871561-25B4-4694-95E0-8D7FFB470567}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F871561-25B4-4694-95E0-8D7FFB470567}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7F871561-25B4-4694-95E0-8D7FFB470567}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


AVG Spyware Scan;

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:20:28 08/05/2007

+ Scan result:



F:\Program Files\HbTools\HBTV\uninstaller.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{4C7BFA3B-2596-4FB3-A36D-55336C134842}\RP81\A0022264.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0} -> Adware.Generic : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\Cml.exe -> Adware.HotBar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtCoreSrv.dll -> Adware.HotBar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtGuard.exe -> Adware.HotBar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtHostOE.dll -> Adware.Hotbar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtHostOL.dll -> Adware.HotBar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtInstIE.dll -> Adware.HotBar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtOEAddOn.exe -> Adware.HotBar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtSrv.exe -> Adware.Hotbar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtToolbar.dll -> Adware.Hotbar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\Bin\4.8.4.0\HbtWallpaper.dll -> Adware.Hotbar : Cleaned with backup (quarantined).
F:\Program Files\HbTools\HBTV\HBTVHelper.dll -> Adware.HotBar : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{4C7BFA3B-2596-4FB3-A36D-55336C134842}\RP70\A0019566.exe -> Adware.HotBar : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{4C7BFA3B-2596-4FB3-A36D-55336C134842}\RP81\A0022263.dll -> Adware.HotBar : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{4C7BFA3B-2596-4FB3-A36D-55336C134842}\RP82\A0022384.exe -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\Install -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\MachineInfo -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\Mail -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\PI -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\HbTools\Upgrade -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\Install -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\HbTools\Install\CmpMap -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Common -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Common\Time -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Common\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\EUI -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\HtmlPPP -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\ImagesHistory -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Install -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\MachineInfo -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\MultiUrl -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\PI -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\PI\3.2 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\keren -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\nobbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\salespartion -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg860 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg861 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg887 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg888 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg889 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg910 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg914 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg915 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg940 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg941 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg942 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg943 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg946 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg947 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg948 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg955 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg956 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Sample\Hist\sg957 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\UserInfo -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\Weather -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\dynamic -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\dynamicFail -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\links -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\mail -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\options -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HbTools\updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HostOI -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\HostOI\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Install -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Install\Icons -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Install\Links -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time\HostIE -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time\HostIE\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time\HostOI -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time\HostOI\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time\HostOL -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\Time\HostOL\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\hostol -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\hostol\Mail -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\hostol\Updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-329068152-2146984249-1003\Software\HbTools\hostol\soho -> Adware.HotBar : Cleaned with backup (quarantined).


::Report end



HiJackThis Scan;

Logfile of HijackThis v1.99.1
Scan saved at 22:22:02, on 08/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - F:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://earlofsabden.spaces.live.com//Ph ... nPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5940666000
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MpService - Canon Inc - F:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Unknown owner - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)



Thanks..... Neil.
earlofsabden
Active Member
 
Posts: 11
Joined: April 29th, 2007, 5:11 pm
Location: Blackburn