Free Malware Removal Forum

[heartofalion]

i torrented something and it must have latched itself on and it went undetected by my anti virus and stuff well anyways here is my hjt log (BTW i did rename it)

I hate tried spybot smitfraudfix and many other programs in normal mode and safe mode and i cannot shake this virus....its the one that pops up webpages and flashes warnings from your toolbar. I just want to get rid of it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:34:53, on 6/9/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\iftuyszv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ASUS\AASP\1.00.52\aaCenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\mgtools\analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {A0F06096-72DF-4465-BB02-D81E3A04E1B2} - \C:\Windows\system32\expo\mtcon66225.exe.dll (file missing)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Start++] "C:\Program Files\Brandon Paddock\Start++\Start++.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9041D59A-5365-417E-ADC1-98D5C7E2D849}: NameServer = 192.168.1.1,192.168.1.2
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - G:\CDBurnerXP\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6704 bytes

[maranatha]

Hi heartofalion
Welcome to MalWare Removal.
My name is maranatha
I am a Malware Removal University Undergrad and I will be helping you clean your system.
Please be patient between posts, ALL fixes and advice given is checked by a Malware removal expert before posting to you. So there may be a short delay between posts.
This insures that you will get the best advice for your situation and you can rest at ease that it is being checked by an experienced expert.
I will post back soon.
Thanks!
maranatha

[maranatha]

Hi heartofalion

I have tried smitfraudfix

Please do not run any specicalty tools unless told to do so.
You could cause harm to your system.

Please delete smitfraudfix.exe from your desktop.

i torrented something and it must have latched itself on

We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Programs and Features.

Now please do this.

Now download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

Double click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select 'Perform Quick Scan', then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Post the entire report in your next reply along with a fresh HijackThis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks
maranatha

[heartofalion]

I ran the smitfraudfix before because i was trying to disinfect it myself....I rarely come to forums and post my problems like this but this bug has got me stumped

Anyway i deleted the file i got the virus from (i did that soon after getting it) and delete smitfraudfix.exe and ran malwarebytes and here is the information you asked for

By the way thanks again so much for your help

Malwarebytes' Anti-Malware 1.14
Database version: 826

01:06:38 6/6/2008
mbam-log-6-6-2008 (01-06-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 108063
Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\Process.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:43:34, on 6/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ASUS\AASP\1.00.52\aaCenter.exe
C:\mgtools\analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A0F06096-72DF-4465-BB02-D81E3A04E1B2} - \C:\Windows\system32\expo\mtcon66225.exe.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Start++] "C:\Program Files\Brandon Paddock\Start++\Start++.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - G:\CDBurnerXP\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4605 bytes

As i post this it seems to be gone, but i had tried malwarebytes like 5 times before just now and it didnt work....was it thier 6-10-08 update?

[maranatha]

Hi heartofalion

tried malwarebytes like 5 times before just now and it didnt work....was it thier 6-10-08 update?

It's possible, you should always check for updates before running any programs like MBAM

OK please do this.

Windows Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save
Don't forget to re-enable it, when your computer is clean.


WINPATROL
Right-click the running icon of Winpatrol in the system tray and choose exit.


Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A0F06096-72DF-4465-BB02-D81E3A04E1B2} - \C:\Windows\system32\expo\mtcon66225.exe.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Windows\system32\expo <<Make sure you DO NOT delete the folder export.

Now please reboot and post one more New HJT log.

Did you download this? Just want to make sure you knowingly downloaded and installed it.
Brandon Paddock Start++
http://brandontools.com/

Please don't put your logs in a quote box, makes them harder to read.
Thanks.
Maranatha

[heartofalion]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:29:05, on 6/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ASUS\AASP\1.00.52\aaCenter.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\mgtools\analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - G:\CDBurnerXP\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4632 bytes


Yes i knowingly installed that program, it was for a task manager subsitute when i couldnt get mine to open because of smitfraud. I uninstalled it though. Thanks again for all your help. I followed all your instructions, is there anything else i need to do or am i clean

[maranatha]

Hi heartofalion
OK your HJT log is showing clean.

Lets make sure there is nothing lurking.
Please do this.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
Recycle bin

The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now lets get a on-line scan.

Please do an online scan with Kaspersky WebScanner

Click on “Accept” If your pop –up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.

• The program will launch and then begin downloading the latest definition files:
• Under Scan on the left side.Click on My Computer
• This will start the program and scan your system.
• Click the “Scan Report” On the left side.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
• Save the text file to your desktop.
• Copy and paste that information in your next post.

Please post the Kaspersky results.

Thanks
maranatha

[heartofalion]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 13, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 13, 2008 08:51:09
Records in database: 859070
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 71245
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:35:41


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1

The selected area was scanned.

********************************************************************************************************


Thank you again

[maranatha]

Hi heartofalion
I need to know if that is the full report that you received from Kaspersky?

You did not leave anything out, or delete anything from the report?

Thanks
maranatha

[heartofalion]

well i had only asked it to scan my C drive so i re did it with my whole pc (i have like a terabyte of space so it takes FOREVER) but here is the entire pc scan report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 12:34:22
Records in database: 863449
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 147306
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 03:23:13


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
F:\DL from FF\Fraps_2.9.4.rar Infected: Backdoor.Win32.Small.efu 1
F:\DL from FF\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
F:\DL from FF\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
H:\Downloads\CLONECDv5.2.9.1\Slysoft.exe Infected: Backdoor.Win32.Hupigon.cdnk 1
H:\Downloads\Official Geek Squad MRI CD ISO\[BEST BUY] Official Geek Squad MRI CD.iso Infected: not-a-virus:AdWare.Win32.NewDotNet 1
H:\Shared\DLs from FF\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.281 1
H:\Shared\DLs from FF\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1

The selected area was scanned.


That is the entire report though

[maranatha]

Hi
Due to the illegally pirated software you have obtained I will not help you any farther.
I can not condone the use of P2P and Cracked software to have something that most people are willing to purchase legally, and not to mention the people that have worked many long hours to developer the software that they will not receive payment for by you.
This is the policy of this forum and is not negotiable."

This thread will be close.

maranatha

[heartofalion]

haha alright well thanks for all your help i still appreciate it and i respect your policy, hope you had a good fathers day