Cowabanga, BraveSentry, ActiveX and Look2Me are causing me problems&nb

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

Cowabanga, BraveSentry, ActiveX and Look2Me are causing me problems&nb, I've done everything I can think of, Could it be time to re-format

Options

Retta View Member Profile	Aug 22 2006, 01:26 AM Post #1
Member Posts: 33 OS: XP	My problem is fairly simple, one of my younger siblings downloaded a game called “Cowbanga” onto our computer. Now it has a pretty much continuous stream of pop-ups and sometimes will sudenly decide to shut down. I have used 'Spy-Bot: Search and Destroy', 'ewido', 'Ad-aware SE Personal', 'CleanUp!' and 'CWShredder', and they have helped. But they havent helped nearly enough. I tried the 'A-Squared' and that shut down every time I tried to delete things. Also, that Panda thing wouldnt start downloading. I have also tried ‘Trojan Hunter’ which seems to be doing what it’s supposed to, but is having trouble keeping these things off my computer. ‘Spy-Bot – Search and Destroy’ should also do that but has failed to so far. I did what you told me to in the direction as much as I could. My computer wouldn’t let me do either of the online scans. Upon Figuring out that they werent going to work I moved on to checking for updates for my computer. This also failed, though it was no surprise because we havent been able to correctly download updates for some time now. Following your steps, I rebooted and, though it was better, I was still getting pop-ups and still having things detected on the scans. Also, every time I turn my computer on/reboot it it comes up with an error: the title is: 'RUNDLL' then it says: 'Error loading w1d952f5.dll The specific module could not be found.' I know I had all of these threats on my computer, but I’m not sure if they are still there: Cowabanga Mirar BraveSentry WinAntiVirus2006 ActiveX System Doctor 2006 Look2Me QooLogic SpySheriff Zedo Among several others… Logfile of HijackThis v1.99.1 Scan saved at 10:12:14 PM, on 8/21/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\TmFuY3kgU3VybWE\command.exe C:\Documents and Settings\Nancy\My Documents\security suite\ewidoctrl.exe C:\Program Files\Network Monitor\netmon.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RunDll32.exe C:\WINDOWS\plsxcnfA.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\xload.exe C:\Program Files\TrojanHunter 4.5\THGuard.exe C:\WINDOWS\sys101010110708.exe C:\WINDOWS\System32\90036491.exe C:\nwnmff_12.exe C:\dfndrff_12.exe C:\kybrdff_12.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINDOWS\TEMP\73.tmp3072.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Nancy\My Documents\download\sunken\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\bbfre.exe F2 - REG:system.ini: UserInit=userinit.exe,lwmvopq.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [alav] C:\WINDOWS\alav.exe O4 - HKLM\..\Run: [gdfehmal] C:\WINDOWS\System32\gdfehmal.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [=TPM] C:\windows\mrjj.exe O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe O4 - HKLM\..\Run: [SDiskDaemon] C:\WINDOWS\sdiskmon.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [baqpav] C:\WINDOWS\System32\llzguvr.exe r O4 - HKLM\..\Run: [plsxcnfA] C:\WINDOWS\plsxcnfA.exe O4 - HKLM\..\Run: [ehz32db1] RUNDLL32.EXE w1d952f5.dll,n 00332dae000000031d952f5 O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe" O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe" O4 - HKLM\..\Run: [sys101010110708] C:\WINDOWS\sys101010110708.exe O4 - HKLM\..\Run: [90036491.exe] C:\WINDOWS\System32\90036491.exe O4 - HKLM\..\Run: [newname] C:\\nwnmff_12.exe O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [dmbtex] C:\WINDOWS\System32\dmbtex.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [90036491.exe] C:\Documents and Settings\Nancy\Local Settings\Application Data\90036491.exe O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\TEMP\73.tmp3072.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O15 - Trusted Zone: .dollarrevenue.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: .media-motor.net O15 - Trusted Zone: .mt-download.com O15 - Trusted Zone: .sxload.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: *.winfixer.com O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab O20 - Winlogon Notify: FS Templates - C:\WINDOWS\system32\m6nq0g55e6.dll O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFuY3kgU3VybWE\command.exe O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Nancy\My Documents\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing) O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing) O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing) O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing) Thank you so much for your help.

Crustyoldbloke View Member Profile	Aug 22 2006, 04:01 AM Post #2
Malware Surgeon Posts: 15,099 From: Worcestershire, England OS: Windows XP Professional SP2	Hello Nancy and welcome to Geeks to Go As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible. Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix. Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! You have quite a mixture of malware and Trojans. Let’s see what we can do in removing the format option, it might take a few hits. You do not appear to have any antivirus programme running on your PC; we must correct that immediately. Download: AVG ANTIVIRUS FREE EDITION Install AVG, update its virus definitions and perform a full system scan before proceeding any further. Please disable Trojan Hunter. Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red. Right click it and select settings. Uncheck Load at startup and Enabled Please uninstall Ewido since the version you have is out of date. We can download an updated version which will give you a fresh 30-day trial. Look in your Control Panel’s Add/Remove Programs for: PuritySCAN By OIN, OuterInfo, OIN or similar Yazzle by Oin Snowballwars by Oin Cowabanga by OIN or anything similar with Oin in it. , click on it and click remove. Reboot and delete this folder if found: C:\Program Files\PurityScan\ If it is not listed, download and run this uninstaller: outerinfo.com/OiUninstaller.exe Tutorial for the uninstaller if needed Please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop: Killbox by Option^Explicit CCleaner Ewido Anti Spyware CWShredder cwsserviceemove.reg file combofix.exe Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards Go to Start>Run and type Services.msc then hit OK Scroll down and find this service: Command Service (cmdService) When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK. Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste): cmdService Click OK. It should pull up information about the service, when it asks if you want to reboot now click YES Please install, and update Ewido anti-spyware Load Ewido and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful") Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Deselect "Only if threats were found" Close Ewido. Do not run it yet. Next, please reboot your computer in Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. For additional help in booting into Safe Mode, see the following site: Safe Mode In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient. Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop). Please ensure you post that log in your reply. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\bbfre.exe F2 - REG:system.ini: UserInit=userinit.exe,lwmvopq.exe O4 - HKLM\..\Run: [alav] C:\WINDOWS\alav.exe O4 - HKLM\..\Run: [gdfehmal] C:\WINDOWS\System32\gdfehmal.exe O4 - HKLM\..\Run: [=TPM] C:\windows\mrjj.exe O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe O4 - HKLM\..\Run: [SDiskDaemon] C:\WINDOWS\sdiskmon.exe O4 - HKLM\..\Run: [baqpav] C:\WINDOWS\System32\llzguvr.exe r O4 - HKLM\..\Run: [plsxcnfA] C:\WINDOWS\plsxcnfA.exe O4 - HKLM\..\Run: [ehz32db1] RUNDLL32.EXE w1d952f5.dll,n 00332dae000000031d952f5 O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe" O4 - HKLM\..\Run: [sys101010110708] C:\WINDOWS\sys101010110708.exe O4 - HKLM\..\Run: [90036491.exe] C:\WINDOWS\System32\90036491.exe O4 - HKLM\..\Run: [newname] C:\\nwnmff_12.exe O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe O4 - HKCU\..\Run: [dmbtex] C:\WINDOWS\System32\dmbtex.exe O4 - HKCU\..\Run: [90036491.exe] C:\Documents and Settings\Nancy\Local Settings\Application Data\90036491.exe O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\TEMP\73.tmp3072.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O15 - Trusted Zone: .dollarrevenue.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: .media-motor.net O15 - Trusted Zone: .mt-download.com O15 - Trusted Zone: .sxload.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab O20 - Winlogon Notify: FS Templates - C:\WINDOWS\system32\m6nq0g55e6.dll O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFuY3kgU3VybWE\command.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe Now close all windows other than HiJackThis, then click Fix Checked.* Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items. Please reboot normally Please install Killbox by Option^Explicit. Please double-click Killbox.exe to run it. Select Delete on Reboot then Click on the All Files button. Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\TmFuY3kgU3VybWE\command.exe C:\Program Files\Network Monitor\netmon.exe C:\WINDOWS\plsxcnfA.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\xload.exe C:\WINDOWS\sys101010110708.exe C:\WINDOWS\System32\90036491.exe C:\nwnmff_12.exe C:\dfndrff_12.exe C:\kybrdff_12.exe C:\WINDOWS\TEMP\73.tmp3072.exe C:\Program Files\Deskbar\deskbar.dll C:\WINDOWS\System32\bbfre.exe c:\windows\system32\lwmvopq.exe C:\WINDOWS\alav.exe C:\WINDOWS\System32\gdfehmal.exe C:\windows\mrjj.exe C:\WINDOWS\dinst.exe C:\WINDOWS\sdiskmon.exe C:\WINDOWS\System32\llzguvr.exe c:\windows\system32\w1d952f5.dll C:\WINDOWS\System32\dmbtex.exe C:\Documents and Settings\Nancy\Local Settings\Application Data\90036491.exe c:\windows\system32\stonedrv.exe C:\WINDOWS\system32\m6nq0g55e6.dll Return to Killbox, go to the File menu, and choose Paste from Clipboard. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Applications uncheck Ewido Security Suite log then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues Double click combofix.exe & follow the prompts. When it has finished, it will produce a log. Please post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please)

Retta View Member Profile	Aug 22 2006, 02:28 PM Post #3
Member Posts: 33 OS: XP	yeah... i dont have cmdService on Services.msc... is there somewhere else i should look? or am i doing it wrong.

Crustyoldbloke View Member Profile	Aug 22 2006, 03:00 PM Post #4
Malware Surgeon Posts: 15,099 From: Worcestershire, England OS: Windows XP Professional SP2	No I'm sure you are not doing anything wrong, it's just malware and its foibles. Try doing it this way just in case it is hidden, but just continue with the rest of the fix please. Go to Start > Run and type or copy & paste this into the Run box: sc delete cmdService Hit ENTER

Retta View Member Profile	Aug 22 2006, 07:37 PM Post #5
Member Posts: 33 OS: XP	Here's the Log from 'Ewido' --------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 5:19:54 PM 8/22/2006 + Scan result: HKU\S-1-5-21-1275210071-789336058-682003330-500\Software\aurora -> Adware.BetterInternet : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203975.dll -> Adware.CommAd : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203976.exe -> Adware.CommAd : Cleaned with backup (quarantined). C:\WINDOWS\TmFuY3kgU3VybWE\asappsrv.dll.tcf -> Adware.CommAd : Cleaned with backup (quarantined). C:\WINDOWS\TmFuY3kgU3VybWE\command.exe.tcf -> Adware.CommAd : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203098.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203099.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203101.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203102.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203118.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203121.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203128.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203272.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203520.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203524.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203529.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203533.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203550.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203554.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203572.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203893.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203905.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203915.exe.tcf -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203930.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203937.DLL -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203978.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203992.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203993.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204005.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204006.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204008.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204009.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\aytiveds.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\guard.tmp -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\narszht.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203106.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined). C:\WINDOWS\Downloaded Program Files\amm06.ocx.tcf -> Adware.MediaMotor : Cleaned with backup (quarantined). C:\WINDOWS\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-789336058-682003330-500\Software\WebInstall -> Adware.NetworkEssentials : Cleaned with backup (quarantined). HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203103.exe -> Adware.SaveNow : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203570.exe -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203573.dll -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203110.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203113.dll.tcf -> Downloader.Qoologic.bj : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203997.DLL -> Downloader.Qoologic.bj : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204000.EXE -> Downloader.Qoologic.bj : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204001.EXE -> Downloader.Qoologic.bj : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204002.EXE -> Downloader.Qoologic.bj : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204007.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203912.exe.tcf -> Downloader.Small.buy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP516\A0199725.exe.tcf -> Downloader.Small.dnk : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0201053.exe.tcf -> Downloader.Small.dnk : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0202111.exe.tcf -> Downloader.Small.dnk : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203105.exe -> Downloader.VB.akq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203117.exe -> Downloader.VB.akq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203545.exe -> Downloader.VB.akq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203999.exe -> Downloader.VB.akq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203104.exe -> Downloader.VB.nw : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204003.exe -> Downloader.VB.wz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203111.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\XZJ7TPKE\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\WINDOWS\Downloaded Program Files\USDR6_0001_D18M2707NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203109.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\F4WG49QF\klite.ath[1] -> Not-A-Virus.Exploit.Win32.MS05013 : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203955.EXE.tcf -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP516\A0199746.exe -> Proxy.Lager.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0201064.exe -> Proxy.Lager.a : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\taskdir.exe_tobedeleted -> Proxy.Lager.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0201065.exe -> Proxy.Lager.cy : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203100.exe.tcf -> Trojan.Dialer.pw : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203107.exe -> Trojan.VB.tg : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203108.exe -> Trojan.VB.tg : Cleaned with backup (quarantined). ::Report end Here's the one from 'combofix': Nancy Surma - 06-08-22 18:20:39.14 ComboFix 06.08.18 - Running from: C:\Program Files\MSN\MSNCoreFiles (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\Duce6.exe C:\WINDOWS\keyboard1.dat C:\WINDOWS\newname.dat C:\WINDOWS\teller2.chk C:\WINDOWS\winsysupd101.dat C:\dfndrff_12.exe C:\drsmartload.exe C:\drsmartload45a3344a.exe C:\drsmartload46a3344a.exe C:\drsmartload849a3344a.exe C:\kybrdff_12.exe C:\MTE3NDI6ODoxNg.exe C:\nwnmff_12.exe C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\K3TRUY71\drsmartload849a[1].exe C:\deskbar.exe C:\Installer3.exe C:\mte3ndi6odoxng.exe C:\WINDOWS\uninstall_nmon.vbs C:\WINDOWS\SYSTEM32\atmtd.dll C:\WINDOWS\SYSTEM32\atmtd.dll._ C:\Documents and Settings\NetworkService\Application Data\NetMon C:\Documents and Settings\LocalService\Application Data\NetMon C:\Program Files\winupdates C:\WINDOWS\Duce6.exe C:\Documents and Settings\LocalService\Application Data\NetMon C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\Documents and Settings\LocalService\Application Data\NetMon C:\Program Files\Deskbar C:\Program Files\network monitor C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\Duce6.exe C:\Program Files\Deskbar C:\Program Files\network monitor C:\WINDOWS\TmFuY3kgU3VybWE C:\Program Files\Deskbar C:\Program Files\network monitor C:\WINDOWS\TmFuY3kgU3VybWE C:\Program Files\Deskbar C:\Program Files\network monitor C:\WINDOWS\TmFuY3kgU3VybWE ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\QooBox\Purity\WINDOWS\SSEMBL~1 ((((((((((((((((((((((((((((((( Files Created from 2006-07-22 to 2006-08-22 )))))))))))))))))))))))))))))))))) 2006-08-22 18:09 106,496 C:\WINDOWS\Duce6.exe 2006-08-22 13:20 159,744 C:\WINDOWS\win32080810101107.exe 2006-08-20 17:37 53,248 C:\WINDOWS\system32\Process.exe 2006-08-20 17:37 42,496 C:\WINDOWS\system32\swreg.exe 2006-08-20 17:37 40,960 C:\WINDOWS\system32\swsc.exe 2006-08-20 17:37 288,417 C:\WINDOWS\system32\SrchSTS.exe 2006-08-20 16:37 0 C:\WINDOWS\test3.exe 2006-08-19 23:24 0 C:\WINDOWS\system32\wancp.dll 2006-08-18 19:37 57,344 C:\WINDOWS\system32\senssrv.dll 2006-08-18 18:12 2,560 C:\WINDOWS\_MSRSTRT.EXE 2006-08-18 16:15 1,060,864 C:\WINDOWS\system32\mfc71.dll 2006-08-18 16:11 186,223 C:\WINDOWS\srvifhtukd.exe 2006-08-18 16:11 1,167 C:\WINDOWS\system32\ehz32db1.sys 2006-08-18 16:10 459 C:\WINDOWS\jnuuu.dll 2006-08-18 16:09 115,160 C:\WINDOWS\Eim03.exe 2006-08-14 17:52 78,848 C:\WINDOWS\system32\nst2B.dll And here's the one from Hijack This: Logfile of HijackThis v1.99.1 Scan saved at 6:34:15 PM, on 8/22/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RunDll32.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\win32080810101107.exe C:\WINDOWS\Duce6.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MSN\MSNCoreFiles\msn.exe C:\Documents and Settings\Nancy Surma\My Documents\download\sunkensoul\HijackThis.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\Run: [win32080810101107] C:\WINDOWS\win32080810101107.exe O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing) O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing) O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)

Crustyoldbloke View Member Profile	Aug 23 2006, 02:09 AM Post #6
Malware Surgeon Posts: 15,099 From: Worcestershire, England OS: Windows XP Professional SP2	Hello again Thank you for the logs provided, we will clear the restore points later in a future fix. Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following: O4 - HKLM\..\Run: [win32080810101107] C:\WINDOWS\win32080810101107.exe O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Click on Fix Checked when finished and exit HijackThis. Please install Killbox by Option^Explicit. Please double-click Killbox.exe to run it. Select Delete on Reboot then Click on the All Files button. Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\win32080810101107.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\system32\wancp.dll C:\WINDOWS\system32\senssrv.dll C:\WINDOWS\srvifhtukd.exe C:\WINDOWS\system32\ehz32db1.sys C:\WINDOWS\jnuuu.dll C:\WINDOWS\Eim03.exe C:\WINDOWS\system32\nst2B.dll Return to Killbox, go to the File menu, and choose Paste from Clipboard. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. Post back a fresh HijackThis log, from normal mode, and I will take another look.

Retta View Member Profile	Aug 24 2006, 02:20 AM Post #7
Member Posts: 33 OS: XP	Logfile of HijackThis v1.99.1 Scan saved at 1:18:02 AM, on 8/24/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RunDll32.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MSN\MSNCoreFiles\msn.exe C:\Documents and Settings\Nancy\My Documents\download\sunken\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{996C239D-142F-408A-97A1-850F19271E6C}: NameServer = 205.171.3.65,205.171.2.65 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing) O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing) O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)

Crustyoldbloke View Member Profile	Aug 24 2006, 02:30 AM Post #8
Malware Surgeon Posts: 15,099 From: Worcestershire, England OS: Windows XP Professional SP2	Hello again The log looks very good, but because the topic title includes Brave Sentry, I am going to request one more scan to be sure. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder (right click and choose Extract All) and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy & paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! Note : process.exe is detected by some antivirus programmes (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a programme used to stop system processes. Antivirus programmes cannot distinguish between "good" and "malicious" use of such programmes, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

Retta View Member Profile	Aug 24 2006, 02:34 AM Post #9
Member Posts: 33 OS: XP	SmitFraudFix v2.81 Scan done at 1:33:08.00, Thu 08/24/2006 Run from C:\Documents and Settings\Nancy Surma\My Documents\download\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] -