antivirusxp08 [RESOLVED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

6 Pages

1 2 3 > »

antivirusxp08 [RESOLVED]

Options

mbrikha View Member Profile	Jul 27 2008, 11:43 PM Post #1
Member Posts: 47 OS: windows	how do i get rid of antivirusxp08??? this is my log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:47:48 AM, on 7/28/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\WINDOWS\System32\lphctwhj0e561.exe C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\MySpace\IM\MySpaceIM.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Mozilla Firefox\firefox.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\Program Files\Real\RealOne Player\RealPlay.exe C:\Program Files\McAfee\MSC\mcshell.exe C:\Program Files\McAfee\MQC\McpAdmin.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file) O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [lphctwhj0e561] C:\WINDOWS\System32\lphctwhj0e561.exe O4 - HKLM\..\Run: [SMrhcpwhj0e561] C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKUS\S-1-5-21-489530047-1577466506-2605587702-501\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Guest') O4 - HKUS\S-1-5-21-489530047-1577466506-2605587702-501\..\Run: [stratas] ggfig.exe (User 'Guest') O4 - HKUS\S-1-5-21-489530047-1577466506-2605587702-501\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" (User 'Guest') O4 - HKUS\S-1-5-21-489530047-1577466506-2605587702-501\..\Run: [Xytngb] C:\Program Files\Mubl\Ishdb.exe (User 'Guest') O4 - HKUS\S-1-5-21-489530047-1577466506-2605587702-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest') O4 - HKUS\S-1-5-21-489530047-1577466506-2605587702-501\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Guest') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: officejet 6100.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17efb7ea211bee...ip/RdxIE601.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O24 - Desktop Component 0: (no name) - http://www.forever21.com/product.asp? O24 - Desktop Component 1: (no name) - http://a160.ac-images.myspacecdn.com/image...8e365cedd57.jpg O24 - Desktop Component 2: (no name) - http://i21.photobucket.com/albums/b273/XxJGrl90/black.jpg -- End of file - 10852 bytes This post has been edited by mbrikha: Jul 27 2008, 11:51 PM

fenzodahl512 View Member Profile	Jul 28 2008, 01:14 AM Post #2
Trusted Helper Posts: 9,194 OS: Windows XP	Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following... Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. Please let your firewall allow the scanning/downloading process. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Regards fenzodahl512

fenzodahl512 View Member Profile	Jul 28 2008, 05:19 PM Post #4
Trusted Helper Posts: 9,194 OS: Windows XP	You have lots of crap in this computer.. Please follow my instruction closely.. Please download WinsockXPFix and save it to your Desktop. Don't use it yet.. Use it if you lost the internet connection after performing any steps given.. Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present): Active Alert AntivirXP08 AVI Codec Pack Bar888 Media-motor Outerinfo Software Update Manager Spy Sheriff Viewpoint Manager (Remove Only) Viewpoint Media Player Viewpoint Toolbar webHancer Customer Companion webHancer Survey Companion WebRebates (by TopRebates.com) WSEM Update -------------------------- Please download SmitfraudFix (by S!Ri) Double-click SmitfraudFix.exe Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there. Note : process.exe** is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Regards fenzodahl512

mbrikha View Member Profile	Jul 28 2008, 09:37 PM Post #5
Member Posts: 47 OS: windows	ok, so i removed all of the programs except for antivirxp08. it wont come out and so i did the second part and i got this ... SmitFraudFix v2.332 Scan done at 22:23:34.87, Mon 07/28/2008 Run from C:\Program Files\Mozilla Firefox\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode �� Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\notepad.exe C:\WINDOWS\notepad.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\iPod\bin\iPodService.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\System32\cmd.exe �� hosts �� C:\ �� C:\WINDOWS �� C:\WINDOWS\system �� C:\WINDOWS\Web �� C:\WINDOWS\system32 C:\WINDOWS\system32\Party Poker.ico FOUND ! �� C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000 �� C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Install.dat FOUND ! �� Start Menu �� C:\WINDOWS\FAVORI~1 �� Desktop �� C:\Program Files �� Corrupted keys �� Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="http://www.forever21.com/product.asp?" "SubscribedURL"="http://www.forever21.com/product.asp?" "FriendlyName"="" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1] "Source"="http://a160.ac-images.myspacecdn.com/images01/13/l_0e8459803a1249bef25e78e365cedd57.jpg" "SubscribedURL"="http://a160.ac-images.myspacecdn.com/images01/13/l_0e8459803a1249bef25e78e365cedd57.jpg" "FriendlyName"="" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2] "Source"="http://i21.photobucket.com/albums/b273/XxJGrl90/black.jpg" "SubscribedURL"="http://i21.photobucket.com/albums/b273/XxJGrl90/black.jpg" "FriendlyName"="" �� IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri �� VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri �� 404Fix !!!Attention, following keys are not inevitably infected!!! 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri �� Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll �� AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! �� Winlogon !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," "System"="" �� Rustock �� DNS Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport DNS Server Search Order: 68.87.72.130 DNS Server Search Order: 68.87.77.130 DNS Server Search Order: 68.87.66.196 HKLM\SYSTEM\CCS\Services\Tcpip\..\{9075BA86-594F-49E9-81B1-46C28475CA0E}: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CS1\Services\Tcpip\..\{9075BA86-594F-49E9-81B1-46C28475CA0E}: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 �� Scanning for wininet.dll infection �� End

fenzodahl512 View Member Profile	Jul 28 2008, 09:52 PM Post #6
Trusted Helper Posts: 9,194 OS: Windows XP	Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Once in Safe Mode, please double-click smitfraudfix.exe Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log. The report can also be found at the root of the system drive, usually at C:\rapport.txt Warning!! : running option #2 on a non infected computer will remove your Desktop background. *NEXT* Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. Please let your firewall allow the scanning/downloading process. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator Please post the following logs in your next reply.. Please post each log in separate post.. 1. SmitfraudFix 2. DSS main.txt 3. DSS extra.txt Regards fenzodahl512

mbrikha View Member Profile	Jul 28 2008, 11:43 PM Post #7
Member Posts: 47 OS: windows	ok, but once i reboot my computer will all of my documents and pictures erase?

fenzodahl512 View Member Profile	Jul 29 2008, 03:39 AM Post #8
Trusted Helper Posts: 9,194 OS: Windows XP	QUOTE (mbrikha @ Jul 29 2008, 01:43 PM) ok, but once i reboot my computer will all of my documents and pictures erase? Nope.. at most you might lose your Wallpaper.. That's all.. Please do the steps and post the logs here..

mbrikha View Member Profile	Jul 29 2008, 11:20 AM Post #9
Member Posts: 47 OS: windows	SmitFraudFix v2.332 Scan done at 10:34:37.35, Tue 07/29/2008 Run from C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode �� SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll �� Killing process �� hosts 127.0.0.1 localhost �� VACFix VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri �� Winsock2 Fix S!Ri's WS2Fix: LSP not Found. �� Generic Renos Fix GenericRenosFix by S!Ri �� Deleting infected files C:\WINDOWS\system32\Party Poker.ico Deleted C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Install.dat Deleted �� IEDFix IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri �� 404Fix 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri �� DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{9075BA86-594F-49E9-81B1-46C28475CA0E}: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CS1\Services\Tcpip\..\{9075BA86-594F-49E9-81B1-46C28475CA0E}: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CS3\Services\Tcpip\..\{9075BA86-594F-49E9-81B1-46C28475CA0E}: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196 �� Deleting Temp Files �� Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" �� Registry Cleaning Registry Cleaning done. �� SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll �� End

mbrikha View Member Profile	Jul 29 2008, 11:21 AM Post #10
Member Posts: 47 OS: windows	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:18:10, on 7/29/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe C:\WINDOWS\System32\pphctwhj0e561.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\msiexec.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file) O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [lphctwhj0e561] C:\WINDOWS\System32\lphctwhj0e561.exe O4 - HKLM\..\Run: [SMrhcpwhj0e561] C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: officejet 6100.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17efb7ea211bee...ip/RdxIE601.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O24 - Desktop Component 0: (no name) - http://i21.photobucket.com/albums/b273/XxJGrl90/black.jpg -- End of file - 8125 bytes

fenzodahl512 View Member Profile	Jul 29 2008, 11:26 AM Post #11
Trusted Helper Posts: 9,194 OS: Windows XP	Hi.. Still waiting for your Deckard System Scanner (DSS) log

mbrikha View Member Profile	Jul 29 2008, 11:29 AM Post #12
Member Posts: 47 OS: windows	Deckard's System Scanner v20071014.68 Run by Owner on 2008-07-29 12:19:16 Computer is in Normal Mode. -------------------------------------------------------------------------------- Percentage of Memory in Use: 89% (more than 75%). Total Physical Memory: 504 MiB (512 MiB recommended). -- HijackThis (run as Owner.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:19:35, on 7/29/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe C:\WINDOWS\System32\pphctwhj0e561.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\msiexec.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file) O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [lphctwhj0e561] C:\WINDOWS\System32\lphctwhj0e561.exe O4 - HKLM\..\Run: [SMrhcpwhj0e561] C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: officejet 6100.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17efb7ea211bee...ip/RdxIE601.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O24 - Desktop Component 0: (no name) - http://i21.photobucket.com/albums/b273/XxJGrl90/black.jpg -- End of file - 8179 bytes -- Files created between 2008-06-29 and 2008-07-29 ----------------------------- 2008-07-29 10:08:30 0 --a------ C:\WINDOWS\System32\pphctwhj0e561.exe 2008-07-29 10:08:19 60928 --a------ C:\WINDOWS\System32\blphctwhj0e561.scr 2008-07-28 21:44:27 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Comcast 2008-07-28 21:23:41 3022 --a------ C:\WINDOWS\System32\tmp.reg 2008-07-28 21:22:44 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility> 2008-07-28 21:22:13 81920 --a------ C:\WINDOWS\System32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix> 2008-07-28 21:22:12 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe 2008-07-28 21:22:12 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; > 2008-07-28 21:22:12 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix> 2008-07-28 21:22:12 82944 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix> 2008-07-28 21:22:11 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS> 2008-07-28 21:22:11 51200 --a------ C:\WINDOWS\System32\dumphive.exe 2008-07-27 23:47:14 0 d-------- C:\Program Files\Trend Micro 2008-07-27 23:15:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-24 11:42:06 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\rhcpwhj0e561 2008-07-22 19:59:30 0 d-------- C:\Program Files\rhcpwhj0e561 -- Find3M Report --------------------------------------------------------------- 2008-07-28 21:56:28 0 d-------- C:\Program Files\WildTangent 2008-07-28 21:52:56 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-07-28 21:52:33 0 d-------- C:\Program Files\NewSoft 2008-07-28 21:50:43 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Musicmatch 2008-07-28 21:50:41 0 d-------- C:\Program Files\MUSICMATCH 2008-07-28 21:48:04 0 d-------- C:\Program Files\Microsoft Money 2008-07-28 21:41:57 0 d-------- C:\Program Files\Common Files\aolshare 2008-07-28 21:31:21 0 d-------- C:\Program Files\Viewpoint 2008-06-24 12:26:30 0 d-------- C:\Program Files\McAfee 2008-06-23 14:31:07 0 d-------- C:\Program Files\Common Files\McAfee 2008-06-02 22:36:44 0 d-------- C:\Program Files\LimeWire 2008-05-31 21:40:26 9604 --a------ C:\WINDOWS\mozver.dat 2008-05-31 21:33:33 0 d-------- C:\Program Files\Common Files 2008-05-31 21:33:33 0 d-------- C:\Program Files\Common Files\xing shared 2008-05-31 21:33:26 0 d-------- C:\Program Files\Common Files\Real 2008-05-31 21:33:18 1770 --a------ C:\WINDOWS\nsreg.dat 2008-05-31 20:33:26 0 d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Real 2008-05-31 20:31:44 0 d-------- C:\Program Files\Common Files\csshare -- Registry Dump --------------------------------------------------------------- Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BlockTracker"="c:\hp\bin\BlockTracker.exe" [] "NvCplDaemon"="NvQTwk" [] "nwiz"="nwiz.exe" [09/30/2002 23:39 C:\WINDOWS\system32\nwiz.exe] "System service63"="C:\WINDOWS\etb\pokapoka63.exe" [] "HostManager"="C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe" [09/25/2006 16:52] "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 21:16] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 21:32] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 18:12] "lphctwhj0e561"="C:\WINDOWS\System32\lphctwhj0e561.exe" [] "SMrhcpwhj0e561"="C:\Program Files\rhcpwhj0e561\rhcpwhj0e561.exe" [07/24/2008 03:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NVIEW"="nview.dll,nViewLoadHook" [] "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [03/06/2007 21:06] "Aim6"="" [] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Startup\ AOL OpenRide.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [9/25/2006 4:52:49 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [12/3/2002 4:58:20 PM] NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [10/11/2003 8:19:17 AM] officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [12/3/2002 4:23:30 PM] Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [9/20/2002 7:20:02 PM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] @= [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b] C:\WINDOWS\System32\dccnncr.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b] C:\WINDOWS\System32\dccnncr.exe -- End of Deckard's System Scanner: finished at 2008-07-29 12:25:38 ------------

fenzodahl512 View Member Profile	Jul 29 2008, 11:43 AM Post #13
Trusted Helper Posts: 9,194 OS: Windows XP	Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator") Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked.. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE [kill explorer] C:\WINDOWS\System32\pphctwhj0e561.exe C:\WINDOWS\System32\blphctwhj0e561.scr C:\WINDOWS\System32\blphctwhj0e561.scr C:\Program Files\rhcpwhj0e561 C:\WINDOWS\etb\pokapoka63.exe C:\WINDOWS\System32\lphctwhj0e561.exe C:\WINDOWS\System32\dccnncr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\System service63 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphctwhj0e561 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhcpwhj0e561 HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b EmptyTemp purity [start explorer] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. *NEXT* Please download Malwarebytes' Anti-Malware from HERE or HERE Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Full Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Please post the following logs in your next reply.. Please post each log in separate post.. 1. OTMoveIt2 2. Malwarebytes' 3. A fresh DSS log (after Malwarebytes' step) Regards fenzodahl512

mbrikha View Member Profile	Jul 29 2008, 12:12 PM Post #14
Member Posts: 47 OS: windows	Explorer killed successfully File/Folder C:\WINDOWS\System32\pphctwhj0e561.exe not found. File/Folder C:\WINDOWS\System32\blphctwhj0e561.scr not found. File/Folder C:\WINDOWS\System32\blphctwhj0e561.scr not found. File/Folder C:\Program Files\rhcpwhj0e561 not found. File/Folder C:\WINDOWS\etb\pokapoka63.exe not found. File/Folder C:\WINDOWS\System32\lphctwhj0e561.exe not found. File/Folder C:\WINDOWS\System32\dccnncr.exe not found. < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\System service63 > Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\System service63 not found. < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphctwhj0e561 > Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphctwhj0e561 not found. < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhcpwhj0e561 > Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhcpwhj0e561 not found. < HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b > Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b\\ not found. < EmptyTemp > File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\A.tmp scheduled to be deleted on reboot. File delete failed. C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\~DFECA9.tmp scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\mcafee_KwVzpG5r1E3QsxK scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\mcmsc_jjTRqj5AS2K3TgH scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\mcmsc_TVFwyEBef7a7TdM scheduled to be deleted on reboot. Temp folders emptied. IE temp folders emptied. < purity > Explorer started successfully OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07292008_130445 Files moved on Reboot... File C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\A.tmp not found! C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\~DFECA9.tmp moved successfully. File C:\WINDOWS\temp\mcafee_KwVzpG5r1E3QsxK not found! File C:\WINDOWS\temp\mcmsc_jjTRqj5AS2K3TgH not found! File C:\WINDOWS\temp\mcmsc_TVFwyEBef7a7TdM not found!

fenzodahl512 View Member Profile	Jul 29 2008, 01:42 PM Post #15
Trusted Helper Posts: 9,194 OS: Windows XP	Waiting for your Malwarebytes' and DSS logs

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

6 Pages

1 2 3 > »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal ANTIVIRUSXP08 [RESOLVED] 12	18 / 2,426	12th July 2008 - 07:12 PM susan spencer started - last by greyknight17
Virus, Spyware and Trojan Removal Antivirusxp08 removal [RESOLVED]	8 / 3,177	11th July 2008 - 01:56 AM andros started - last by miekiemoes
Virus, Spyware and Trojan Removal AntivirusXp08 WILL not go away [RESOLVED]	9 / 522	26th August 2008 - 05:08 PM Greenlight started - last by greyknight17
Virus, Spyware and Trojan Removal Another antivirusXP08 [RESOLVED] 12	24 / 656	17th August 2008 - 06:33 PM marlinsfan started - last by andrewuk