I am infected


#1
OTHG_Wayne
  • Member
  • 12 posts
I am infected with at least a hijacker that I can't get rid of. When I click on HOME Page, it takes me to syssecuritysite.com and tries to sell me anti-malware software.

I have performed all of the "Before Posting a Hijack Log" activities and still have the issue. I am sure there may be others too. You folks helped me clean my wife's PC once before and now it's my PC that is the issue.

Here is my HiJack This Log and thank you!

Logfile of HijackThis v1.99.1
Scan saved at 5:25:06 PM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wayne\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {36F2320D-4AC2-4179-87B4-0CC90259B474} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinter...up/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4p.../LaunchGame.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


#2
Wizard
  • Retired Staff
  • 5,661 posts
Hi OTHG_Wayne and Welcome Back to GeekstoGo!


First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.


Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g., Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close out Ewido Anti-Spyware.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.



Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.



Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.




EDIT: Just update your version of ewido before going to safe mode.

Edited by Cretemonster, 06 July 2006 - 05:31 PM.


#3
OTHG_Wayne
  • Topic Starter
  • Member
  • 12 posts
Here we go, I have everything you requested.

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 6:56:23 AM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Wayne\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {36F2320D-4AC2-4179-87B4-0CC90259B474} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinter...up/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4p.../LaunchGame.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

SMITFILES.TXT

smitRem © log file
version 3.0

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Thu 07/06/2006
The current time is: 22:32:49.51

Running from
C:\Documents and Settings\Wayne\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="C:\WINDOWS\system32\guxxa.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url
shopping


~~~ system32 folder ~~~

regperf.exe
simpole.tlb
stdole3.tlb
dcomcfg.exe
amcompat.tlb
nscompat.tlb
ld****.tmp
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 756 'explorer.exe'
Killing PID 756 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :woot:


EWIDO LOG
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:32:34 AM 7/7/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-203898789-614749927-3706334584-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Wayne\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\Documents and Settings\Wayne\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
C:\Documents and Settings\Wayne\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Wayne\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end


PANDA REPORT

Incident Status Location

Adware:Adware/Deskwizz Not disinfected c:\windows\system32\dhaxi.exe[DH.dll_]
Adware:adware/azesearch Not disinfected c:\windows\system32\azebar.xml
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/statblaster Not disinfected c:\windows\downloaded program files\WildApp.inf
Adware:adware/portalscan Not disinfected c:\windows\bundles\2504041110.exe
Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Adware:adware/ipinsight Not disinfected c:\windows\inf\polall1r.inf
Adware:adware/powerstrip Not disinfected c:\windows\preprocess.data
Adware:adware/twain-tech Not disinfected c:\windows\support.cn
Spyware:spyware/media-motor Not disinfected c:\windows\ubber60.ini
Adware:adware/ncase Not disinfected c:\windows\system32\FLEOK
Adware:adware/tvmedia Not disinfected c:\windows\bundles
Adware:adware/deskwizz Not disinfected Windows Registry
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Wayne\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Wayne\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Wayne\Desktop\smitRem\Process.exe
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20040805094132781.zip[Program Files/common files/remove_tools.html]
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20040824224628015.zip[WINDOWS/inf/bi.inf]
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20040824224629343.zip[Program Files/common files/updmgr/data1.dat]
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20040824224629343.zip[Program Files/common files/updmgr/data2.dat]
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip[Documents and Settings/Wayne/local settings/temp/auf0.exe]
Spyware:Cookie/LinkExchange Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq103.tmp
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq106.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq111.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11F.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq128.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq129.tmp
Spyware:Cookie/Powerscan Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12B.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12C.tmp
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12E.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq138.tmp
Adware:Adware/AzeSearch Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13B.tmp
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp
Spyware:Cookie/Powerscan Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp
Spyware:Cookie/Atwola Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp
Spyware:Cookie/Versiontracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq80.tmp
Adware:Adware/IPInsight Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8A.tmp
Adware:Adware/PortalScan Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp\bundles.exe.tcf
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFF.tmp
Potentially unwanted tool:Application/MyWay Not disinfected C:\WINDOWS\Downloaded Program Files\s4initialsetup1.0.0.3.inf
Virus:Trj/Downloader.QV Disinfected C:\WINDOWS\Downloaded Program Files\vxiewer.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\bi7.inf
Adware:Adware/ImGiant Not disinfected C:\WINDOWS\myurlff.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\adwerkz.dll
Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\ezStub3.dll.tcf
Potentially unwanted tool:Application/MyWay Not disinfected C:\WINDOWS\system32\Xcite.dll.tcf

WOW, that's a bunch. Let me know what is next!

Thanks again.
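An added example for readers working through logs like the ones above (not posted in this thread, and not part of HijackThis, smitRem or ewido): a small Python triage helper that parses the "Xn - ..." entry lines of a HijackThis 1.99 log, diffs two scans, flags entries whose target file HijackThis reports as missing, and checks which CLSIDs a scanner report says it cleaned are still listed. The sample strings are short excerpts of the two logs and the ewido report in this thread; all function, class and variable names are my own.

```python
# Added example: triage helper for HijackThis 1.99 log files.
import re
from dataclasses import dataclass

# Entry lines look like "O2 - BHO: ..." / "R1 - HKCU\..." / "F2 - REG:...".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis prints when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2", "O4", "O16"
    detail: str    # everything after "Xn - "

    def clsid(self):
        """First CLSID in the entry, upper-cased so HKLM/HKU case differences do not matter."""
        m = CLSID_RE.search(self.detail)
        return m.group(0).upper() if m else None


def parse_log(text):
    """Return the entry lines of a HijackThis log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def orphaned(entries):
    """Entries whose referenced file HijackThis could not find (dead registrations)."""
    return [e for e in entries if any(mk in e.detail for mk in ORPHAN_MARKERS)]


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    b, a = set(before), set(after)
    removed = [e for e in before if e not in a]
    added = [e for e in after if e not in b]
    return removed, added


def still_registered(entries, report_text):
    """Entries whose CLSID a scanner report claims to have cleaned but HijackThis still lists."""
    cleaned = {c.upper() for c in CLSID_RE.findall(report_text)}
    return [e for e in entries if e.clsid() in cleaned]


def triage(before_text, after_text, report_text):
    """Summarise what changed between two logs and what still needs attention."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed, added = diff_logs(before, after)
    return {
        "removed": [e.detail for e in removed],
        "added": [e.detail for e in added],
        "orphaned": [e.detail for e in orphaned(after)],
        "still_registered": [e.detail for e in still_registered(after, report_text)],
    }


# Sample input: excerpts of the first log (post #1) and the second log and
# ewido report (post #3) from this thread, trimmed to a few lines each.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
"""

LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
"""

EWIDO_REPORT = r"""
HKLM\SOFTWARE\Classes\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
"""

if __name__ == "__main__":
    for key, items in triage(LOG_BEFORE, LOG_AFTER, EWIDO_REPORT).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Run against the full logs, the "removed" list shows what smitRem and ewido took care of between scans, while "still_registered" points at registrations (here the DH.dll BHO) that survived the cleaning tools and ended up on the helper's HijackThis fix list.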

#4
Wizard
  • Retired Staff
  • 5,661 posts
First, I need to see if you can help me.

See if you can locate these 2

C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip

C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp

C:\Documents and Settings/Wayne/local settings/temp/auf0.exe


Let me know in the next reply, I'll go ahead and post the next steps in a minute.

Edited by Cretemonster, 07 July 2006 - 06:38 PM.


#5
Wizard
  • Retired Staff
  • 5,661 posts
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {36F2320D-4AC2-4179-87B4-0CC90259B474} - (no file)

O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinter...up/RiffLick.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab

O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4p.../LaunchGame.cab

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\adwerkz.dll
    C:\WINDOWS\system32\ezStub3.dll.tcf
    C:\WINDOWS\system32\Xcite.dll.tcf
    c:\windows\system32\dhaxi.exe
    c:\windows\system32\azebar.xml
    c:\windows\system32\INNERADINSTALL.LOG
    c:\windows\downloaded program files\WildApp.inf
    C:\WINDOWS\Downloaded Program Files\s4initialsetup1.0.0.3.inf
    C:\WINDOWS\inf\bi7.inf
    C:\WINDOWS\myurlff.exe
    c:\windows\bundles\2504041110.exe
    c:\windows\inf\biini.inf
    c:\windows\inf\polall1r.inf
    c:\windows\preprocess.data
    c:\windows\support.cn
    c:\windows\ubber60.ini


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Restart in Safe Mode --> Locate and delete these 2 folders

c:\windows\system32\FLEOK

c:\windows\bundles


Restart Normal and Download ComboFix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.

Post the contents of combofix.txt into the next reply along with a fresh HijackThis log.
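The HijackThis lines the helper picked above share a few mechanical tells: registry items pointing at files that no longer exist, a blanked IE setting, an autorun whose filename the scanners already called malware, and O16 ActiveX controls pulled from unfamiliar hosts. Below is an added triage script (not from this thread or from HijackThis itself) that parses HJT-format entry lines and reports those tells; the sample log, the known-bad filename set and the trusted-host allowlist are constructed for the example from the logs posted in this thread, with the O16 download hosts replaced by placeholders.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example, not part of the forum thread or of HijackThis itself.
It flags the kinds of entries a helper would ask to have fixed:
  - registry references whose target file is gone ("(no file)", "(file missing)")
  - R0/R1 Internet Explorer settings that have been blanked
  - any entry naming a file the scanners in the thread already reported as malware
  - O16 ActiveX (DPF) controls downloaded from a host outside an allowlist
"""
import re
from urllib.parse import urlsplit

# "O4 - HKLM\..\Run: [name] command"  ->  kind="O4", body="HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Filenames the scanner results posted in this thread attributed to malware.
KNOWN_BAD = {
    "dhaxi.exe", "adwerkz.dll", "ezstub3.dll.tcf", "xcite.dll.tcf",
    "myurlff.exe", "bi7.inf", "ipvbdno1.exe",
}

# Constructed allowlist of ActiveX download hosts; extend it for your own environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "symantec.com", "trendmicro.com", "pandasoftware.com")

# Constructed sample built from entries posted in the thread; the O16 download
# hosts are replaced with placeholders (one untrusted .invalid host, one trusted).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - {36F2320D-4AC2-4179-87B4-0CC90259B474} - (no file)
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.invalid/ax/adwerkz.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sample/AvSniff.cab
"""


def parse_hjt(text):
    """Return (kind, body) pairs for the entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _dpf_host(body):
    """Hostname of the control an O16 entry downloads, or None if no URL is present."""
    m = re.search(r"\s-\s(https?://\S+)\s*$", body)
    return urlsplit(m.group(1)).hostname if m else None


def _trusted(host):
    """True when host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(kind, body):
    """Reasons this entry deserves review; an empty list means nothing was flagged."""
    reasons = []
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("registry entry points at a file that no longer exists")
    if kind in ("R0", "R1") and body.rstrip().endswith("="):
        reasons.append("Internet Explorer setting has been blanked")
    hits = sorted(bad for bad in KNOWN_BAD if bad in low)
    if hits:
        reasons.append("names a file reported as malware: " + ", ".join(hits))
    if kind == "O16":
        host = _dpf_host(body)
        if host and not _trusted(host):
            reasons.append(f"ActiveX control downloaded from untrusted host {host}")
    return reasons


def triage_log(text):
    """Map each flagged entry line to its reasons; clean entries are omitted."""
    flagged = {}
    for kind, body in parse_hjt(text):
        reasons = triage(kind, body)
        if reasons:
            flagged[f"{kind} - {body}"] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

A hit from this script is a reason to look closer, not a verdict: the legitimate IgfxTray autorun passes, while the same O4 shape with DHaxi.exe is caught only because the scanners had already named that file.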

#6
OTHG_Wayne
Topic Starter
To answer your first question...

I was able to find
C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp

But this one was not there...
C:\Documents and Settings/Wayne/local settings/temp/auf0.exe

I am now going to execute your instructions from your 7:46pm email.

Thanks again.

Edited by OTHG_Wayne, 07 July 2006 - 10:10 PM.


#7
OTHG_Wayne
Topic Starter
I followed all the instructions to the letter, but there were a couple of irregularities. First, when I ran Killbox, the box for Unregister .dll before Deleting was grayed out so I could not select it. I did get the message at the end though.

When I ran ComboFix, it did not display combofix.txt after a reboot, it displayed after a file cleanup process ran. This is a little different than your instructions. I hope these issues are okay.

Here are the two log files you wanted.

ComboFix.txt
Start Time= Fri 07/07/2006 23:38:20.21
Running from: C:\Documents and Settings\Wayne\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-06 00:14:56 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\TrojanHunter"
2006-07-05 23:52:40 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2006-07-05 23:52:32 ( .D... ) "C:\Program Files\TrojanHunter 4.5"
2006-07-05 06:24:02 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-04 22:40:00 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-22 05:47:18 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-06-21 20:36:10 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Xfire"
2006-06-09 20:53:56 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Vso"
2006-06-09 20:46:20 ( .D... ) "C:\Program Files\DVDFab Express"
2006-06-08 20:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-06 21:45:36 ( .D... ) "C:\Program Files\DVDFab Decrypter"
2006-06-06 06:06:08 ( .D... ) "C:\Program Files\Chord Alchemy 4"
2006-06-01 13:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 10:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-22 21:01:26 ( .D... ) "C:\Program Files\Aspect2"
2006-05-21 19:37:16 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\ArcSoft"
2006-05-21 19:14:46 ( .D... ) "C:\Program Files\EPSON Print CD"
2006-05-21 19:09:40 ( .D... ) "C:\Program Files\EPSON"
2006-05-19 20:03:50 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Ahead"
2006-05-19 10:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 00:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-11 17:28:04 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Ulead Systems"
2006-05-11 07:06:20 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-05-11 06:39:46 ( .D... ) "C:\Program Files\Windows Media Components"
2006-05-11 06:37:22 ( .D... ) "C:\Program Files\Common Files\Ulead Systems"
2006-05-11 03:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-10 23:04:46 ( .D... ) "C:\Program Files\KWorld Multimedia"
2006-05-10 22:15:30 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\CyberLink"
2006-05-10 22:11:56 ( .D... ) "C:\Program Files\CyberLink"
2006-05-10 00:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-10 00:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 00:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-10 00:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 00:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-10 00:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-10 00:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-10 00:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-10 00:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-10 00:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 00:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-10 00:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 00:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 00:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-10 00:23:00 55808 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 00:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 21:52:26 ( .D... ) "C:\Program Files\XNote Stopwatch"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-07 23:33 534,827,008 C:\hiberfil.sys
2006-07-07 05:45 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 05:45 11,776 C:\WINDOWS\system32\ZPORT4AS.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AS00_Gear311T"="C:\\Program Files\\NETGEAR\\WG311TSU\\Utility\\Gear311T.exe -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"RemoteControl"="\"f:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"PVR Agent"="C:\\Program Files\\KWorld Multimedia\\PVR Plus\\TVR\\Scheduled.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIA.EXE /P30 \"EPSON Stylus Photo R220 Series\" /M \"Stylus Photo R220\" /EF \"HKCU\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.geocities...net/avatar.gif"
"SubscribedURL"="http://www.geocities...net/avatar.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,90,01,00,00,74,01,00,00,50,00,00,00,50,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,d0,03,00,00,74,01,00,00,50,00,00,00,50,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,e7,02,41,c0,b4,74,a0,c1,d1,02,68,de,e7,02,20,6d,\
e7,02,a5,d1,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\vds
HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\vds
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Fri 07/07/2006 23:38:46.40
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt


HijackThis.log
Logfile of HijackThis v1.99.1
Scan saved at 11:53:22 PM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Wayne\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Okay! Where do we go next?

#8
Wizard
Retired Staff
If you will, right-click the desktop and select New --> Compressed (Zipped) Folder

Name it files.zip

Take these 2 and place them in the newly created folder

C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip

C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp

Upload that folder Here

If the upload is successful, delete the new folder you just created.



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#9
OTHG_Wayne
Topic Starter
I uploaded those two files you wanted to see.

Then I downloaded and ran F-Secure and the Scan Report is below.

Scanning Report
Saturday, July 08, 2006 10:01:40 - 11:16:06
Computer name: DADDY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\


--------------------------------------------------------------------------------

Result: 5 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
Trojan.Win32.Crypt.t (virus)
C:\WINDOWS\SYSTEM32\IPVBDNO1.EXE (Renamed & Submitted)
W32/Agent.NMH.dropper (virus)
C:\!KILLBOX\DHAXI.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28511
System: 6906
Not scanned: 8
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
None: 3
Submitted: 2
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-07
F-Secure Libra: 2.4.1, 2006-07-04
F-Secure Orion: 1.2.37, 2006-07-06
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-06-04
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------



What is next on our journey?
I am ready and willing to kick the butts of those who infect folks with this stuff.

#10
Wizard
Retired Staff
See if you can find and delete the file F-Secure renamed.

C:\WINDOWS\SYSTEM32\IPVBDNO1.EXE

May look like this now-> C:\WINDOWS\SYSTEM32\IPVBDNO1.0XE


Run ComboFix once more and post those results.

I'm heading out for a bit, will check in later to see how things are running.

#11
OTHG_Wayne
Topic Starter
I found and deleted C:\WINDOWS\SYSTEM32\IPVBDNO1.0XE

Here are the results from the ComboFix I just ran...

Start Time= Sat 07/08/2006 11:58:24.82
Running from: C:\Documents and Settings\Wayne\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-06 00:14:56 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\TrojanHunter"
2006-07-05 23:52:40 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2006-07-05 23:52:32 ( .D... ) "C:\Program Files\TrojanHunter 4.5"
2006-07-05 06:24:02 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-04 22:40:00 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-22 05:47:18 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-06-21 20:36:10 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Xfire"
2006-06-09 20:53:56 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Vso"
2006-06-09 20:46:20 ( .D... ) "C:\Program Files\DVDFab Express"
2006-06-08 20:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-06 21:45:36 ( .D... ) "C:\Program Files\DVDFab Decrypter"
2006-06-06 06:06:08 ( .D... ) "C:\Program Files\Chord Alchemy 4"
2006-06-01 13:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 10:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-22 21:01:26 ( .D... ) "C:\Program Files\Aspect2"
2006-05-21 19:37:16 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\ArcSoft"
2006-05-21 19:14:46 ( .D... ) "C:\Program Files\EPSON Print CD"
2006-05-21 19:09:40 ( .D... ) "C:\Program Files\EPSON"
2006-05-19 20:03:50 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Ahead"
2006-05-19 10:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 00:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-11 17:28:04 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\Ulead Systems"
2006-05-11 07:06:20 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-05-11 06:39:46 ( .D... ) "C:\Program Files\Windows Media Components"
2006-05-11 06:37:22 ( .D... ) "C:\Program Files\Common Files\Ulead Systems"
2006-05-11 03:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-10 23:04:46 ( .D... ) "C:\Program Files\KWorld Multimedia"
2006-05-10 22:15:30 ( .D... ) "C:\Documents and Settings\Wayne\Application Data\CyberLink"
2006-05-10 22:11:56 ( .D... ) "C:\Program Files\CyberLink"
2006-05-10 00:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-10 00:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 00:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-10 00:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 00:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-10 00:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-10 00:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-10 00:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-10 00:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-10 00:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 00:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-10 00:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 00:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 00:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-10 00:23:00 55808 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 00:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 21:52:26 ( .D... ) "C:\Program Files\XNote Stopwatch"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-07 23:33 534,827,008 C:\hiberfil.sys
2006-07-07 05:45 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 05:45 11,776 C:\WINDOWS\system32\ZPORT4AS.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AS00_Gear311T"="C:\\Program Files\\NETGEAR\\WG311TSU\\Utility\\Gear311T.exe -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"RemoteControl"="\"f:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"PVR Agent"="C:\\Program Files\\KWorld Multimedia\\PVR Plus\\TVR\\Scheduled.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIA.EXE /P30 \"EPSON Stylus Photo R220 Series\" /M \"Stylus Photo R220\" /EF \"HKCU\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.geocities...net/avatar.gif"
"SubscribedURL"="http://www.geocities...net/avatar.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,90,01,00,00,74,01,00,00,50,00,00,00,50,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,d0,03,00,00,74,01,00,00,50,00,00,00,50,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,e7,02,41,c0,b4,74,a0,c1,d1,02,68,de,e7,02,20,6d,\
e7,02,a5,d1,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\vds
HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\vds
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Sat 07/08/2006 11:58:49.45
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-08.115824.txt
  • 0

#12 Wizard (Retired Staff, 5,661 posts)
All right, let's see what's left over!


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#13 OTHG_Wayne (Topic Starter, Member, 12 posts)
WOW, that Kaspersky scan took a while, almost two hours. LOL.

Here's the output...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 09, 2006 6:15:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/07/2006
Kaspersky Anti-Virus database records: 205968
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 74532
Number of viruses found: 20
Number of infected objects: 50 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:56:57

Infected Object Name / Virus Name / Last Action
C:\!KillBox\2504041110.exe/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.c skipped
C:\!KillBox\2504041110.exe/WISE0007.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\!KillBox\2504041110.exe/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\!KillBox\2504041110.exe WiseSFX: infected - 3 skipped
C:\!KillBox\2504041110.exe WiseSFX Dropper: infected - 3 skipped
C:\!KillBox\DHaxi.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\!KillBox\DHaxi.exe NSIS: infected - 1 skipped
C:\!KillBox\ezStub3.dll.tcf Infected: not-a-virus:AdWare.Win32.EZula.a skipped
C:\!KillBox\Xcite.dll.tcf Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Wayne\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Wayne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Wayne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Wayne\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Wayne\ntuser.dat Object is locked skipped
C:\Documents and Settings\Wayne\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip/Documents and Settings/Wayne/local settings/temp/auf0.exe/data0000.bin Infected: Trojan-Downloader.Win32.Envolo.a skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip/Documents and Settings/Wayne/local settings/temp/auf0.exe/data0001.bin Infected: Trojan-Downloader.Win32.Apropo.bb skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip/Documents and Settings/Wayne/local settings/temp/auf0.exe Infected: Trojan-Downloader.Win32.Apropo.bb skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20041130114808203.zip ZIP: infected - 3 skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20050829022248.zip/iinstall.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20050829022248.zip ZIP: suspicious - 1 skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908031144.zip/iinstall.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908031144.zip ZIP: suspicious - 1 skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp Infected: Trojan-Downloader.Win32.Apropo.bd skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp\bundles.exe.tcf Infected: Trojan.Win32.SecondThought.ba skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1044\A0112158.exe/stream/data0139 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1044\A0112158.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1044\A0112158.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1065\A0113851.tlb Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1066\A0113862.tlb Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0113872.tlb Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0113879.tlb Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114151.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aw skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114152.exe Infected: Trojan-Downloader.Win32.Zlob.ww skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114153.dll Infected: not-a-virus:AdWare.Win32.Sahat.g skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114154.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114180.exe Infected: Trojan.Win32.SecondThought.ba skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114181.dll Infected: not-a-virus:AdWare.Win32.EZula.a skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1067\A0114182.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1068\A0114200.dll Infected: Trojan-Dropper.Win32.Agent.of skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1068\A0114236.exe Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1068\A0114239.exe Infected: Trojan-Downloader.Win32.Zlob.wp skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1068\A0114240.tlb Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114282.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114282.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114285.exe/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.c skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114285.exe/WISE0007.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114285.exe/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114285.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1069\A0114285.exe WiseSFX Dropper: infected - 3 skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1070\A0114350.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\RP1071\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N63M2912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N63M2912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N63M2912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5_0001_N63M2912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5_0001_N63M2912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\367pgrpf.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\g8jb8lir.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\j20mjdtb.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\uk100r6u.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Let me know what's next.
  • 0
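The triage Wizard did by eye on the report above (ignoring hits that sit in !KillBox, the Yahoo! quarantine and System Restore points, and pulling out the live files under WINDOWS) can be scripted. This is an added Python example, not part of the original thread; the sample report lines are constructed from the format quoted above, and the prefix list is an assumption about which locations count as already contained.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky Online Scanner report format quoted in
# this thread (representative lines only, not the full report).
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\!KillBox\\DHaxi.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\\!KillBox\\DHaxi.exe NSIS: infected - 1 skipped
C:\\Documents and Settings\\Wayne\\ntuser.dat Object is locked skipped
C:\\Program Files\\Yahoo!\\YPSR\\Quarantine\\20050829022248.zip/iinstall.exe Suspicious: Password-protected-EXE skipped
C:\\System Volume Information\\_restore{CF44805D-31AD-44D1-A449-DE4B5EC5E645}\\RP1067\\A0113872.tlb Infected: Trojan-Downloader.Win32.Zlob.xj skipped
C:\\WINDOWS\\Downloaded Program Files\\CONFLICT.1\\UWFX5_0001_N63M2912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\\WINDOWS\\system32\\367pgrpf.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped

Scan process completed.
"""

# One detection line: <path> (Infected: <name> | Suspicious: <name> | Object is locked) <action>
# Container summary lines ("NSIS: infected - 1") deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<verdict>Infected|Suspicious): (?P<name>\S+)|Object is locked) (?P<action>\S+)$"
)

# Assumed set of locations where a hit is an already-contained copy, not a live file.
CONTAINED_PREFIXES = (
    "\\!KillBox\\",                            # files already moved by Pocket KillBox
    "\\YPSR\\Quarantine\\",                    # Yahoo! anti-spy quarantine
    "\\System Volume Information\\_restore",   # System Restore snapshots
)

def classify_path(path):
    """Return 'contained' for quarantine/restore-point copies, else 'live'."""
    return "contained" if any(p in path for p in CONTAINED_PREFIXES) else "live"

def parse_report(text):
    """Parse detection lines into dicts; header, blank and locked-object lines are dropped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("verdict") is None:
            continue
        # The on-disk file is everything before the first '/', which separates archive members.
        disk_path = m.group("path").split("/", 1)[0]
        hits.append({"file": disk_path, "verdict": m.group("verdict"),
                     "name": m.group("name"), "scope": classify_path(disk_path)})
    return hits

def triage(text):
    """Group unique on-disk files by scope so the live infections stand out."""
    groups = defaultdict(set)
    for h in parse_report(text):
        groups[h["scope"]].add(h["file"])
    return {scope: sorted(files) for scope, files in groups.items()}

if __name__ == "__main__":
    for scope, files in triage(SAMPLE_REPORT).items():
        print(scope, files)
```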

#14 Wizard (Retired Staff, 5,661 posts)
Go to Safe Mode and Open Killbox.

Copy & paste each entry below, one at a time, into Killbox

C:\WINDOWS\Downloaded Program Files\CONFLICT.1

C:\WINDOWS\Downloaded Program Files\CONFLICT.2

C:\WINDOWS\Downloaded Program Files\CONFLICT.3

C:\WINDOWS\Downloaded Program Files\CONFLICT.4

C:\WINDOWS\Downloaded Program Files\CONFLICT.6

C:\WINDOWS\system32\367pgrpf.ini

C:\WINDOWS\system32\g8jb8lir.ini

C:\WINDOWS\system32\j20mjdtb.ini

C:\WINDOWS\system32\uk100r6u.ini



As you paste each entry in, place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete

Do this for each of the above entries please.


Restart Normal and Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools.../downloads.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?
  • 0

#15 OTHG_Wayne (Topic Starter, Member, 12 posts)
I believe everything looks very clean. Hijacks have stopped and there are no other signs that there is anything lurking in my system somewhere. If the reports I've been sending look good, then I'd say the "CLEAN" is complete.

Many thanks and may blessings be heaped upon you.

Well DONE! :whistling:
  • 0