Cowabanga, BraveSentry, ActiveX and Look2Me are causing me problems - Geeks to Go Forums


Cowabanga, BraveSentry, ActiveX and Look2Me are causing me problems. I've done everything I can think of; could it be time to re-format?

#1 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

  Posted 22 August 2006 - 01:26 AM

My problem is fairly simple: one of my younger siblings downloaded a game called "Cowabanga" onto our computer. Now it has a pretty much continuous stream of pop-ups and sometimes will suddenly decide to shut down. I have used 'Spy-Bot: Search and Destroy', 'ewido', 'Ad-aware SE Personal', 'CleanUp!' and 'CWShredder', and they have helped. But they haven't helped nearly enough. I tried 'A-Squared' and that shut down every time I tried to delete things. Also, that Panda thing wouldn't start downloading. I have also tried 'Trojan Hunter', which seems to be doing what it's supposed to, but is having trouble keeping these things off my computer. 'Spy-Bot - Search and Destroy' should also do that but has failed to so far.

I did what you told me to in the directions as much as I could. My computer wouldn't let me do either of the online scans. Upon figuring out that they weren't going to work, I moved on to checking for updates for my computer. This also failed, though it was no surprise because we haven't been able to correctly download updates for some time now. Following your steps, I rebooted and, though it was better, I was still getting pop-ups and still having things detected on the scans.

Also, every time I turn my computer on or reboot it, it comes up with an error:
the title is: 'RUNDLL'
then it says: 'Error loading w1d952f5.dll
The specific module could not be found.'

I know I had all of these threats on my computer, but I’m not sure if they are still there:
Cowabanga
Mirar
BraveSentry
WinAntiVirus2006
ActiveX
System Doctor 2006
Look2Me
QooLogic
SpySheriff
Zedo
Among several others…


Logfile of HijackThis v1.99.1
Scan saved at 10:12:14 PM, on 8/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TmFuY3kgU3VybWE\command.exe
C:\Documents and Settings\Nancy\My Documents\security suite\ewidoctrl.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\plsxcnfA.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\xload.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\sys101010110708.exe
C:\WINDOWS\System32\90036491.exe
C:\nwnmff_12.exe
C:\dfndrff_12.exe
C:\kybrdff_12.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\TEMP\73.tmp3072.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nancy\My Documents\download\sunken\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\bbfre.exe
F2 - REG:system.ini: UserInit=userinit.exe,lwmvopq.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [alav] C:\WINDOWS\alav.exe
O4 - HKLM\..\Run: [gdfehmal] C:\WINDOWS\System32\gdfehmal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [=TPM] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SDiskDaemon] C:\WINDOWS\sdiskmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [baqpav] C:\WINDOWS\System32\llzguvr.exe r
O4 - HKLM\..\Run: [plsxcnfA] C:\WINDOWS\plsxcnfA.exe
O4 - HKLM\..\Run: [ehz32db1] RUNDLL32.EXE w1d952f5.dll,n 00332dae000000031d952f5
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [sys101010110708] C:\WINDOWS\sys101010110708.exe
O4 - HKLM\..\Run: [90036491.exe] C:\WINDOWS\System32\90036491.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_12.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [dmbtex] C:\WINDOWS\System32\dmbtex.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [90036491.exe] C:\Documents and Settings\Nancy\Local Settings\Application Data\90036491.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\TEMP\73.tmp3072.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoc....reeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O20 - Winlogon Notify: FS Templates - C:\WINDOWS\system32\m6nq0g55e6.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFuY3kgU3VybWE\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Nancy\My Documents\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)


Thank you so much for your help.

#2 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 22 August 2006 - 04:01 AM

Hello Nancy and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans. Let's see what we can do to remove the format option; it might take a few hits.

You do not appear to have any antivirus programme running on your PC; we must correct that immediately.

Download:
AVG ANTIVIRUS FREE EDITION

Install AVG, update its virus definitions and perform a full system scan before proceeding any further.

Please disable Trojan Hunter. Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right-click it and select Settings. Uncheck Load at startup and Enabled.

Please uninstall Ewido since the version you have is out of date. We can download an updated version which will give you a fresh 30-day trial.

Look in your Control Panel's Add/Remove Programs for:
PuritySCAN By OIN
OuterInfo
OIN or similar
Yazzle by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it. Click on each one you find and click Remove.

Reboot and delete this folder if found: C:\Program Files\PurityScan\

If it is not listed, download and run this uninstaller: outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
Ewido Anti Spyware
CWShredder
cwsserviceemove.reg file
combofix.exe

Now please install CWShredder and run it. Click Check For Update, then Fix, then OK followed by Next; let it fix everything it asks about.

Right-click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right-click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Command Service (cmdService)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

cmdService

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Please install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.

  • After the update finishes (the status bar at the bottom will display "Update successful")

  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Deselect "Only if threats were found"
    • Close Ewido. Do not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.

  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).

  • Please ensure you post that log in your reply.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\bbfre.exe
F2 - REG:system.ini: UserInit=userinit.exe,lwmvopq.exe
O4 - HKLM\..\Run: [alav] C:\WINDOWS\alav.exe
O4 - HKLM\..\Run: [gdfehmal] C:\WINDOWS\System32\gdfehmal.exe
O4 - HKLM\..\Run: [=TPM] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SDiskDaemon] C:\WINDOWS\sdiskmon.exe
O4 - HKLM\..\Run: [baqpav] C:\WINDOWS\System32\llzguvr.exe r
O4 - HKLM\..\Run: [plsxcnfA] C:\WINDOWS\plsxcnfA.exe
O4 - HKLM\..\Run: [ehz32db1] RUNDLL32.EXE w1d952f5.dll,n 00332dae000000031d952f5
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [sys101010110708] C:\WINDOWS\sys101010110708.exe
O4 - HKLM\..\Run: [90036491.exe] C:\WINDOWS\System32\90036491.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_12.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKCU\..\Run: [dmbtex] C:\WINDOWS\System32\dmbtex.exe
O4 - HKCU\..\Run: [90036491.exe] C:\Documents and Settings\Nancy\Local Settings\Application Data\90036491.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\TEMP\73.tmp3072.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoc....reeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O20 - Winlogon Notify: FS Templates - C:\WINDOWS\system32\m6nq0g55e6.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFuY3kgU3VybWE\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please reboot normally

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\TmFuY3kgU3VybWE\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\plsxcnfA.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\sys101010110708.exe
C:\WINDOWS\System32\90036491.exe
C:\nwnmff_12.exe
C:\dfndrff_12.exe
C:\kybrdff_12.exe
C:\WINDOWS\TEMP\73.tmp3072.exe
C:\Program Files\Deskbar\deskbar.dll
C:\WINDOWS\System32\bbfre.exe
c:\windows\system32\lwmvopq.exe
C:\WINDOWS\alav.exe
C:\WINDOWS\System32\gdfehmal.exe
C:\windows\mrjj.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\sdiskmon.exe
C:\WINDOWS\System32\llzguvr.exe
c:\windows\system32\w1d952f5.dll
C:\WINDOWS\System32\dmbtex.exe
C:\Documents and Settings\Nancy\Local Settings\Application Data\90036491.exe
c:\windows\system32\stonedrv.exe
C:\WINDOWS\system32\m6nq0g55e6.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default settings in the left-hand pane, ensure you uncheck Old Prefetch data under the System tab, and under the heading Applications uncheck Ewido Security Suite log, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please)
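The entries Crustyoldbloke ticks for Fix Checked above follow a few recognisable patterns in the log from post #1: the system.ini Shell and UserInit chains carry an extra program, several Run entries launch from the drive root or TEMP, the rundll32 entry names w1d952f5.dll without a directory (the module behind the RUNDLL error at boot), every Trusted Zone domain is an adware site, a Winlogon Notify DLL has a random name, and the cmdService binary sits in a folder whose name, TmFuY3kgU3VybWE, is Base64 for the account name that appears in the ewido report later in this thread. The script below is an added example, not code from the thread or from HijackThis: it applies those checks to a constructed subset of the log and reports review candidates. The rule names, the list of suspicious directories and the 12-character Base64 threshold are my own assumptions, and a flagged line still needs the human decision the helper makes in post #2.

```python
"""Heuristic triage of a HijackThis-style log (Python 3.8+, standard library only).
Added example, not code from the thread or from HijackThis: flags the kinds of
entries a removal helper checks first. Rules are review heuristics, not verdicts."""
import base64
import re

# Constructed sample: a subset of the lines from the log in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\bbfre.exe
F2 - REG:system.ini: UserInit=userinit.exe,lwmvopq.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ehz32db1] RUNDLL32.EXE w1d952f5.dll,n 00332dae000000031d952f5
O4 - HKLM\..\Run: [newname] C:\\nwnmff_12.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\TEMP\73.tmp3072.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O15 - Trusted Zone: *.winfixer.com
O20 - Winlogon Notify: FS Templates - C:\WINDOWS\system32\m6nq0g55e6.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFuY3kgU3VybWE\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Places a legitimate Run entry rarely launches from (matched against a lower-cased
# path with doubled backslashes collapsed). These thresholds are my own assumptions.
SUSPICIOUS_DIRS = [
    (r"^[a-z]:\\[^\\]+$", "executable in drive root"),
    (r"^[a-z]:\\windows\\[^\\]+$", "executable in Windows root"),
    (r"\\temp\\", "executable in a TEMP directory"),
    (r"\\local settings\\", "executable under Local Settings"),
]
B64_COMPONENT = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")

def normalise_path(raw: str) -> str:
    return re.sub(r"\\+", r"\\", raw.strip().strip('"')).lower()

def command_target(command: str) -> str:
    """Path of the program (or, for rundll32, the module) an O4 entry launches."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if parts and parts[0].lower() in ("rundll32.exe", "rundll32") and len(parts) > 1:
        return parts[1].split(",")[0]
    return parts[0] if parts else ""

def decode_base64_component(path: str):
    """Decoded text if a directory name in the path is Base64 of printable ASCII, else None."""
    for comp in path.split("\\"):
        if not B64_COMPONENT.match(comp):
            continue
        try:  # re-add the '=' padding a folder name usually drops
            text = base64.b64decode(comp + "=" * (-len(comp) % 4), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable() and any(c.isalpha() for c in text):
            return text
    return None

def triage(log_text: str):
    """Return (reason, line) pairs for entries that deserve a reviewer's attention."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "http" in line:
            findings.append(("IE start/search page set; confirm the user chose it", line))
        elif kind == "F2":  # system.ini Shell/UserInit: any program beyond the stock one is a logon hook
            m = re.search(r"(Shell|UserInit)=(.*)$", line, re.I)
            if m:
                key, value = m.group(1), m.group(2).strip()
                stock = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
                names = [normalise_path(p).rsplit("\\", 1)[-1] for p in value.split(",") if p.strip()]
                if names != [stock]:
                    findings.append((f"{key} chain altered: {value}", line))
        elif kind == "O4":
            m = re.search(r"\]\s*(.*)$", line)
            if m:
                norm = normalise_path(command_target(m.group(1)))
                if "\\" not in norm and "rundll32" in m.group(1).lower():
                    findings.append(("rundll32 module named without a directory", line))
                for pattern, reason in SUSPICIOUS_DIRS:
                    if re.search(pattern, norm):
                        findings.append((reason, line))
                        break
        elif kind == "O15":
            findings.append(("Trusted Zone domain; review every added entry", line))
        elif kind == "O20":
            findings.append(("Winlogon Notify DLL; a common persistence point", line))
        elif kind == "O23":
            if "Unknown owner" in line and "(file missing)" not in line:
                findings.append(("service with no publisher", line))
            decoded = decode_base64_component(line.rsplit(" - ", 1)[-1])
            if decoded:
                findings.append((f"directory name is Base64 for '{decoded}'", line))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns ten findings: the start page, both F2 chains, the three odd Run entries, the Trusted Zone domain, the Winlogon Notify DLL, and two for cmdService (no publisher, plus the decoded folder name). The NvCpl, THGuard and NVIDIA service lines pass every rule, which is the point: location and provenance separate the vendor entries from the rest before anyone looks up a file name.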

#3 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

Posted 22 August 2006 - 02:28 PM

Yeah... I don't have cmdService in Services.msc...
Is there somewhere else I should look? Or am I doing it wrong?

#4 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 22 August 2006 - 03:00 PM

No, I'm sure you are not doing anything wrong; it's just malware and its foibles. Try doing it this way just in case it is hidden, but continue with the rest of the fix please.

Go to Start > Run and type or copy & paste this into the Run box:

sc delete cmdService

Hit ENTER

#5 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

Posted 22 August 2006 - 07:37 PM

Here's the Log from 'Ewido'

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:19:54 PM 8/22/2006

+ Scan result:



HKU\S-1-5-21-1275210071-789336058-682003330-500\Software\aurora -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203975.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203976.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\TmFuY3kgU3VybWE\asappsrv.dll.tcf -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\TmFuY3kgU3VybWE\command.exe.tcf -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203098.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203099.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203101.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203102.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203118.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203121.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203128.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203272.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203520.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203524.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203529.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203533.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203550.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203554.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203572.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203893.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203905.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203915.exe.tcf -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203930.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203937.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203978.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203992.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203993.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204005.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204006.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204008.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204009.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\aytiveds.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\guard.tmp -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\narszht.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203106.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\amm06.ocx.tcf -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-789336058-682003330-500\Software\WebInstall -> Adware.NetworkEssentials : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203103.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203570.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203573.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203110.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203113.dll.tcf -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203997.DLL -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204000.EXE -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204001.EXE -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204002.EXE -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204007.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203912.exe.tcf -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP516\A0199725.exe.tcf -> Downloader.Small.dnk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0201053.exe.tcf -> Downloader.Small.dnk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0202111.exe.tcf -> Downloader.Small.dnk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203105.exe -> Downloader.VB.akq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203117.exe -> Downloader.VB.akq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203545.exe -> Downloader.VB.akq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0203999.exe -> Downloader.VB.akq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203104.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP520\A0204003.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203111.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\XZJ7TPKE\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D18M2707NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203109.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\F4WG49QF\klite.ath[1] -> Not-A-Virus.Exploit.Win32.MS05013 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP519\A0203955.EXE.tcf -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP516\A0199746.exe -> Proxy.Lager.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0201064.exe -> Proxy.Lager.a : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\taskdir.exe_tobedeleted -> Proxy.Lager.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0201065.exe -> Proxy.Lager.cy : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Nancy Surma\Cookies\nancy surma@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203100.exe.tcf -> Trojan.Dialer.pw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203107.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5617E91-B3FB-4CE2-BC74-B772B8AFFDCC}\RP518\A0203108.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).

::Report end

Here's the one from 'combofix':

Nancy Surma - 06-08-22 18:20:39.14
ComboFix 06.08.18 - Running from: C:\Program Files\MSN\MSNCoreFiles

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\teller2.chk
C:\WINDOWS\winsysupd101.dat
C:\dfndrff_12.exe
C:\drsmartload.exe
C:\drsmartload45a3344a.exe
C:\drsmartload46a3344a.exe
C:\drsmartload849a3344a.exe
C:\kybrdff_12.exe
C:\MTE3NDI6ODoxNg.exe
C:\nwnmff_12.exe
C:\Documents and Settings\Nancy Surma\Local Settings\Temporary Internet Files\Content.IE5\K3TRUY71\drsmartload849a[1].exe
C:\deskbar.exe
C:\Installer3.exe
C:\mte3ndi6odoxng.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\SYSTEM32\atmtd.dll
C:\WINDOWS\SYSTEM32\atmtd.dll._
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\winupdates
C:\WINDOWS\Duce6.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\WINDOWS\TmFuY3kgU3VybWE
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\WINDOWS\TmFuY3kgU3VybWE
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\WINDOWS\TmFuY3kgU3VybWE
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\SSEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-22 to 2006-08-22 ))))))))))))))))))))))))))))))))))


2006-08-22 18:09 106,496 C:\WINDOWS\Duce6.exe
2006-08-22 13:20 159,744 C:\WINDOWS\win32080810101107.exe
2006-08-20 17:37 53,248 C:\WINDOWS\system32\Process.exe
2006-08-20 17:37 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-20 17:37 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-20 17:37 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-20 16:37 0 C:\WINDOWS\test3.exe
2006-08-19 23:24 0 C:\WINDOWS\system32\wancp.dll
2006-08-18 19:37 57,344 C:\WINDOWS\system32\senssrv.dll
2006-08-18 18:12 2,560 C:\WINDOWS\_MSRSTRT.EXE
2006-08-18 16:15 1,060,864 C:\WINDOWS\system32\mfc71.dll
2006-08-18 16:11 186,223 C:\WINDOWS\srvifhtukd.exe
2006-08-18 16:11 1,167 C:\WINDOWS\system32\ehz32db1.sys
2006-08-18 16:10 459 C:\WINDOWS\jnuuu.dll
2006-08-18 16:09 115,160 C:\WINDOWS\Eim03.exe
2006-08-14 17:52 78,848 C:\WINDOWS\system32\nst2B.dll

And here's the one from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:15 PM, on 8/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\win32080810101107.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\Nancy Surma\My Documents\download\sunkensoul\HijackThis.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [win32080810101107] C:\WINDOWS\win32080810101107.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)

#6 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 23 August 2006 - 02:09 AM

Hello again

Thank you for the logs provided, we will clear the restore points later in a future fix.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKLM\..\Run: [win32080810101107] C:\WINDOWS\win32080810101107.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\win32080810101107.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\wancp.dll
C:\WINDOWS\system32\senssrv.dll
C:\WINDOWS\srvifhtukd.exe
C:\WINDOWS\system32\ehz32db1.sys
C:\WINDOWS\jnuuu.dll
C:\WINDOWS\Eim03.exe
C:\WINDOWS\system32\nst2B.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
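The "Delete on Reboot" step above, and the PendingFileRenameOperations prompt it warns about, both rely on one Windows mechanism: a tool asks for a deferred operation with MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT), and Windows queues it as the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The following decoder is an added example, not part of this thread, of Killbox or of HijackThis. It shows how that value is laid out (flat source/destination pairs, an empty destination meaning "delete"), so you can confirm what is actually queued before rebooting. The sample value is constructed to mirror the two autorun files named in the fix plus one constructed rename; `read_live_value` reads the real key only on Windows.

```python
"""Decode the PendingFileRenameOperations registry value.

Added example, not from the thread or from Killbox. "Delete on Reboot"
tools call MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT); Windows records
the request under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager
as PendingFileRenameOperations (REG_MULTI_SZ): a flat list of
(source, destination) string pairs. An empty destination means "delete at
next boot"; a non-empty one means "rename". Paths normally carry the NT
namespace prefix \\??\\ and a destination may start with "!" to request
that an existing file be overwritten.
"""
import os
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"  # the literal four characters \??\

# Constructed sample (not read from any real machine): the two autorun
# files named in the fix scheduled for deletion, plus one constructed
# rename so both forms are exercised.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\win32080810101107.exe", "",
    "\\??\\C:\\WINDOWS\\Duce6.exe", "",
    "\\??\\C:\\WINDOWS\\system32\\SET1.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
]


def strip_nt_prefix(path: str) -> str:
    """Turn \\??\\C:\\x into C:\\x; leave any other path untouched."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def is_well_formed(multi_sz: List[str]) -> bool:
    """Every source string must be followed by a destination slot."""
    return len(multi_sz) % 2 == 0


def decode_pending_ops(multi_sz: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (source, destination) pairs; destination is None for a delete."""
    if not is_well_formed(multi_sz):
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops = []
    for i in range(0, len(multi_sz), 2):
        src = strip_nt_prefix(multi_sz[i])
        raw_dst = multi_sz[i + 1]
        # "" = delete; "!\??\path" = replace-existing rename; "\??\path" = plain rename
        dst = strip_nt_prefix(raw_dst.lstrip("!")) if raw_dst else None
        ops.append((src, dst))
    return ops


def pending_deletes(multi_sz: List[str]) -> List[str]:
    """Only the files scheduled for deletion at the next boot."""
    return [src for src, dst in decode_pending_ops(multi_sz) if dst is None]


def read_live_value() -> List[str]:
    """Read the real value on a Windows host; [] when nothing is pending."""
    import winreg  # Windows-only module, imported lazily so the rest runs anywhere
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SYSTEM\CurrentControlSet\Control\Session Manager",
    )
    try:
        value, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)
    return list(value)


if __name__ == "__main__":
    source = read_live_value() if os.name == "nt" else SAMPLE_VALUE
    for src, dst in decode_pending_ops(source):
        kind = "DELETE" if dst is None else "RENAME"
        print(f"{kind:6} {src}" + (f" -> {dst}" if dst else ""))
```

Run it after clicking Delete File but before the reboot and the queued list should contain exactly the paths you pasted into Killbox; anything extra in that value was queued by some other program and deserves a look.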

#7 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

Posted 24 August 2006 - 02:20 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:18:02 AM, on 8/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\Nancy\My Documents\download\sunken\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{996C239D-142F-408A-97A1-850F19271E6C}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
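Comparing the 22 August and 24 August HijackThis logs by eye is how the helper confirmed the fix took; because every HijackThis finding is one line with a section code (O4, O6, O17, ...), the same comparison is easy to automate. This is an added example, not from the thread or from HijackThis. The two excerpts are copied from the logs posted above and trimmed to their O4/O6/O12/O17 lines; the "executable directly under C:\WINDOWS" heuristic is an assumption of this example, chosen because it is what singled out the two entries the helper had the poster fix.

```python
"""Diff two HijackThis logs and flag Run entries whose .exe sits in C:\\WINDOWS.

Added example, not from the thread or from HijackThis. Each finding is a
line "Oxx - ..."; treating each line as an opaque key makes a before/after
comparison a set difference. The excerpts are copied from the two logs
posted in this thread (22 Aug and 24 Aug 2006), trimmed to O4/O6/O12/O17.
"""
import re
from typing import List, Set, Tuple

ENTRY_RE = re.compile(r"^O\d+ - ")

BEFORE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [win32080810101107] C:\WINDOWS\win32080810101107.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{996C239D-142F-408A-97A1-850F19271E6C}: NameServer = 205.171.3.65,205.171.2.65
"""


def parse_entries(log: str) -> Set[str]:
    """One set element per 'Oxx - ...' finding; other lines are ignored."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) findings between two logs, sorted for stable output."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)


# Heuristic (an assumption of this example, not a HijackThis rule): a Run
# entry whose target .exe lives directly in C:\WINDOWS rather than in
# system32 or Program Files is unusual for legitimate software.
WINDOWS_ROOT_EXE = re.compile(r"C:\\WINDOWS\\[^\\\s]+\.exe\b", re.IGNORECASE)


def suspicious_autoruns(log: str) -> List[str]:
    """O4 entries matching the C:\\WINDOWS-root heuristic."""
    return sorted(
        e for e in parse_entries(log)
        if e.startswith("O4 - ") and WINDOWS_ROOT_EXE.search(e)
    )


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed since previous log:")
    for e in removed:
        print("  -", e)
    print("New since previous log (review these too):")
    for e in added:
        print("  +", e)
    print("Flagged by heuristic in the older log:", suspicious_autoruns(BEFORE_LOG))
```

Added lines matter as much as removed ones: here the only addition is an O17 NameServer entry, which is the DNS configuration for an interface, and any change there between two logs is worth confirming against what the ISP or router is expected to hand out.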

#8 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 24 August 2006 - 02:30 AM

Hello again

The log looks very good, but because the topic title includes Brave Sentry, I am going to request one more scan to be sure.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder (right click and choose Extract All) and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy & paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note: process.exe is detected by some antivirus programmes (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a programme used to stop system processes. Antivirus programmes cannot distinguish between "good" and "malicious" use of such programmes, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#9 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

Posted 24 August 2006 - 02:34 AM

SmitFraudFix v2.81

Scan done at 1:33:08.00, Thu 08/24/2006
Run from C:\Documents and Settings\Nancy Surma\My Documents\download\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nancy Surma\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\NANCYS~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows Media Player\\podo.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\NetMeeting\\mebeqa.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="file:///C:/WINDOWS/Temporary%20Internet%20Files/Content.IE5/O9GX6RGT/promodll%5B1%5D.dll_GetPromo_El_img_3b_SG__RAND_72590"
"SubscribedURL"="file:///C:/WINDOWS/Temporary%20Internet%20Files/Content.IE5/O9GX6RGT/promodll%5B1%5D.dll_GetPromo_El_img_3b_SG__RAND_72590"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#10 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 24 August 2006 - 02:43 AM

Congratulations! Your new log is clean. :whistling: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :blink:

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.
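The MVPS hosts file recommended above works by mapping ad hostnames to 127.0.0.1 (some lists use 0.0.0.0), so the browser talks to the local machine instead of the ad server. The same file can map a name to any address at all, which is why it is worth auditing after a clean-up: entries pointing somewhere other than loopback are not blocks and need an explanation. The checker below is an added example, not from the thread or from the MVPS project; the sample hosts text is constructed from RFC 2606 example names and RFC 5737 documentation addresses, and `default_hosts_path` is this example's own helper for locating the live file.

```python
"""Audit a hosts file after installing a block list such as MVPS.

Added example, not from the thread or the MVPS project. Block-list entries
point hostnames at 127.0.0.1 or 0.0.0.0; an entry that points a hostname
at any other address is a redirect, not a block, and should be reviewed.
The sample is constructed (RFC 2606 names, RFC 5737 addresses).
"""
import ipaddress
import os
from typing import Dict, List, Tuple

SAMPLE_HOSTS = """\
# Constructed sample in the MVPS layout (not the real MVPS list)
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.net   # blocked: ad server
0.0.0.0     tracker.example.org pixel.example.org
192.0.2.10  update.example.com   # constructed: a non-local mapping to flag
not-an-ip   garbage.example.net
"""


def default_hosts_path() -> str:
    """Location of the live hosts file on Windows or a Unix-like system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname.

    Comments ('#' to end of line), blank lines and lines whose first field
    is not a valid IP address are skipped.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed first field: ignore the line
        for host in fields[1:]:
            pairs.append((addr, host.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, object]:
    """Split entries into block-list sinks and redirects; check localhost."""
    blocked: List[str] = []
    redirects: List[Tuple[str, str]] = []
    has_localhost = False
    for addr, host in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if host == "localhost":
            has_localhost = has_localhost or ip.is_loopback
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(host)  # MVPS-style sink entry
        else:
            redirects.append((host, addr))  # points a real name elsewhere
    return {"blocked": blocked, "redirects": redirects, "has_localhost": has_localhost}


if __name__ == "__main__":
    path = default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print(f"Auditing {path}")
    except OSError:
        text = SAMPLE_HOSTS
        print("Live hosts file not readable; auditing the constructed sample")
    result = audit_hosts(text)
    print(f"localhost mapped to loopback: {result['has_localhost']}")
    print(f"block-list entries: {len(result['blocked'])}")
    for host, addr in result["redirects"]:
        print(f"REVIEW: {host} -> {addr} (not a block entry)")
```

On a machine that has just had the MVPS file installed, the expected output is a large block-list count, `has_localhost` true, and an empty REVIEW list; a redirect line means either a deliberate local override or something the clean-up missed.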

#11 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

Posted 24 August 2006 - 03:17 AM

Thank you, I really did find it helpful.

I'm pretty sure I would have re-formatted my computer by now without your help. And that would have sucked... a lot.

I will download all those things you recommended and keep them as up-to-date as I can. Then, hopefully, I won't be needing your help anytime soon.

Thanks again,
~Retta

#12 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 24 August 2006 - 03:30 AM

You are very welcome.

I will leave this thread open for a few days in case of misfortune.

#13 Retta

  • Group: Member
  • Posts: 33
  • Joined: 20-August 06

Posted 24 August 2006 - 03:31 AM

Thanks, though I hope I don't need it ^.^

#14 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 24 August 2006 - 03:35 AM

I hope so too, but you never really know.

#15 Crustyoldbloke

  • Group: Retired Staff
  • Posts: 15,130
  • Joined: 20-March 05

Posted 03 September 2006 - 02:45 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
