Geeks to Go
Can't remove spyware (seeing "MediaMotor" and others)



#1 popechild (Member, 20 posts)
I'm really hoping someone here can help me! I opened a file I shouldn't have yesterday and immediately knew I'd made a boo-boo. I'm getting lots of pop-ups, redirects, other evidence of spyware, etc. I did as much as I could myself to try to remove everything, but can't seem to weed it all out.

This is a relatively new build of a machine, and I don't do much internet surfing on it normally, so I hadn't yet installed NAV on it unfortunately. Have never had problems before the one unfortunate download yesterday.

I've run the latest Ad-Aware multiple times. Started out seeing 100+ entries, have it down to only one now (MediaMotor). Same thing with the latest Spybot S&D - seems to have cleaned everything off but am still getting 2 entries for MediaMotor. Both programs appear to remove it successfully, but it comes back every time after a reboot.

Installed Windows Defender and it keeps popping up a warning about "TagAsaurus", which I remove, but the warning keeps popping up.

Installed ewido and ran in Safe Mode (after doing Ad-Aware and Spybot multiple times). It found lots of stuff that didn't show up in the others, appeared to quarantine it correctly, but after a reboot I still see the popups and Spybot still shows MediaMotor.

Also, don't know if these issues are related or not, but every time I reboot the computer (since I started trying to fix the problems last night) I'm getting a RunDLL error ("Error loading w0396490.dll. The specified module could not be found.") popping up. Also, I tried to install NAV 2006 after all this started and the preinstall scan fails (with no specific error message - it just says it has failed) and it won't let me install. Like I said, not sure if those issues are related or not.

Not sure what else I should do, or what info would be helpful - let me know and I'll be happy to do it. Here's the post of my most recent HJT log file:

****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 3:33:25 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
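
A quick triage of the O4/O15/O23 entries in the log above, as an added example that is not part of the thread and is not HijackThis code. It encodes the signals a malware-removal helper reads off such a log by eye: rundll32 loading a DLL by bare name with a one-letter export (the hvd177af entry, which is also the source of the "Error loading w0396490.dll" message at boot, since the Run value survives while the file is gone), executables launched from the user profile or from the Windows root, machine-generated names, 8.3 short paths, Trusted Zone additions, and services whose file is missing. The sample lines are copied from the posted log; the regular expressions, the allow-list and every function name are my own assumptions, and each hit is a prompt to check the file's publisher and location, not a verdict.

```python
"""Triage heuristics for the O4 / O15 / O23 sections of a HijackThis log.

Added example for this thread: not HijackThis code, not something the poster
ran. Sample lines are copied from the log above; the regexes, the allow-list
and the thresholds are assumptions of mine.
"""
import re

# Constructed sample: a subset of the O4/O15/O23 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<domain>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,\s]+),(?P<export>[^\s,]*)', re.I)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}(?:\.exe)?$', re.I)
WINROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\"\s]+\.exe', re.I)
SHORT_PATH_RE = re.compile(r'~\d\\')

# Illustrative allow-list (assumption): system modules that Windows itself
# loads by bare name from a Run value. Extend it from a known-clean machine.
KNOWN_BARE_MODULES = {'bthprops.cpl'}


def triage_o4(name, cmd):
    """Return the reasons a Run entry deserves a closer look (empty if none)."""
    reasons = []
    low = cmd.lower()
    m = RUNDLL_RE.match(cmd)
    if m:
        dll, export = m.group('dll').lower(), m.group('export')
        # A bare DLL name is resolved through the loader search path; once the
        # file is removed, the surviving Run value produces the "specified
        # module could not be found" RunDLL error described in the post.
        if not re.match(r'^[a-z]:\\', dll) and dll not in KNOWN_BARE_MODULES:
            reasons.append('rundll32 loads a DLL by bare name: ' + dll)
        # Vendor entry points have descriptive names (NvStartup, NvTaskbarInit).
        if len(export) == 1:
            reasons.append('one-letter export name: ' + export)
    if HEX_NAME_RE.match(name):
        reasons.append('value name is eight hex digits (machine-generated)')
    if '\\application data\\' in low:
        reasons.append('runs from the user profile, not Program Files')
    if WINROOT_EXE_RE.match(cmd):
        reasons.append('executable placed directly in the Windows root')
    if SHORT_PATH_RE.search(cmd):
        reasons.append('8.3 short path (weak signal)')
    return reasons


def triage_log(text):
    """Scan O4/O15/O23 lines and return a list of {section, name, reason}."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            for r in triage_o4(m.group('name'), m.group('cmd')):
                findings.append({'section': 'O4', 'name': m.group('name'), 'reason': r})
            continue
        m = O15_RE.match(line)
        if m:
            # Trusted Zone additions are rare on a clean XP box; the HJT backups
            # in this thread show the adware adding its own ad domains there.
            findings.append({'section': 'O15', 'name': m.group('domain'),
                             'reason': 'domain added to IE Trusted Zone'})
            continue
        m = O23_RE.match(line)
        if m and ('(file missing)' in m.group('path') or m.group('owner') == 'Unknown owner'):
            findings.append({'section': 'O23', 'name': m.group('svc'),
                             'reason': 'service with missing file or unknown owner'})
    return findings


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print('{section:<4} {name:<45} {reason}'.format(**f))
```

Entries the heuristics leave alone (NVIDIA, QuickTime, Messenger, the Bluetooth agent) are the ones a helper would also skip; the rpcapd service is flagged only because its file is missing, which here is a stale WinPcap leftover rather than malware, so the O23 signal is informational.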


#2 popechild (Topic Starter, Member, 20 posts)
After reading other threads, I decided to download and run ComboFix. Here's the log file:


Matt - 06-09-06 15:42:28.26
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Matt\My Documents\Installation Files\Spyware Removal Programs\ComboFix

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Matt\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\system32\ixt1.dll
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{2490128B-08A2-1033-0207-061129050001}
C:\WINDOWS\Duce6.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-06 to 2006-09-06 ))))))))))))))))))))))))))))))))))


2006-09-06 09:24 711,883 ---hs---- C:\WINDOWS\system32\fgjlm.ini2
2006-09-06 00:33 215,308 --a------ C:\WINDOWS\Setup90.exe
2006-09-06 00:33 1,233 --a------ C:\WINDOWS\system32\hvd177af.sys
2006-09-05 15:52 706,618 ---hs---- C:\WINDOWS\system32\fgjlm.bak1
2006-09-05 15:52 692,276 ---hs---- C:\WINDOWS\system32\mljgf.dll
2006-09-05 15:52 131,092 --a------ C:\WINDOWS\system32\vopjioxu.exe
2006-09-05 15:47 5,120 --a------ C:\WINDOWS\system32\ismini.exe
2006-09-05 15:47 18,944 --a------ C:\WINDOWS\system32\winrvc32.dll
2006-09-05 08:52 78,848 --a------ C:\WINDOWS\system32\nsh1D.dll
2006-08-28 14:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-08-28 14:10 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-08-12 10:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-08-12 10:07 974,848 --a------ C:\WINDOWS\system32\MFC70.DLL
2006-08-12 10:07 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL
2006-08-12 10:07 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-08-12 10:07 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-08-12 10:07 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL
2006-08-12 10:07 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-08-12 10:07 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-08-12 10:07 54,784 --a------ C:\WINDOWS\system32\MSVCI70.DLL
2006-08-12 10:07 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-08-12 10:07 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-08-12 10:07 487,424 --a------ C:\WINDOWS\system32\MSVCP70.DLL
2006-08-12 10:07 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-08-12 10:07 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-08-12 10:07 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.DLL
2006-08-08 16:21 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-08-08 16:21 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2006-08-08 16:21 152,576 --a------ C:\WINDOWS\system32\irftp.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-06 15:43 -------- d-------- C:\Program Files\Common Files
2006-09-06 13:53 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-06 13:47 -------- d-------- C:\Program Files\Common Files\wmfm
2006-09-06 13:23 -------- d-------- C:\Program Files\Internet Explorer
2006-09-06 13:15 -------- d-------- C:\Program Files\Windows Defender
2006-09-06 13:09 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-06 03:17 -------- d-------- C:\Program Files\Ad-Aware
2006-09-06 02:40 -------- d-------- C:\Program Files\Symantec
2006-09-06 02:40 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-06 01:45 -------- d-------- C:\Documents and Settings\Matt\Application Data\Lavasoft
2006-09-06 01:32 -------- d-------- C:\Program Files\Bazooka Scanner
2006-09-05 15:52 4096 --a------ C:\WINDOWS\system32\drivers\MmedFilter.sys
2006-09-05 15:43 -------- d-------- C:\Program Files\VideoReDoPlus
2006-09-05 14:28 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-08-30 16:28 -------- d-------- C:\Program Files\iCoverArt
2006-08-30 09:15 -------- d-------- C:\Documents and Settings\Matt\Application Data\pe explorer
2006-08-30 09:14 -------- d-------- C:\Program Files\PE Explorer
2006-08-29 19:21 -------- d---s---- C:\Documents and Settings\Matt\Application Data\Microsoft
2006-08-28 19:44 -------- d-------- C:\Program Files\ObjectDock
2006-08-28 19:43 -------- d-------- C:\Program Files\Common Files\Stardock
2006-08-28 15:21 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-08-28 15:21 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-28 15:21 -------- d-------- C:\Program Files\Common Files\Designer
2006-08-28 15:20 -------- d-------- C:\Program Files\Common Files\System
2006-08-28 15:20 -------- d-------- C:\Documents and Settings\Matt\Application Data\Help
2006-08-28 15:19 -------- d-------- C:\Program Files\Microsoft Office
2006-08-28 15:11 -------- d-------- C:\Program Files\UnPacker
2006-08-28 14:10 -------- d-------- C:\Program Files\XviD
2006-08-26 15:26 -------- d-------- C:\Program Files\The Tournament Director 2
2006-08-24 17:55 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-24 17:47 -------- d-------- C:\Program Files\Pinnacle
2006-08-24 16:26 -------- d-------- C:\Program Files\PartyGaming.Net
2006-08-22 20:05 -------- d-------- C:\Program Files\DivX
2006-08-22 19:10 -------- d-------- C:\Program Files\SageTV XMLTV Importer
2006-08-22 15:09 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-22 14:21 -------- d-------- C:\Documents and Settings\Matt\Application Data\Mozilla
2006-08-21 10:45 -------- d-------- C:\Program Files\WMR11
2006-08-19 09:47 -------- d-------- C:\Program Files\PartyGaming
2006-08-15 10:46 -------- d-------- C:\Program Files\DirMon2
2006-08-15 10:42 -------- d-------- C:\Program Files\ComSkip
2006-08-12 13:19 -------- d-------- C:\Program Files\VirtualDub
2006-08-12 10:08 95 --a------ C:\AUTOEXEC.BAT
2006-08-10 09:26 -------- d-------- C:\Program Files\Gabest
2006-08-10 09:23 -------- d-------- C:\Program Files\Diskeeper Corporation
2006-08-10 09:23 -------- d-------- C:\Program Files\BroadJump
2006-08-10 09:22 -------- d-------- C:\Program Files\AviSynth 2.5
2006-08-08 17:06 -------- d-------- C:\Program Files\palmOne
2006-08-08 16:27 -------- d-------- C:\Documents and Settings\Matt\Application Data\Leadertech
2006-08-08 16:26 -------- d-------- C:\Documents and Settings\Matt\Application Data\HotSync
2006-08-08 15:29 -------- d-------- C:\Program Files\MozBackup
2006-08-08 15:16 -------- d-------- C:\Documents and Settings\Matt\Application Data\Talkback
2006-08-08 15:15 -------- d-------- C:\Documents and Settings\Matt\Application Data\Thunderbird
2006-08-07 21:41 -------- d-------- C:\Program Files\WinPcap
2006-08-04 20:40 -------- d-------- C:\Program Files\ShowAnalyzer
2006-08-04 08:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 08:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-07-26 19:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-25 13:44 -------- d-------- C:\Program Files\SageTV
2006-07-24 11:27 339 --a------ C:\Documents and Settings\Matt\Application Data\AutoGK.ini
2006-07-24 10:12 -------- d-------- C:\Program Files\DECCHECK
2006-07-21 09:41 -------- d-------- C:\Program Files\ImgBurn
2006-07-20 14:46 -------- d-------- C:\Program Files\NVIDIA Corporation
2006-07-18 18:26 -------- d-------- C:\Program Files\FLVPlayer
2006-07-18 18:07 -------- d-------- C:\Documents and Settings\Matt\Application Data\GeoVid
2006-07-18 18:02 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-07-13 17:18 -------- d-------- C:\Program Files\No-IP
2006-07-12 15:32 -------- d-------- C:\Program Files\Cleaner 5 EZ
2006-07-12 15:31 -------- d-------- C:\Program Files\Windows Media Components
2006-07-12 15:30 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-12 15:30 -------- d-------- C:\Program Files\Adobe
2006-07-12 14:49 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-07-12 14:49 -------- d-------- C:\Program Files\SnapStream Media
2006-07-12 14:20 -------- d-------- C:\Program Files\DivFix
2006-07-11 12:04 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-07-11 11:56 -------- d-------- C:\Documents and Settings\Matt\Application Data\Google
2006-07-03 14:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 14:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 14:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 14:40 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-21 03:49 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-21 03:43 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-21 03:42 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-21 03:42 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-21 03:34 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-21 03:34 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-21 03:34 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-21 03:34 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-21 03:34 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-21 03:33 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-21 03:33 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-20 12:58 62 --ahs---- C:\Documents and Settings\Matt\Application Data\desktop.ini
2006-06-20 12:16 875 --a------ C:\Documents and Settings\Matt\Application Data\AdobeDLM.log
2006-06-20 12:16 0 --a------ C:\Documents and Settings\Matt\Application Data\dm.ini
2006-06-20 08:49 0 -rahs---- C:\MSDOS.SYS
2006-06-20 08:49 0 -rahs---- C:\IO.SYS
2006-06-20 08:49 0 --a------ C:\CONFIG.SYS


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"hvd177af"="RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"84557daa.exe"="C:\\Documents and Settings\\Matt\\Local Settings\\Application Data\\84557daa.exe"
"wmfm"="C:\\PROGRA~1\\COMMON~1\\wmfm\\wmfmm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,f3,00,00,00,00,00,00,00,cd,03,00,00,86,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060906-112514-453
O15 - Trusted Zone: *.mmohsix.com
backup-20060906-112514-996
O15 - Trusted Zone: *.media-motor.net
backup-20060906-112514-216
O15 - Trusted Zone: *.elitemediagroup.net
backup-20060906-112349-670
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Defrag C.job
C:\WINDOWS\tasks\Defrag D.job
C:\WINDOWS\tasks\Defrag E.job
C:\WINDOWS\tasks\MovieTimes.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\SageTV XMLTV Import Task.job
C:\WINDOWS\tasks\UpdateListings-US.job

Completion time: Wed 09/06/2006 15:45:38.43
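
Correlating the ComboFix "Files Created" list with its Winlogon Notify entries, as an added example (not ComboFix code, and not something run in the thread). Three things in that log belong together: the two Notify subkeys mljgf and winrvc32 at the end of the registry section, the hidden+system files fgjlm.ini2 and fgjlm.bak1 whose stem is mljgf spelled backwards, and the creation minutes that place mljgf.dll, fgjlm.bak1 and vopjioxu.exe in the same drop and winrvc32.dll next to ismini.exe five minutes earlier. A Notify DLL is loaded by winlogon.exe at boot, before any on-demand scanner runs, which is the usual reason an infection like this re-seeds the Run keys after every reboot. The sample rows are copied from the log; the reversed-name check, the per-minute clustering, and the extra seed hvd177af.sys (named like the hvd177af Run value in the HJT log) are my own assumptions.

```python
"""Correlate ComboFix "Files Created" rows with Winlogon\\Notify registrations.

Added example for this thread, not ComboFix code. The rows and the two Notify
subkey names are copied from the ComboFix log above; the reversed-name check
and the clustering are heuristics of mine.
"""
import re
from collections import defaultdict

# Constructed sample: rows from the log's "Files Created" section.
FILES_CREATED = r"""
2006-09-06 09:24 711,883 ---hs---- C:\WINDOWS\system32\fgjlm.ini2
2006-09-06 00:33 215,308 --a------ C:\WINDOWS\Setup90.exe
2006-09-06 00:33 1,233 --a------ C:\WINDOWS\system32\hvd177af.sys
2006-09-05 15:52 706,618 ---hs---- C:\WINDOWS\system32\fgjlm.bak1
2006-09-05 15:52 692,276 ---hs---- C:\WINDOWS\system32\mljgf.dll
2006-09-05 15:52 131,092 --a------ C:\WINDOWS\system32\vopjioxu.exe
2006-09-05 15:47 5,120 --a------ C:\WINDOWS\system32\ismini.exe
2006-09-05 15:47 18,944 --a------ C:\WINDOWS\system32\winrvc32.dll
2006-09-05 08:52 78,848 --a------ C:\WINDOWS\system32\nsh1D.dll
2006-08-28 14:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-08-28 14:10 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
"""
# The two subkeys listed under winlogon\notify at the end of the log.
WINLOGON_NOTIFY = ['mljgf', 'winrvc32']

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+'
                     r'(?P<attrs>\S{9})\s+(?P<path>.+)$')


def parse_files(text):
    """Turn ComboFix rows into dicts with a parsed timestamp, size, attributes, path and basename."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path = m.group('path')
            rows.append({'ts': m.group('ts'), 'size': int(m.group('size').replace(',', '')),
                         'attrs': m.group('attrs'), 'path': path, 'name': path.rsplit('\\', 1)[-1]})
    return rows


def stem(name):
    return name.rsplit('.', 1)[0].lower()


def hidden_system(rows):
    """Files carrying both the hidden and system attributes: Windows uses that
    pair for a few boot files, not for DLLs written yesterday into system32."""
    return [r for r in rows if 'h' in r['attrs'] and 's' in r['attrs']]


def reversed_name_pairs(rows):
    """Pair each DLL with files whose stem is the DLL stem spelled backwards.
    Here mljgf.dll keeps its config and backup as fgjlm.ini2 / fgjlm.bak1, a
    naming trick that defeats a plain search for the DLL name."""
    by_stem = defaultdict(list)
    for r in rows:
        by_stem[stem(r['name'])].append(r['name'])
    pairs = []
    for r in rows:
        if r['name'].lower().endswith('.dll'):
            for other in by_stem.get(stem(r['name'])[::-1], []):
                pairs.append((r['name'], other))
    return sorted(pairs)


def notify_matches(rows, notify_names):
    """Map each Winlogon\\Notify subkey to the created file sharing its stem.
    Notify DLLs run inside winlogon.exe from boot, ahead of user-mode scanners,
    so the on-disk copy must go while the key is removed, not before a reboot."""
    by_stem = {stem(r['name']): r['path'] for r in rows}
    return {n: by_stem[n.lower()] for n in notify_names if n.lower() in by_stem}


def suspicious_clusters(rows, notify_names, extra=()):
    """Group files by creation minute and keep the minutes that contain a seed
    (hidden+system file, Notify DLL, or a caller-supplied name)."""
    seeds = {r['name'].lower() for r in hidden_system(rows)}
    seeds |= {p.rsplit('\\', 1)[-1].lower() for p in notify_matches(rows, notify_names).values()}
    seeds |= {e.lower() for e in extra}
    by_ts = defaultdict(list)
    for r in rows:
        by_ts[r['ts']].append(r['name'])
    return {ts: sorted(names) for ts, names in by_ts.items()
            if seeds & {n.lower() for n in names}}


if __name__ == '__main__':
    rows = parse_files(FILES_CREATED)
    print('reversed-name pairs:', reversed_name_pairs(rows))
    print('notify DLLs on disk:', notify_matches(rows, WINLOGON_NOTIFY))
    for ts, names in sorted(suspicious_clusters(rows, WINLOGON_NOTIFY, extra=['hvd177af.sys']).items()):
        print(ts, names)
```

The clustering is deliberately coarse (one-minute buckets) because that is the resolution ComboFix prints; it pulls in Setup90.exe and vopjioxu.exe, which none of the earlier scanners named, purely by proximity to files already known to be bad.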

#3 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Download the thirty day free trial of Kaspersky Anti-Virus from one of the locations here.
Download the manual for the program from one of the locations here.
  • Read the manual first!
  • Install the program.
  • Update it.
  • Run a full scan and allow KAV to delete everything it finds.
  • Post a report from KAV - the manual will explain how.
  • Also post a fresh HJT log.
  • Finally, run HJT and click on Open the Misc Tools section.
    In the next window, click on Open Uninstall Manager...
    In the final window, click on Save list... and save it to your Desktop.
    Copy and paste this file: uninstall_list.txt into your next reply.


#4 popechild (Topic Starter, Member, 20 posts)
Ran KAV. Found a bunch of stuff and seemed to complete successfully. Still getting the pop-ups.

KAV report:

Scan My Computer
----------------
Scanned: 248236
Detected: 66
Untreated: 0
Start time: 9/6/2006 7:34:55 PM
Duration: 01:01:25
Finish time: 9/6/2006 8:36:20 PM


Detected
--------
Status Object
------ ------
not found: Trojan program Trojan.Win32.Agent.vg Running module: winlogon.exe\winrvc32.dll
deleted: virus Packed.Win32.Klone.g File: C:\WINDOWS\SYSTEM32\WINRVC32.DLL/PE_Patch.PECompact/PecBundle/PECompact
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027797.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aiq File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027799.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aiq File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027800.dll
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027810.exe/PE_Patch.UPX/UPX
deleted: adware not-a-virus:AdWare.Win32.Agent.y File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027820.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027821.exe
deleted: Trojan program Trojan.Win32.VB.tg File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027825.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027831.exe
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027832.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027845.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0027846.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0028064.exe
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0028065.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0028087.exe
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0028089.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0028104.exe
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP155\A0028106.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Agent.aol File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028116.dll/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028118.exe
deleted: malware not-virus:Hoax.Win32.Renos.ds File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028120.dll/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028136.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028148.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028157.exe/PE_Patch.UPX/UPX
deleted: adware not-a-virus:AdWare.Win32.SurfSide.ay File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028174.exe/InpB/SskBho.dll
deleted: adware not-a-virus:AdWare.Win32.SurfSide.ay File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028174.exe/InpB/SskCore.dll
deleted: adware not-a-virus:AdWare.Win32.SurfSide.av File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028174.exe/InpB/Ssk.exe
deleted: adware not-a-virus:AdWare.Win32.SurfSide.az File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028174.exe/InpB/Ssk3RepairInstall.exe
deleted: adware not-a-virus:AdWare.Win32.SurfSide.ap File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028176.dll
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028181.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028196.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028202.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028231.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028248.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028270.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028280.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP156\A0028290.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.TSUpdate.f File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028316.exe/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028317.exe/PE_Patch.UPX/UPX
deleted: adware not-a-virus:AdWare.Win32.Agent.ag File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028318.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.y File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028319.exe
deleted: Trojan program Trojan-Downloader.Win32.TSUpdate.n File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028320.exe/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028325.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Small.buy File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028326.exe/UPX
deleted: Trojan program Trojan-Downloader.Win32.Small.cyh File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028327.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.awb File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028328.dll/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.TSUpdate.l File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028329.exe/UPX
deleted: Trojan program Trojan-Downloader.Win32.TSUpdate.r File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028330.exe/UPX
deleted: Trojan program Trojan.Win32.VB.tg File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028331.exe
deleted: Trojan program Trojan.Win32.VB.tg File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028332.exe
deleted: Trojan program Trojan.Win32.VB.tg File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028333.exe
deleted: adware not-a-virus:AdWare.Win32.MediaMotor.p File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028336.ocx
deleted: adware not-a-virus:AdWare.Win32.TrafficSol.c File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP159\A0028337.dll/PE_Patch.UPX/UPX
deleted: virus Packed.Win32.Klone.g File: C:\System Volume Information\_restore{C3C9BEB6-AFEB-4296-83AE-9A641B4EDBED}\RP168\A0028534.dll/PE_Patch.PECompact/PecBundle/PECompact
deleted: adware not-a-virus:AdWare.Win32.TrafficSol.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\08UT2GG5\ebo_1.0.3.9[1].exe/stream/data0001/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Small.buy File: C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\1GWVTXC1\104[1].net/stream/data0002/UPX
deleted: Trojan program Trojan-Downloader.Win32.TSUpdate.o File: C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\49U74LYB\103[1].net/stream/data0002/UPX
deleted: Trojan program Trojan-Downloader.Win32.VB.afa File: C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\OTIVKDI7\111[1].net/stream/data0002
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\VRTN3L8O\l11[1].exe/PE_Patch/UPack
deleted: Trojan program Trojan-Clicker.HTML.Agent.a File: C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\VRTN3L8O\popup[1].htm
deleted: Trojan program Trojan.Win32.VB.tg File: C:\WINDOWS\Setup90.exe/data0002
deleted: Trojan program Trojan.Win32.VB.tg File: C:\WINDOWS\Setup90.exe/data0005
deleted: Trojan program Trojan.Win32.VB.tg File: C:\WINDOWS\Setup90.exe/data0006
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\WINDOWS\system32\ishost.exe_tobedeleted
deleted: Trojan program Trojan-Downloader.Win32.Zlob.adt File: C:\WINDOWS\system32\ismini.exe


Events
------
Time Name Status Reason
---- ---- ------ ------
9/6/2006 5:39:56 PM Running module: smss.exe\smss.exe ok scanned
9/6/2006 5:40:00 PM File: C:\WINDOWS\System32\smss.exe ok scanned
9/6/2006 5:40:03 PM Running module: smss.exe\ntdll.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\ntdll.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\csrss.exe ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\csrss.exe ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\ntdll.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\ntdll.dll ok iSwift
9/6/2006 5:40:04 PM Running module: csrss.exe\CSRSRV.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\CSRSRV.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\basesrv.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\basesrv.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\winsrv.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\winsrv.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\GDI32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\GDI32.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\KERNEL32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\KERNEL32.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\USER32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\USER32.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\sxs.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\sxs.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\ADVAPI32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\ADVAPI32.dll ok scanned
9/6/2006 5:40:04 PM Running module: csrss.exe\RPCRT4.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\RPCRT4.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\winlogon.exe ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\winlogon.exe ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\ntdll.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\ntdll.dll ok iSwift
9/6/2006 5:40:04 PM Running module: winlogon.exe\kernel32.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\kernel32.dll ok iSwift
9/6/2006 5:40:04 PM Running module: winlogon.exe\ADVAPI32.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\ADVAPI32.dll ok iSwift
9/6/2006 5:40:04 PM Running module: winlogon.exe\RPCRT4.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\RPCRT4.dll ok iSwift
9/6/2006 5:40:04 PM Running module: winlogon.exe\AUTHZ.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\AUTHZ.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\msvcrt.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\msvcrt.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\CRYPT32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\CRYPT32.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\USER32.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\USER32.dll ok iSwift
9/6/2006 5:40:04 PM Running module: winlogon.exe\GDI32.dll ok iChecker
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\GDI32.dll ok iSwift
9/6/2006 5:40:04 PM Running module: winlogon.exe\MSASN1.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\MSASN1.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\NDdeApi.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\NDdeApi.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\PROFMAP.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\PROFMAP.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\NETAPI32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\NETAPI32.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\USERENV.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\USERENV.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\PSAPI.DLL ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\PSAPI.DLL ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\REGAPI.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\REGAPI.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\Secur32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\Secur32.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\SETUPAPI.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\SETUPAPI.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\VERSION.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\VERSION.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\WINSTA.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\WINSTA.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\WINTRUST.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\WINTRUST.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\IMAGEHLP.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\IMAGEHLP.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\WS2_32.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\WS2_32.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\WS2HELP.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\WS2HELP.dll ok scanned
9/6/2006 5:40:04 PM Running module: winlogon.exe\MSGINA.dll ok scanned
9/6/2006 5:40:04 PM File: C:\WINDOWS\system32\MSGINA.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\SHELL32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\SHELL32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\SHLWAPI.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\SHLWAPI.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\COMCTL32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\COMCTL32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\ODBC32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\ODBC32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\comdlg32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\comdlg32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\comctl32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\odbcint.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\odbcint.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\SHSVCS.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\SHSVCS.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\sfc.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\sfc.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\sfc_os.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\sfc_os.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\ole32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\ole32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\Apphelp.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\Apphelp.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WINSCARD.DLL ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WINSCARD.DLL ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WTSAPI32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WTSAPI32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\sxs.dll ok iChecker
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\sxs.dll ok iSwift
9/6/2006 5:40:05 PM Running module: winlogon.exe\uxtheme.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\uxtheme.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WINMM.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WINMM.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\rsaenh.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\rsaenh.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\cscdll.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\cscdll.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\klogon.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\klogon.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\OLEAUT32.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\OLEAUT32.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\mljgf.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\mljgf.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\SHFOLDER.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\SHFOLDER.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WININET.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WININET.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WlNotify.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WlNotify.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WINSPOOL.DRV ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WINSPOOL.DRV ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\MPR.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\MPR.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\WgaLogon.dll ok scanned
9/6/2006 5:40:05 PM File: C:\WINDOWS\system32\WgaLogon.dll ok scanned
9/6/2006 5:40:05 PM Running module: winlogon.exe\NTMARTA.DLL ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\NTMARTA.DLL ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\WLDAP32.dll ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\WLDAP32.dll ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\SAMLIB.dll ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\SAMLIB.dll ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\asycfilt.dll ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\asycfilt.dll ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\CLBCATQ.DLL ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\CLBCATQ.DLL ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\COMRes.dll ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\COMRes.dll ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\WINHTTP.dll ok scanned
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\WINHTTP.dll ok scanned
9/6/2006 5:40:06 PM Running module: winlogon.exe\winrvc32.dll detected Trojan program Trojan.Win32.Agent.vg
9/6/2006 5:40:06 PM Running module: winlogon.exe\winrvc32.dll not disinfected postponed
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\winrvc32.dll packed PE_Patch.PECompact
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\winrvc32.dll/PE_Patch.PECompact packed PecBundle
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\winrvc32.dll/PE_Patch.PECompact/PecBundle packed PECompact
9/6/2006 5:40:06 PM File: C:\WINDOWS\system32\winrvc32.dll/PE_Patch.PECompact/PecBundle/PECompact detected virus Packed.Win32.Klone.g
9/6/2006 7:23:59 PM File: C:\WINDOWS\system32\winrvc32.dll skipped processing stopped
9/6/2006 7:34:55 PM Running module: smss.exe\smss.exe ok iChecker
9/6/2006 7:34:55 PM File: C:\WINDOWS\System32\smss.exe ok iSwift
9/6/2006 7:34:56 PM Running module: smss.exe\ntdll.dll ok iChecker
9/6/2006 7:34:56 PM File: C:\WINDOWS\system32\ntdll.dll ok iSwift
9/6/2006 7:34:56 PM Running module: csrss.exe\csrss.exe ok iChecker
9/6/2006 7:34:56 PM File: C:\WINDOWS\system32\csrss.exe ok iSwift
9/6/2006 7:34:56 PM Running module: csrss.exe\ntdll.dll ok iChecker
9/6/2006 7:34:56 PM File: C:\WINDOWS\system32\ntdll.dll ok iSwift


Statistics
----------
Object                Scanned  Detected  Untreated  Deleted  Moved to Quarantine  Archived  Compressed  Password protected  Corrupted
------                -------  --------  ---------  -------  -------------------  --------  ----------  ------------------  ---------
Total                  248236        66         66        0                    0      2702         495                1685          0
System Memory            3495         2          2        0                    0         0           3                   0          0
Startup Objects          1885         0          0        0                    0         0           0                   0          0
System Restore           9110        53         53        0                    0        43          88                   0          0
Mailboxes                   2         0          0        0                    0         1           0                   0          0
All Hard Drives        216877        11         11        0                    0      2029         338                 424          0
All Removable Drives    16867         0          0        0                    0       629          66                1261          0


Settings
--------
Name                                       Value
----                                       -----
Security Level                             Recommended
Action                                     Prompt for action when the scan is complete
File types                                 All
Scan new and changed files only            No
Scan archives                              All
Scan embedded OLE objects                  All
Skip if object is greater than             No
Skip if scan takes longer than             No
Parse e-mail formats                       No
Scan password-protected archives           No
Enable iChecker technology                 Yes
Enable iSwift technology                   Yes
Show detected threats on "Detected" tab    Yes

#5 popechild (Member, Topic Starter, 20 posts)
Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:20:34 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe

#6 popechild (Member, Topic Starter, 20 posts)
I tried to copy the HJT Uninstall Manager list, but HJT at first was shutting down every time I clicked the "Save List..." button, and now it just doesn't seem to do anything when I click that button...

If it is saving the list somewhere, I don't know where to find it.

Thanks for your help...

#7 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Rename your copy of hijackthis.exe to search.exe and post a fresh log. It's possible that a nasty is interfering with the normal working of HJT in order to hide itself and renaming the .exe will get around this.
You should also be able to post the uninstall list now, as well.

#8 popechild (Member, Topic Starter, 20 posts)
Okay, ran HJT as search.exe:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:07 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\SageTV\SageTV\SageTV.exe
C:\HijackThis\search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsh1D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8C3DA128-A6FE-47B6-BAD9-1F7F05173B54} - C:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\mljhfgg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe

#9 popechild (Member, Topic Starter, 20 posts)
...and here's the uninstall list from HJT:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Premiere 6.0
Adobe Reader 7.0.8
Advanced RealMedia Export Plug-in for Premiere 6.0
ATI Decoder
Bazooka Scanner
Cleaner 5 EZ
DirMon2
DivX
DScaler 5 Mpeg Decoders
DVD Profiler Version 2.4.0
DVD Shrink 3.2
Enhanced Browser Overlay
ewido anti-spyware 4.0
FLV Player 1.3.3
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB912024)
ImgBurn (Remove Only)
iTunes
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.2_11
Kaspersky Anti-Virus 6.0
Lavasoft VX2 Cleaner
Logitech iTouch Software
Logitech MouseWare 9.75
Macromedia Flash Player 8
Maximized Software iCoverArt
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office 2000 SR-1 Standard
Microsoft Windows XP Video Decoder Checkup Utility
MozBackup 1.4.4
Mozilla Firefox (1.5)
Mozilla Thunderbird (1.5)
MPlayer
Nero7 Ultra Edition
No-IP.com DUC (remove only)
Norton PartitionMagic 8.0
NVIDIA Drivers
NVIDIA Media Center Extensions
NVIDIA PureVideo Decoder
ObjectDock
Orb
palmOne
PartyPoker
PartyPokerNet
PE Explorer 1.98 R3
QuickTime
Realtek High Definition Audio Driver
Safety Bar
SageTV
SageTV XMLTV Importer
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
ShowAnalyzer
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
The Tournament Director 2
TUGZip 3.4
UnPacker 1,3,2,1856
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoLAN VLC media player 0.8.5
VideoReDo/Plus Version 2-2-1-445
Windows Defender
Windows Defender Signatures
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB914548
WinMerge 2.4.8.0
WinPcap 3.1
WinZip
WM Recorder 11.0
XviD 1.1 final uninstall
  • 0

#10
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You've got a Vundo infection that was causing the HJT problem - you can see the extra O2 and O20 lines that have appeared in the second log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download VundoFix.exe by Atribune from here and save it to your desktop.
  • Close all open programs and windows as this may require a reboot.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Post the contents of C:\vundofix.txt and a new HiJackThis log.

  • 0
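The diagnosis above rests on reading the HijackThis log for a few tell-tale patterns (orphaned O2 and O20 entries, random-looking DLL names, autoruns in odd places). As an added example that is not part of this thread and not code from HijackThis or its author, the Python script below applies that kind of review to raw HJT lines and reports the entries a helper would want to look at. The sample lines are copied from the logs posted in this thread; the Winlogon Notify allowlist, the rule names and the heuristics themselves are assumptions made for the example.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (HJT section, reason, original line)

# Constructed allowlist of Winlogon Notify DLLs that are legitimate on this
# machine (Microsoft WGA notification and Kaspersky). Real triage keeps a
# much larger, maintained list; anything not on it is a review item.
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll", "klogon.dll"}

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_BODY = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_BODY = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_BODY = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
HEX_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)

# Sample entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8C3DA128-A6FE-47B6-BAD9-1F7F05173B54} - C:\WINDOWS\system32\mljgf.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
"""


def _basename(path: str) -> str:
    """Last component of a Windows path, with HJT's '(file missing)' tag and quotes removed."""
    cleaned = path.replace("(file missing)", "").strip().strip('"')
    return cleaned.split("\\")[-1]


def triage_hjt(log: str) -> List[Finding]:
    """Run the review rules over HijackThis output and return what deserves a second look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        missing = body.endswith("(file missing)")

        if section == "O2":
            bho = BHO_BODY.match(body)
            if bho is None:
                continue
            if missing:
                # CLSID still registered but the DLL is gone: typical leftover
                # after a removal tool deleted the file, so the registry entry
                # itself still needs fixing.
                findings.append((section, "BHO registered but DLL missing (stale entry)", line))
            elif bho.group("name") == "(no name)" and "\\system32\\" in bho.group("path").lower():
                findings.append((section, "unnamed BHO loading from system32 (verify)", line))

        elif section == "O4":
            run = RUN_BODY.match(body)
            if run is None:
                continue
            cmd = run.group("cmd")
            if cmd.lower().startswith("rundll32"):
                # rundll32 <dll>,<entry>: a DLL named without a directory is
                # located through the loader search path, not a fixed place.
                args = cmd.split(None, 1)
                dll = args[1].split(",", 1)[0] if len(args) > 1 else ""
                if dll and "\\" not in dll:
                    findings.append((section, "rundll32 loads a DLL by bare name (no path)", line))
            elif "\\local settings\\application data\\" in cmd.lower() and HEX_EXE.match(_basename(cmd)):
                findings.append((section, "hex-named autorun executable under user profile", line))

        elif section == "O15":
            # Anything in the Trusted Zone gets IE's relaxed security settings.
            findings.append((section, "domain added to IE Trusted Zone", line))

        elif section == "O20":
            notify = NOTIFY_BODY.match(body)
            if notify is None:
                continue
            dll = _basename(notify.group("path")).lower()
            if missing:
                findings.append((section, "Winlogon Notify DLL missing (stale entry)", line))
            elif dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append((section, "Winlogon Notify DLL not on allowlist (runs inside winlogon)", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run as-is it reports six entries: the stale mljgf BHO, the two suspicious O4 autoruns, the Trusted Zone entry, and the two O20 Winlogon Notify lines, while leaving the Spybot SDHelper "(no name)" BHO and the NVIDIA rundll32 entry alone. The bare-name rundll32 rule is a review trigger, not a verdict: it would also fire on the legitimate bthprops.cpl Bluetooth entry in the full log, which is why a helper reads the flagged lines rather than fixing everything a script lists.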

#11
popechild

    Member

  • Topic Starter
  • Member
  • 20 posts
Interesting. I had already run this early on after I couldn't get Ad-Aware to run without shutting down. Ran it again now and found a bunch of stuff. Here's the log from the beginning, which shows the earlier run, and another one just done recently that shows no infections, then the most recent run:


VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:05:42 AM 9/6/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljhfgg.dll
C:\WINDOWS\system32\opnlkkh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljhfgg.dll
C:\WINDOWS\system32\mljhfgg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opnlkkh.dll
C:\WINDOWS\system32\opnlkkh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:09:17 AM 9/6/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljhfgg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljhfgg.dll
C:\WINDOWS\system32\mljhfgg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:13:39 AM 9/6/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.7

Scan started at 5:21:48 PM 9/6/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.4

Checking Java version...

Java version is 1.5.0.7

Scan started at 1:55:33 PM 9/7/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljgf.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgjlm.tmp
C:\WINDOWS\system32\fgjlm.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.4

Checking Java version...

Java version is 1.5.0.7

Scan started at 2:00:52 PM 9/7/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljgf.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljgf.dll Has been deleted!

Performing Repairs to the registry.
Done!
  • 0

#12
popechild

    Member

  • Topic Starter
  • Member
  • 20 posts
The HJT log run using search.exe:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:33 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsh1D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8C3DA128-A6FE-47B6-BAD9-1F7F05173B54} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\mljhfgg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe
  • 0

#13
popechild

    Member

  • Topic Starter
  • Member
  • 20 posts
...and using HijackThis.exe:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:30 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsh1D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8C3DA128-A6FE-47B6-BAD9-1F7F05173B54} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\mljhfgg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe
  • 0

#14
Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido anti-spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating Ewido: below.

* Please note that these instructions are for the new version - Ewido anti-spyware. If you have the old version - Ewido anti-malware and it is the:
  • paid-for version - you will need to go here and obtain an updated license code before you upgrade.
  • free version - you will need to uninstall it and reboot before installing the new version.
Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
  • Updating Ewido:

    By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it is up-to-date, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either Ewido will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close Ewido anti-spyware.

Ewido anti-spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to know how to boot into Safe Mode.
Instructions can be found here.

3) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {8C3DA128-A6FE-47B6-BAD9-1F7F05173B54} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {8C3DA128-A6FE-47B6-BAD9-1F7F05173B54} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\mljhfgg.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [hvd177af] RUNDLL32.EXE w0396490.dll,n 004177ab000000020396490
O4 - HKCU\..\Run: [84557daa.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe
O4 - HKCU\..\Run: [wmfm] C:\PROGRA~1\COMMON~1\wmfm\wmfmm.exe

O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido anti-spyware.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that Ewido has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When Ewido has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\ewido anti-spyware 4.0\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close Ewido Anti-Spyware.

7) Remove any/all of the following files/folders that you can find:

Files

C:\Documents and Settings\Matt\Local Settings\Application Data\84557daa.exe

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Files

w0396490.dll

Click on Start,
Click on Search
Click on 'All files and folders'
In the 'All or part of the file name:' textbox, enter the above file name(s) and click on Search
Right click on any entries that are found and from the menu that appears, click on Delete


Folders

C:\PROGRA~1\COMMON~1\wmfm

* The tilde (~) in either a file or folder name indicates that this name is longer than six characters and these have been replaced by the tilde for brevity, e.g. C:\PROGRA~1 = C:\Program Files
The first file, or folder, that uses these first six letters gets the suffix ~1, the next ~2 and so on.

As an example:
To delete C:\WINDOWS\system32\foldertogo
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on foldertogo and from the menu that appears, click on 'Delete'


8) Boot into Normal Mode.

Post a new HJT log, the Ewido log AND a description of how your PC is running.
  • 0
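To illustrate the tilde naming explained in step 7 of the removal instructions, here is an added Python example; it is not part of the thread and not code from any tool mentioned in it. It implements the Windows 8.3 short-name rule as an assumption: a name that does not already fit the 8.3 form, or that contains spaces, is reduced to its first six usable characters plus ~1, ~2 and so on in creation order, and that rule is then used to expand a short path such as C:\PROGRA~1\COMMON~1\wmfm against a constructed directory listing. The hashed aliases NTFS uses after the fourth collision are deliberately not modelled.

```python
from typing import Dict, List, Tuple

# Characters not allowed in an 8.3 short name (spaces are dropped as well).
_ILLEGAL = set('"*+,/:;<=>?[]|\\')

# Constructed directory listing, in creation order, standing in for the
# machine in this thread. Keys are directories, values the entries inside.
SAMPLE_LISTING: Dict[str, List[str]] = {
    "C:": ["Documents and Settings", "Program Files", "WINDOWS"],
    "C:\\Program Files": ["Common Files", "Common Tools", "ewido anti-spyware 4.0"],
    "C:\\Program Files\\Common Files": ["Ahead", "wmfm"],
}


def _split(name: str) -> Tuple[str, str]:
    """Split on the last dot into (base, extension); no dot gives an empty extension."""
    if "." in name:
        base, ext = name.rsplit(".", 1)
        return base, ext
    return name, ""


def _fits_83(name: str) -> bool:
    """True when the name is already a valid 8.3 name and needs no alias."""
    base, ext = _split(name)
    clean = all(c != " " and c not in _ILLEGAL for c in name)
    return clean and "." not in base and 1 <= len(base) <= 8 and len(ext) <= 3


def _stem(name: str) -> Tuple[str, str]:
    """Six-character stem and three-character extension, upper-cased, with
    spaces, extra dots and illegal characters removed."""
    base, ext = _split(name)

    def clean(s: str) -> str:
        return "".join(c for c in s.upper() if c not in _ILLEGAL and c not in " .")

    return clean(base)[:6], clean(ext)[:3]


def short_name_for(long_name: str, earlier_names: List[str]) -> str:
    """8.3 alias Windows would assign to long_name, given the names created before it.

    Assumption (see lead-in): stem + '~N', where N is one more than the number
    of earlier names in the same directory that produced the same stem and
    extension. Names that already fit 8.3 are simply upper-cased.
    """
    if _fits_83(long_name):
        return long_name.upper()
    stem, ext = _stem(long_name)
    collisions = sum(
        1 for e in earlier_names if not _fits_83(e) and _stem(e) == (stem, ext)
    )
    short = f"{stem}~{collisions + 1}"
    return f"{short}.{ext}" if ext else short


def resolve_short_path(short_path: str, listing: Dict[str, List[str]]) -> str:
    """Expand each tilde component of short_path using the listing (creation order matters)."""
    drive, _, rest = short_path.partition("\\")
    resolved = drive
    for component in rest.split("\\"):
        if not component:
            continue
        entries = listing.get(resolved, [])
        match = None
        for i, entry in enumerate(entries):
            # Accept either the generated alias or the long name typed directly.
            if component.upper() in (short_name_for(entry, entries[:i]), entry.upper()):
                match = entry
                break
        if match is None:
            raise ValueError(f"cannot resolve {component!r} inside {resolved}")
        resolved = f"{resolved}\\{match}"
    return resolved


if __name__ == "__main__":
    print(resolve_short_path(r"C:\PROGRA~1\COMMON~1\wmfm", SAMPLE_LISTING))
```

The point for anyone reading a log is that ~1 versus ~2 depends on which folder was created first, so C:\PROGRA~1\COMMON~1 expands to C:\Program Files\Common Files only because Common Files predates Common Tools in this listing; on a real machine the same short path has to be checked against the actual directory rather than assumed.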

#15
popechild

    Member

  • Topic Starter
  • Member
  • 20 posts
<posting this from another computer, since I'm not sure if I'm supposed to re-connect to the internet yet>

Computer seems to be running okay now, from what I can tell not connected to the internet. The DLL error didn't pop up when I rebooted out of safe mode, which is good news! Let me know if I should reconnect and report back the status after that...

Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:38:17 PM 9/7/2006

+ Scan result:



HKU\S-1-5-21-1614895754-1364589140-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\matt@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\matt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\matt@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\matt@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end
  • 0





