Not sure of infection there are so many.... [RESOLVED]


This topic is locked

#1 hmerritt (Member, 12 posts)
I realized something was wrong when all of a sudden I saw that there was an installation going on right before my eyes. I closed them all down, but it was too late. At first screens kept popping up all over the place, pages rerouting, and my computer is horribly slow. After weeding through the muck to get to this site, I downloaded AVG and was horrified when I saw over 75 infections. This has always been a backup computer, but one that my 5-year-old has recently started using to get online to play. I have run every piece of software suggested in the "Do this first" post. Some find infections that others don't, then others will find them again; I'll think they're gone just to reboot and see they are still there. So here is my HJT log that I just ran after doing every suggestion in that post. Thank you in advance for any help! After this is fixed, I need to figure out how my 5-year-old can safely surf without fear of reinfection, so any suggestions would be helpful.

Heather


Logfile of HijackThis v1.99.1
Scan saved at 12:54:25 PM, on 9/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Documents and Settings\Owner\My Documents\Internet Downloads\HijackThis.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe
C:\Program Files\Common Files\a?sembly\r?ndll.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R3 - URLSearchHook: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,iwwegfg.exe
O2 - BHO: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [sys02350696394] C:\WINNT\sys02350696394.exe
O4 - HKLM\..\Run: [gjdnvx] C:\WINNT\System32\hryvva.exe reg_run
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [srg250f8] RUNDLL32.EXE w69fabfb.dll,n 004250f40000000369fabfb
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [dgkow] C:\WINNT\System32\hryvva.exe reg_run
O4 - HKCU\..\Run: [Xamwjhs] C:\Program Files\Common Files\a?sembly\r?ndll.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\mwintpex.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LastQUIT v1.2.lnk = C:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157666235546
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...8.39/ttinst.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.side...00719/sb027.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\u8ru0i99e8.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBServer.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\hfwbytj.exe (file missing)
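The log above is the kind of thing a helper triages by eye: orphaned references marked "(file missing)", an extra executable chained to UserInit, an AppInit_DLLs hook, sites pushed into the Trusted Zone, a "wuauclt.exe" living outside System32, paths with "?" where HijackThis could not print a lookalike character, and random-looking names dropped straight into C:\WINNT. The script below is an added example, not part of the post and not anything HijackThis itself computes: it encodes those traits as checks and runs them over a constructed subset of the posted entries. The vowel-ratio and digit-ratio name test, the known-system-binary allowlist, and the "masquerade" set are this example's own assumptions.

```python
"""
HijackThis log triage: flag entries showing the traits shared by the hostile
entries in the log above.  Added example; SAMPLE_LOG is a constructed subset of
the posted log, and the heuristics are assumptions of this example, not HJT's.
"""
import re

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,iwwegfg.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [gjdnvx] C:\WINNT\System32\hryvva.exe reg_run
O4 - HKLM\..\Run: [sys02350696394] C:\WINNT\sys02350696394.exe
O4 - HKLM\..\Run: [srg250f8] RUNDLL32.EXE w69fabfb.dll,n 004250f40000000369fabfb
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xamwjhs] C:\Program Files\Common Files\a?sembly\r?ndll.exe
O15 - Trusted Zone: *.media-motor.net
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\u8ru0i99e8.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\hfwbytj.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                       # "O4 - <body>"
FILE_RE = re.compile(r"[\w?~.-]+\.(?:exe|dll|sys|ocx)\b", re.I)     # every binary name in a line
WINDIR_ROOT_RE = re.compile(r"\\WIN(?:NT|DOWS)\\([^\\\s]+\.exe)\b", re.I)
LOOKALIKE_RE = re.compile(r"\\[^\\\s]*\?")   # '?' is how HJT printed a non-ASCII char in a path
# Assumed allowlist of names that legitimately fail the random-name test or live in the Windows root.
KNOWN_SYSTEM = {"explorer.exe", "rundll32.exe", "userinit.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "smss.exe", "spoolsv.exe", "winlogon.exe", "wuauclt.exe"}
# Assumed set of system binary names that malware likes to borrow; real ones live in System32.
MASQUERADE = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
VOWELS = set("aeiou")


def looks_random(filename: str) -> bool:
    """Heuristic for generated names such as hryvva.exe or u8ru0i99e8.dll:
    almost no vowels, or heavy on digits.  A hint to review, not a verdict."""
    stem = re.sub(r"\.[a-z0-9]+$", "", filename.lower())
    if len(stem) < 5:
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in stem) / len(stem)
    return vowel_ratio < 0.2 or digit_ratio > 0.4


def triage(log_text: str):
    """Return [(kind, body, [reasons])] for every entry that trips at least one check."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # process list, headers, blank lines
        kind, body = m.groups()
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("referenced file missing (orphaned entry or self-hiding component)")
        if kind == "F2" and "UserInit=" in body:
            extra = [t.strip() for t in body.split("UserInit=", 1)[1].split(",")
                     if t.strip().lower() != "userinit.exe"]
            if extra:
                reasons.append("extra executable chained to UserInit: " + ", ".join(extra))
        if kind == "O20":
            reasons.append("AppInit_DLLs / Winlogon Notify hook loads into every process or logon")
        if kind == "O15":
            reasons.append("site added to the Trusted Zone (relaxed IE security)")
        if kind == "O18" and "(no CLSID)" in body:
            reasons.append("text/html MIME filter registered with no CLSID")
        if LOOKALIKE_RE.search(body):
            reasons.append("non-ASCII character in path (lookalike folder name)")
        root = WINDIR_ROOT_RE.search(body)
        if root and root.group(1).lower() not in KNOWN_SYSTEM:
            reasons.append("executable dropped directly into the Windows folder")
        for fname in FILE_RE.findall(body):
            low = fname.lower()
            if low in MASQUERADE and "\\system32\\" not in body.lower():
                reasons.append(f"system binary name outside System32: {fname}")
            elif low not in KNOWN_SYSTEM and looks_random(low):
                reasons.append(f"random-looking file name: {fname}")
        if reasons:
            findings.append((kind, body, reasons))
    return findings


if __name__ == "__main__":
    for kind, body, reasons in triage(SAMPLE_LOG):
        print(f"{kind}: {body}")
        for r in reasons:
            print(f"    - {r}")
```

On the sample, the Spybot BHO, the Intel tray entry and the AVG service come back clean while the other twelve entries are flagged with at least one reason; the "[Ltho]" entry is caught purely because a wuauclt.exe sits under Common Files rather than System32, which is the same reasoning a human reviewer applies. The name test is deliberately weak on its own (a bare "svchost" would trip it without the allowlist), which is why the output is a review list rather than a deletion list.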


#2 Rawe (Visiting Staff, 4,746 posts)
Welcome aboard; let's get started with the cleaning.

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#3 hmerritt (Topic Starter, 12 posts)
Thank you so much for replying so quickly! Sorry it took me so long to get back to you with this log from ComboFix; it is taking me foreeeeeevvvvveeeerrrrr to do anything. I am so angry right now, I could just chunk it out the window! lol~

Here's the Combo Fix log you asked for!

Owner - 06-09-08 17:25:26.31
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Owner\My Documents\Internet Downloads

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{1511E458-1D89-41CE-930B-E898DD9F8980}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1511E458-1D89-41CE-930B-E898DD9F8980}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1511E458-1D89-41CE-930B-E898DD9F8980}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1511E458-1D89-41CE-930B-E898DD9F8980}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6CBE63AC-B11A-4E7F-A78A-26867751A158}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6CBE63AC-B11A-4E7F-A78A-26867751A158}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6CBE63AC-B11A-4E7F-A78A-26867751A158}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6CBE63AC-B11A-4E7F-A78A-26867751A158}\InprocServer32]
@="C:\\WINNT\\system32\\ddnaddr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AD0E8ECF-BAA5-49D0-BDFC-332747BC20D2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD0E8ECF-BAA5-49D0-BDFC-332747BC20D2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD0E8ECF-BAA5-49D0-BDFC-332747BC20D2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD0E8ECF-BAA5-49D0-BDFC-332747BC20D2}\InprocServer32]
@="C:\\WINNT\\system32\\ep.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-07 10:35 326 fmfdm.dll.qoo
06-09-07 08:19 53 epnlco.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\Duce6.exe
C:\deskbar3.exe
C:\WINNT\system32\wtssvtr.exe
C:\WINNT\uninstall_nmon.vbs
C:\WINNT\system32\atmtd.dll.tmp
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\Program Files\Deskbar
C:\Program Files\PSLister

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\MCROSO~1
C:\QooBox\Purity\Documents and Settings\Owner\Application Data\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\ASEMBL~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\ASEMBL~1\r?ndll.exe
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\F?nts
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\wuauclt.exe
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\F?nts\dohinst-103.0000


((((((((((((((((((((((((((((((( Files Created from 2006-08-08 to 2006-09-08 ))))))))))))))))))))))))))))))))))


2006-09-08 08:05 127,208 --a------ C:\WINNT\system32\mucltui.dll
2006-09-07 10:52 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2006-09-07 10:52 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2006-09-07 10:12 923 --a------ C:\WINNT\system32\winpfg32.sys
2006-09-07 08:25 1,233 --a------ C:\WINNT\system32\srg250f8.sys
2006-09-07 08:23 186,223 --a------ C:\WINNT\srvqxidzec.exe
2006-09-07 08:17 163,840 --a------ C:\WINNT\sys02350696394.exe
2006-09-07 08:15 215,308 --a------ C:\WINNT\srvijzkyre.exe
2006-09-07 08:13 267,228 --a------ C:\WINNT\popupwithcast.exe
2006-09-07 08:12 115,160 --a------ C:\WINNT\Eim03.exe
2006-08-14 19:52 78,848 --a------ C:\WINNT\system32\nsi957.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-08 17:27 -------- d-------- C:\Program Files\Common Files
2006-09-08 16:25 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-08 13:15 -------- d-------- C:\Program Files\Zone Labs
2006-09-08 07:48 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-08 07:48 -------- d-------- C:\Program Files\Messenger
2006-09-08 07:48 -------- d-------- C:\Program Files\Internet Explorer
2006-09-08 07:48 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-08 06:44 -------- d-------- C:\Program Files\UpromiseRemindU
2006-09-08 06:40 -------- d-------- C:\Program Files\Windows Media Player
2006-09-08 06:40 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-08 06:40 -------- d-------- C:\Program Files\Common Files\uiuo
2006-09-07 18:36 -------- d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2006-09-07 16:37 -------- d-------- C:\Program Files\CleanUp!
2006-09-07 10:58 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-09-07 10:52 4992 --a------ C:\WINNT\system32\drivers\avgtdi.sys
2006-09-07 10:52 23424 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-09-07 10:51 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-07 10:51 4288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-09-07 10:51 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-09-07 10:48 -------- d-------- C:\Program Files\Grisoft
2006-09-07 10:41 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-09-07 10:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-07 08:42 -------- d-------- C:\Program Files\Lavasoft
2006-09-07 08:42 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-07 08:19 517 --a------ C:\Program Files\Common Files\wole
2006-09-07 08:15 -------- d-------- C:\Program Files\popupwithcast
2006-09-07 08:12 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-08-31 10:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-04 11:07 -------- d-------- C:\Program Files\20th Century Fox Home Video


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"GWMDMpi"="C:\\WINNT\\GWMDMpi.exe"
"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"FLMK08KB"="C:\\Program Files\\Muiltmedia keyboard utility\\1.3\\MMKEYBD.EXE"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.1\\MOUSE32A.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"septpop06apsept"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"sys02350696394"="C:\\WINNT\\sys02350696394.exe"
"srg250f8"="RUNDLL32.EXE w69fabfb.dll,n 004250f40000000369fabfb"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PlaxoUpdate"="C:\\WINNT\\Plaxo\\2.8.1.2\\PlaxoHelper.exe -a"
"PPWebCap"="C:\\Program Files\\ScanSoft\\PaperPort\\PPWebCap.exe"
"Ltho"="\"C:\\PROGRA~1\\COMMON~1\\SMANTE~1\\wuauclt.exe\" -vt yazb"
"Xamwjhs"="C:\\Program Files\\Common Files\\a?sembly\\r?ndll.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\ISP signup reminder 1.job
C:\WINNT\tasks\ISP signup reminder 2.job
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Fri 09/08/2006 21:15:58.01
ComboFix.txt

#4 Rawe (Visiting Staff, 4,746 posts)
Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\WINNT\system32\winpfg32.sys
C:\WINNT\system32\srg250f8.sys
C:\WINNT\srvqxidzec.exe
C:\WINNT\sys02350696394.exe
C:\WINNT\srvijzkyre.exe
C:\WINNT\popupwithcast.exe
C:\WINNT\Eim03.exe
C:\WINNT\system32\nsi957.dl
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINNT\system32\BattyRun2.dll

Folders to delete:
C:\Program Files\Common Files\wole
C:\Program Files\popupwithcast

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to the notepad file into this window
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • Restarts your computer.
  • On reboot, it briefly opens a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply.

#5 hmerritt (Topic Starter, 12 posts)
THANK YOU!! I've done what you asked and here are the logs you asked to see.....

Heather


The log from Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pvtwyrpy

*******************

Script file located at: \??\C:\fgtvujmf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\winpfg32.sys deleted successfully.
File C:\WINNT\system32\srg250f8.sys deleted successfully.
File C:\WINNT\srvqxidzec.exe deleted successfully.
File C:\WINNT\sys02350696394.exe deleted successfully.
File C:\WINNT\srvijzkyre.exe deleted successfully.
File C:\WINNT\popupwithcast.exe deleted successfully.
File C:\WINNT\Eim03.exe deleted successfully.


File C:\WINNT\system32\nsi957.dl not found!
Deletion of file C:\WINNT\system32\nsi957.dl failed!

Could not process line:
C:\WINNT\system32\nsi957.dl
Status: 0xc0000034

File C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe deleted successfully.
File C:\Program Files\Common Files\Yazzle1281OinAdmin.exe deleted successfully.


File C:\WINNT\system32\BattyRun2.dll not found!
Deletion of file C:\WINNT\system32\BattyRun2.dll failed!

Could not process line:
C:\WINNT\system32\BattyRun2.dll
Status: 0xc0000034



Error: C:\Program Files\Common Files\wole is not a folder! It may instead be a file.
Deletion of folder C:\Program Files\Common Files\wole failed!

Could not process line:
C:\Program Files\Common Files\wole
Status: 0xc0000103

Folder C:\Program Files\popupwithcast deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.



The log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:13 PM, on 9/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Internet Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R3 - URLSearchHook: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [sys02350696394] C:\WINNT\sys02350696394.exe
O4 - HKLM\..\Run: [srg250f8] RUNDLL32.EXE w69fabfb.dll,n 004250f40000000369fabfb
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xamwjhs] C:\Program Files\Common Files\a?sembly\r?ndll.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\mwintpex.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LastQUIT v1.2.lnk = C:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157666235546
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...8.39/ttinst.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.side...00719/sb027.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBServer.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\hfwbytj.exe (file missing)

#6
Rawe
    Visiting Staff

Go ahead and delete Avenger.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


----

Please run a scan with HijackThis once in Safe Mode, and check the following objects for removal:

R3 - URLSearchHook: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [sys02350696394] C:\WINNT\sys02350696394.exe
O4 - HKLM\..\Run: [srg250f8] RUNDLL32.EXE w69fabfb.dll,n 004250f40000000369fabfb
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\mwintpex.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.side...00719/sb027.cab
O18 - Filter: text/html - (no CLSID) - (no file)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

----

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
rem Stop the rogue service, then remove its registration. Its binary
rem (C:\WINNT\hfwbytj.exe) is already gone, so only the service entry is left.
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"


Double-click on Removeservice.bat. A window will pop up and close. This is normal.

----
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results as well as a fresh HijackThis log.


#7
hmerritt
    Member (Topic Starter)

Thank you again- I don't know what we would all do without the help of people like you!


Here is the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:55:26 AM 9/11/2006

+ Scan result:



C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065511.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065523.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065524.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065537.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065525.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065514.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065520.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065521.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065522.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP654\A0065200.exe -> Downloader.Adload.fg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065501.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065502.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065503.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065498.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065497.exe -> Downloader.TSUpdate.p : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065496.exe -> Downloader.VB.amb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065495.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065499.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP655\A0065500.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end




Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:12 PM, on 9/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Documents and Settings\Owner\My Documents\Internet Downloads\HijackThis.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xamwjhs] C:\Program Files\Common Files\a?sembly\r?ndll.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LastQUIT v1.2.lnk = C:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157666235546
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...8.39/ttinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBServer.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8
hmerritt
    Member (Topic Starter)

Just deleting a duplicate post....

Edited by hmerritt, 11 September 2006 - 11:24 AM.


#9
Rawe
    Visiting Staff

Let's continue.

Let's run an online scan...

Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
----

Next, let's also check the following:

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply along with the F-Secure results.


#10
hmerritt
    Member (Topic Starter)

Just an FYI- my computer just shut down prior to running GMER- all on its own. Are you seeing that there is still anything on it?

I keep getting an error message from the F-Secure online scanner- I get it right after it's downloaded and right before it scans. It says "An error has occurred! Please close the scanner and your browser, then try again. (Id:24)" Please let me know how to proceed.


This is the log copied from GMER:


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-12 11:34:07
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [FCB0485A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [FCB0485A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [FCB0485A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [FCB0485A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [FCB0485A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F3C982A0] vsdatant.sys

---- EOF - GMER 1.0.10 ----

Edited by hmerritt, 12 September 2006 - 11:13 AM.


#11
Rawe
    Visiting Staff

Let's run this online scanner instead... Your GMER log looks fine.

Please run BitDefender Online Scanner:
  • Read the terms and then click I Agree
  • You may receive a Security Warning about the BitDefender ActiveX control, If you do, please allow it to install.
  • On the Scanning Options screen, hit Click Here To Scan and then follow the on screen prompts.
  • Once BitDefender is finished scanning your computer it will automatically remove the infections.
  • Once the removal process is finished click the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender.
  • You do not have to do this but what you do want to do is press the button that says View Log and copy & paste that log's contents here.

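Why Rawe can call the GMER log in post #10 "fine": every SSDT hook and every TDI IRP hook it lists is owned by vsdatant.sys (ZoneAlarm's TrueVector driver) or avgtdi.sys (AVG's network filter), both security products that the HijackThis log shows installed on this machine. Kernel hooks are only a concern when no installed product explains them. The script below is an added example, not part of the thread and not GMER's own code: it attributes each hook in GMER's "Rootkit" output to the driver that installed it and reports any driver not on an allowlist, listing first those that hook the native services a rootkit would use to hide files, processes or registry keys. The allowlist is the two drivers from this thread and is an assumption for any other machine; the sample input is constructed from a few lines of the log above plus one made-up driver name (hypothetical_hider.sys) so that an unattributed hook appears in the output.

```python
"""Attribute kernel hooks in a GMER 'Rootkit' scan to the driver owning them."""
import re
from collections import defaultdict

# Drivers of products installed on the machine in this thread (ZoneAlarm, AVG).
# Assumption for any other host: rebuild this from that host's installed software.
KNOWN_HOOKING_DRIVERS = {
    "vsdatant.sys": "Zone Labs TrueVector (ZoneAlarm firewall)",
    "avgtdi.sys": "AVG TDI network filter",
}

# Native services a stealth rootkit hooks to hide files, processes and keys.
HIDING_SERVICES = {
    "ZwQueryDirectoryFile", "ZwQuerySystemInformation",
    "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey",
}

# 'SSDT <module path> <ZwService>'
SSDT_RE = re.compile(r"^SSDT\s+(?P<path>\S+)\s+(?P<service>Zw\w+)$")
# 'Device \Driver\X \Device\Y IRP_MJ_... [ADDR] module.sys'
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+"
    r"(?P<irp>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$"
)

# Constructed sample: lines modelled on the thread's GMER log, plus one
# hypothetical driver (hypothetical_hider.sys) that is NOT in the thread.
SAMPLE_GMER = r"""
GMER 1.0.10.10122 - http://www.gmer.net
---- System - GMER 1.0.10 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \??\C:\WINNT\System32\drivers\hypothetical_hider.sys ZwQueryDirectoryFile
SSDT \??\C:\WINNT\System32\drivers\hypothetical_hider.sys ZwQuerySystemInformation
---- Devices - GMER 1.0.10 ----
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F3C982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [FCB0485A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F3C982A0] vsdatant.sys
---- EOF - GMER 1.0.10 ----
"""


def attribute_hooks(gmer_text):
    """Return {module: {"ssdt": [services], "irp": [(device, irp)], "product": str|None}}."""
    hooks = defaultdict(lambda: {"ssdt": [], "irp": [], "product": None})
    for raw in gmer_text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            module = m.group("path").rsplit("\\", 1)[-1].lower()
            hooks[module]["ssdt"].append(m.group("service"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            module = m.group("module").lower()
            hooks[module]["irp"].append((m.group("device"), m.group("irp")))
    for module, info in hooks.items():
        info["product"] = KNOWN_HOOKING_DRIVERS.get(module)
    return dict(hooks)


def unattributed(hooks):
    """Modules no known product explains; those hooking a hiding service sort first."""
    unknown = [m for m, info in hooks.items() if info["product"] is None]
    return sorted(unknown,
                  key=lambda m: (not (set(hooks[m]["ssdt"]) & HIDING_SERVICES), m))


def verdict(hooks):
    """One-line summary in the spirit of the helper's 'looks fine'."""
    bad = unattributed(hooks)
    if not bad:
        return "looks fine: every hook belongs to an installed security product"
    return "investigate: " + "; ".join(
        f"{m} hooks {', '.join(hooks[m]['ssdt']) or 'TDI IRPs only'}" for m in bad)


if __name__ == "__main__":
    result = attribute_hooks(SAMPLE_GMER)
    for module, info in result.items():
        print(f"{module}: {info['product'] or 'UNKNOWN'}; "
              f"{len(info['ssdt'])} SSDT hooks, {len(info['irp'])} IRP hooks")
    print(verdict(result))
```

Paste a full GMER log into attribute_hooks() to get the per-driver breakdown; a module that is not in the allowlist is not automatically malicious (another firewall or AV would also land there), but it is the one to identify before anything else.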

#12
hmerritt

hmerritt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I think I must just have bad luck with online scanners. I did run that one and it took hours, I followed the directions, but it would not ever print out a log for me to copy and paste. I kept clicking on the link and it never went anywhere- I'm a little worried because I know it deleted a lot. It looked like a lot of backup files, emails, and restore. Should I be worried?

thanks so much-

Heather

#13
Rawe
    Visiting Staff

Doesn't sound that worrying. Restore would mean System Restore, which will eventually be cleaned up anyway once we get your system clean, and backup files aren't anything to be worried about, most likely just Avenger's deletions or other scanners' quarantine stuff.

Run a scan with HijackThis and check the following objects for removal if present:

O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xamwjhs] C:\Program Files\Common Files\a?sembly\r?ndll.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Let's check for further info...

Please download WinPFind2 © OldTimer.
  • Unzip the files to their own folder, like C:\WinPFind2.
  • Double-click WinPFind2.exe to run the program.
  • Click Select All in the File Options menu under Configuration tab.
  • Click Run all Scans.
  • When the scan is ready, you'll see Scans Complete! message lower left.
  • Click Export to Text.
  • Notepad will open and the log is created in the folder where the tool was unzipped (C:\WinPFind2\WinPFind2.txt)
  • Post back with the log along with a fresh HijackThis log. You may need to post multiple replies to get it all posted, so it doesn't get cut off.

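The two HijackThis fix lists in this thread (post #6 and post #13) come down to a handful of checks: an entry whose file is gone ("(file missing)" or "(no file)"), a site added to the IE Trusted Zone, a service registered for a binary that no longer exists, random-looking filenames such as jbhnlvwt.dll or sys02350696394.exe, a copy of wuauclt.exe launched from outside System32, and a path that HijackThis prints with "?" in place of non-printable characters. The script below is an added example, not part of the thread and not HijackThis's own code: it applies those checks to HijackThis-format lines and suggests an action for each hit. The sample log is constructed from entries quoted above. The vowel-less/digit-heavy filename rule is my own heuristic and can trip on legitimate OEM binaries (the GWMDMMSG.exe modem helper in this log would match it), so those hits are marked "review" rather than "fix". For an O23 service with a missing file it emits the same sc stop / sc delete pair as the Removeservice.bat step; sc wants the service key name, which HijackThis shows in parentheses when it differs from the display name. Orphaned entries left behind by an uninstall (the InterBase services in this log) trip the same missing-file rule, so a person still makes the final call.

```python
"""Triage of a HijackThis v1.99 log using the tells applied in this thread."""
import re

# Windows binaries that legitimately run only from %SystemRoot%\System32;
# the same name anywhere else is a masquerade (cf. the [Ltho] entry above).
SYSTEM32_ONLY = {
    "wuauclt.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
    "csrss.exe", "services.exe", "smss.exe", "spoolsv.exe",
}

SECTION_RE = re.compile(r"^[ROF]\d+ - ")
# First drive-letter path on the line, up to an executable-type extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|scr)\b", re.I)
# 'O23 - Service: Display Name (KeyName) - Owner - path [(file missing)]'
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))? - (?P<owner>.+?) - "
)

# Constructed sample, modelled on entries quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {3233AC64-6EAC-6B73-F3DF-6143B067A0EF} - C:\WINNT\System32\jbhnlvwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [sys02350696394] C:\WINNT\sys02350696394.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SMANTE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xamwjhs] C:\Program Files\Common Files\a?sembly\r?ndll.exe
O15 - Trusted Zone: *.media-motor.net
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\hfwbytj.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


def looks_random(stem):
    """Heuristic (mine, not HijackThis's): 7+ letters with no vowel, or 8+
    digits, is the shape of the generated names in this log. Legitimate OEM
    names can match too, so callers treat a hit as 'review', not 'fix'."""
    letters = [c for c in stem.lower() if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    return digits >= 8 or (len(letters) >= 7 and not (set(letters) & set("aeiou")))


def triage(log_text):
    """Return one finding per suspicious line: section, severity, reasons, action."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not SECTION_RE.match(line):      # skip header and process list
            continue
        section = line.split(" ", 1)[0]
        reasons, severity = [], "review"
        missing = "(file missing)" in line or "(no file)" in line
        if missing:
            reasons.append("references a file that no longer exists")
            severity = "fix"
        if section == "O15":
            reasons.append("site added to the IE Trusted Zone (relaxed ActiveX/script prompts)")
            severity = "fix"
        m = PATH_RE.search(line)
        if m:
            path = m.group(0)
            base = path.rsplit("\\", 1)[-1]
            if "?" in path:
                reasons.append("path contains non-printable characters (shown as '?')")
                severity = "fix"
            if base.lower() in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
                reasons.append(f"{base} started from outside System32 (name masquerade)")
                severity = "fix"
            if looks_random(base.rsplit(".", 1)[0]):
                reasons.append(f"random-looking filename {base}")
        if not reasons:
            continue
        action = "check the entry in HijackThis and use Fix checked"
        svc = SERVICE_RE.match(line)
        if svc and missing:
            name = svc.group("key") or svc.group("display")   # sc wants the key name
            action = f'sc stop "{name}" && sc delete "{name}"'
        findings.append({"line": line, "section": section, "severity": severity,
                         "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['line']}")
        print("    " + "; ".join(f["reasons"]) + "\n    -> " + f["action"])
```

Run it as a script to see the findings for the sample, or call triage() on the text of a saved log. Entries with no drive-letter path (the RUNDLL32 line in the first log, for instance) are not examined by the filename rules, which is one more reason the output is a shortlist for a reader, not a fix list to apply blindly.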

#14
hmerritt

hmerritt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Good News!! I was so worried. Thanks for your help! My daughter keeps asking if she can go on Barbie.com and I'm like, not anytime soon, I'm still making the computer better 5 days later! lol~

Here is the log from WinPFind2:
There wasn't just an "Export This" key- the options were for a simple or expanded report. This is the simple report. If you'd have preferred the expanded, just let me know and I will re-scan.

WinPFind2 by OldTimer - Version 1.0.8 Folder = C:\winpfind2\WinPFind2\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)


< Processes (Non-Microsoft Only) >
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgcc.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgemc.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe - (GRISOFT, s.r.o. )
c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
c:\program files\browser mouse\browser mouse\1.1\mouse32a.exe - ( )
c:\program files\microsoft office\office\osa.exe - ( )
c:\winnt\plaxo\2.8.1.2\plaxohelper.exe - (Plaxo, Inc. )
c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
c:\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKCU->Internet Explorer\\SearchURL - http://home.microsof...obby/search.asp
HKLM->Main\\Start Page - http://www.gateway.net
HKLM->Main\\Search Page - http://ie.search.msn.com
HKLM->Main\\Default_Page_URL - http://www.gateway.net
HKLM->Main\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://www.yahoo.com/
HKCU->Main\\Search Page - http://ie.search.msn.com
HKCU->Main\\Default_Search_URL - http://ie.search.msn.com
HKCU->Main\\Local Page - C:\WINNT\System32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn...st/srchasst.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

[>> BHO's <<]
{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll ( )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINNT\System32\Shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
ShellBrowser\\{B195B3B3-8A05-11D3-97A4-0004ACA6948E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{7FD44536-9DF0-4034-939F-5BD4D98E3187} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{B195B3B3-8A05-11D3-97A4-0004ACA6948E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

[HKCU-> Internet Explorer CmdMapping]
{16BF42FD-CA0A-4f48-819D-B0343254DD67} - 8195 - Reg Data missing or invalid
{3E230861-5C87-11D3-A1C6-00105A1B41B8} - 8198 - Reg Data missing or invalid
{85d1f590-48f4-11d9-9669-0800200c9a66} - 8199 - Uninstall BitDefender Online Scanner v8
{92D7F210-7F20-11d3-8157-0090278B20DE} - 8196 - Reg Data missing or invalid
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8193 -
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} - 8194 -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8197 - Messenger
NextId - 8200

[HKLM-> Internet Explorer Extensions]
{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid (File not found))
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - ButtonText: Real.com = (File not found))
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} - ButtonText: MoneySide = (File not found))
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\MSMSGS.EXE (Microsoft Corporation )

[HKLM-> Internet Explorer Plugins]
.spop - = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc. )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{02040CD1-EF11-11D5-BC3F-0003473F5BF0} - HotShell Shell Extension = C:\Program Files\Common Files\efax\hotshell.dll (eFax.com )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc. )
{955B7B84-5308-419c-8ED8-0B9CA3C56985} - America Online Included = C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll (America Online, Inc. )
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ( )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - HotShellExt - {02040CD1-EF11-11D5-BC3F-0003473F5BF0} = C:\Program Files\Common Files\efax\hotshell.dll (eFax.com )
* - TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ( )
Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Directory - TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ( )
Directory\Background - igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINNT\System32\igfxpph.dll (Intel Corporation )
Folder - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
Folder - TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ( )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> Registry Run Keys <<]
HKLM->Run\\AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o. )
HKLM->Run\\FLMK08KB - C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE ( )
HKLM->Run\\GWMDMMSG - GWMDMMSG.exe (GTW )
HKLM->Run\\GWMDMpi - C:\WINNT\GWMDMpi.exe ( )
HKLM->Run\\HotKeysCmds - C:\WINNT\System32\hkcmd.exe (Intel Corporation )
HKLM->Run\\IgfxTray - C:\WINNT\System32\igfxtray.exe (Intel Corporation )
HKLM->Run\\Ink Monitor - C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe (BillP Studios )
HKLM->Run\\KernelFaultCheck - %systemroot%\system32\dumprep 0 -k (File not found))
HKLM->Run\\LWBMOUSE - C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE ( )
HKLM->Run\\NeroCheck - C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->Run\\RealTray - C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc. )
HKLM->Run\\REGSHAVE - C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN (FUJI PHOTO FILM CO., LTD. )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\THGuard - "C:\Program Files\TrojanHunter 4.6\THGuard.exe" (Mischel Internet Security )
HKLM->Run\\Zone Labs Client - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\MSMSGS - "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation )
HKCU->Run\\PlaxoUpdate - C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe -a (Plaxo, Inc. )
HKCU->Run\\PPWebCap - C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe (Scansoft Inc. )

[>> Startup Lnks <<]
HKLM->Common Startup - desktop.ini - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( )
HKLM->Common Startup - EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE (SEIKO EPSON CORPORATION )
HKLM->Common Startup - Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD. )
HKLM->Common Startup - LastQUIT v1.2.lnk - C:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE (Longshot Productions )
HKLM->Common Startup - Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE ( )
HKCU->Startup - desktop.ini - C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - PowerReg SchedulerV2.exe - C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe ( )

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]
sv1 -

[>> AppInit DLLs <<]

[>> Image File Execution Options <<]
Your Image File Name Here without a path - Debugger = ntsd -d

[>> Shell Service Object Delay Load <<]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[>> Shell Execute Hooks <<]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[>> Shared Task Scheduler <<]

[>> Winlogon <<]
UserInit - c:\winnt\system32\userinit.exe, (Microsoft Corporation )
Shell - explorer.exe (Microsoft Corporation )
System - (File not found))
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )
Notify\wzcnotif - wzcdlg.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{2B381EE5-5F28-4054-966F-820FB1008551} - (Motorola SURFboard SB5100 USB Cable Modem)
{85B523F0-3F83-49BD-9B28-3C61E22CABD0} - (Intel® PRO/100 VE Network Connection)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))
vnd.ms.radio - C:\WINNT\System32\msdxm.ocx ( )

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
AVG7 Alert Manager Server (Avg7Alrt) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
AVG7 Update Service (Avg7UpdSvc) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
AVG E-mail Scanner (AVGEMS) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
EPSON Printer Status Agent2 (EPSONStatusAgent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION ) [Automatic - Running - Win32, running in it's own process]
ewido anti-spyware 4.0 guard (ewido anti-spyware 4.0 guard) - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]

< Files >

%SystemDrive%
C:\ComboFix.txt - qoologic ( [Ver = | Size = 10996 bytes | Date = 09/08/2006 21:16 | Attr = ])

%ProgramFilesDir%

%WinDir%
C:\WINNT\eFaxview.exe - aspack (eFax.com [Ver = 2.0.12.0 | Size = 505360 bytes | Date = 01/31/2003 02:09 | Attr = ])
C:\WINNT\LASTQUIT.INI - PTech ( [Ver = | Size = 4036 bytes | Date = 09/11/2006 12:48 | Attr = ])

%System%
C:\WINNT\SYSTEM32\dfrg.msc - PEC2 ( [Ver = | Size = 41397 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\jsdvwsdk.dll - aspack (eFax.com [Ver = 2.0.12.0 | Size = 881152 bytes | Date = 01/31/2003 02:09 | Attr = ])
C:\WINNT\SYSTEM32\nsi957.dll - UPX! ( [Ver = 1, 66, 0, 0 | Size = 78848 bytes | Date = 08/14/2006 19:52 | Attr = ])
C:\WINNT\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\rasdlg.dll - Umonitor (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 631808 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 08/29/2002 08:00 | Attr = ])

%System%\Drivers folder and sub-folders
C:\WINNT\SYSTEM32\drivers\avg7core.sys - UPX! (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 09/07/2006 10:51 | Attr = ])
C:\WINNT\SYSTEM32\drivers\avg7core.sys - FSG! (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 09/07/2006 10:51 | Attr = ])
C:\WINNT\SYSTEM32\drivers\avg7core.sys - PEC2 (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 09/07/2006 10:51 | Attr = ])
C:\WINNT\SYSTEM32\drivers\avg7core.sys - aspack (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 09/07/2006 10:51 | Attr = ])

%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINNT\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 09/12/2006 11:07 | Attr = S])
C:\WINNT\QTFont.qfn - ( [Ver = | Size = 54156 bytes | Date = 08/24/2006 09:24 | Attr = H ])
C:\WINNT\inf\oem86.inf - ( [Ver = | Size = 0 bytes | Date = 09/08/2006 08:05 | Attr = H ])
C:\WINNT\LastGood\INF\oem87.inf - ( [Ver = | Size = 0 bytes | Date = 09/12/2006 14:29 | Attr = H ])
C:\WINNT\LastGood\INF\oem87.PNF - ( [Ver = | Size = 0 bytes | Date = 09/12/2006 14:29 | Attr = H ])
C:\WINNT\system32\vsconfig.xml - ( [Ver = | Size = 48882 bytes | Date = 09/12/2006 11:11 | Attr = H ])
C:\WINNT\system32\zllictbl.dat - ( [Ver = | Size = 4212 bytes | Date = 09/08/2006 15:44 | Attr = H ])
C:\WINNT\system32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/12/2006 14:24 | Attr = H ])
C:\WINNT\system32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/13/2006 05:23 | Attr = H ])
C:\WINNT\system32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/13/2006 05:21 | Attr = H ])
C:\WINNT\system32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/13/2006 05:38 | Attr = H ])
C:\WINNT\system32\config\system.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/13/2006 05:21 | Attr = H ])
C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\2f2a2041-8022-4dad-8be8-eb94a200e793 - ( [Ver = | Size = 388 bytes | Date = 07/25/2006 08:20 | Attr = HS])
C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred - ( [Ver = | Size = 24 bytes | Date = 07/25/2006 08:20 | Attr = HS])
C:\WINNT\Tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 09/12/2006 11:07 | Attr = H ])
CPL files -
C:\WINNT\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 66048 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 578560 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 129024 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 150016 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\igfxcpl.cpl - (Intel Corporation [Ver = 3.0.0.2209 | Size = 94208 bytes | Date = 07/10/2003 03:20 | Attr = ])
C:\WINNT\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2800.1106 (xpsp1.020828-1920) | Size = 292352 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 121856 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 65536 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 5.0.30.7 | Size = 49265 bytes | Date = 04/13/2005 02:48 | Attr = ])
C:\WINNT\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 559616 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.7713.0 | Size = 36864 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\plugincpl131_02.cpl - (Sun Microsystems [Ver = 1, 3, 1, 2 | Size = 45148 bytes | Date = 11/26/2001 21:24 | Attr = ])
C:\WINNT\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 109056 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\prefscpl.cpl - (RealNetworks, Inc. [Ver = 6.0.9.573 | Size = 24576 bytes | Date = 11/26/2002 11:01 | Attr = ])
C:\WINNT\SYSTEM32\PROSetp.cpl - (Intel Corporation [Ver = 5.3.42.0 | Size = 770048 bytes | Date = 04/18/2002 19:30 | Attr = ])
C:\WINNT\SYSTEM32\QuickTime.cpl - (Apple Computer, Inc. [Ver = 5.0.2 | Size = 287232 bytes | Date = 12/12/2001 11:05 | Attr = ])
C:\WINNT\SYSTEM32\scmgrcpl.cpl - (Caere Corporation [Ver = 3, 0, 1, 64 | Size = 89600 bytes | Date = 04/30/1998 16:13 | Attr = ])
C:\WINNT\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 268288 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 03:16 | Attr = ])
C:\WINNT\SYSTEM32\DIBACKUP\DIRECTX\joy.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 65536 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 66048 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 578560 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 129024 bytes | Date = 08/29/2002 03:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 150016 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2800.1106 (xpsp1.020828-1920) | Size = 292352 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 121856 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\joy.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 65536 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 559616 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.7713.0 | Size = 36864 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 109056 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\sapi.cpl - (Microsoft Corporation [Ver = 5.1.4111.00 (xpsp1.020828-1920) | Size = 147456 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 268288 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Date = 08/29/2002 08:00 | Attr = ])
C:\WINNT\SYSTEM32\ReinstallBackups\0006\DriverFiles\igfxcpl.cpl - (Intel Corporation [Ver = 3,0,0,1607 | Size = 94208 bytes | Date = 05/14/2002 21:24 | Attr = ])

AllUsers Startup Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 09/03/2002 13:34 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk - ( [Ver = | Size = 881 bytes | Date = 12/28/2002 16:05 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk - ( [Ver = | Size = 551 bytes | Date = 02/25/2004 13:52 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LastQUIT v1.2.lnk - ( [Ver = | Size = 1842 bytes | Date = 01/14/2003 09:41 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk - ( [Ver = | Size = 736 bytes | Date = 12/29/2002 20:45 | Attr = ])

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 09/03/2002 13:23 | Attr = HS])

CurrentUser Startup Folder
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 09/03/2002 13:34 | Attr = HS])
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe - ( [Ver = 2, 0, 0, 1 | Size = 256000 bytes | Date = 12/28/2002 16:08 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Owner\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 09/03/2002 13:23 | Attr = HS])
C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 134776 bytes | Date = 07/17/2003 17:04 | Attr = ])

DPF files
{02BED220-FBC7-4392-93A2-3A50B056F78E} - - CodeBase = http://down.plaxo.co...ease/instub.cab
{26CBF141-7D0F-46E1-AA06-718958B6E4D2} - - CodeBase = http://download.ebay.../US/install.cab
{33564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...922/wmv9VCM.CAB
{41F17733-B041-4099-A042-B518BB6A408C} - - CodeBase = http://a1540.g.akama...meInstaller.exe
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitd...can8/oscan8.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.micros...b?1157666235546
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9D190AE6-C81E-4039-8061-978EBAD10073} - F-Secure Online Scanner 3.0 - CodeBase = http://support.f-sec.../ols3/fscax.cab
{A8683C98-5341-421B-B23C-8514C05354F1} - FujifilmUploader Class - CodeBase = http://www.samsphoto...ploadClient.cab
{C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - Toontown Installer ActiveX Control - CodeBase = http://a.download.to...8.39/ttinst.cab
{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - Java Plug-in 1.3.1_02 - CodeBase = http://java.sun.com/...-131_02-win.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.ma...ent/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries. C:\WINNT\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

< End of report >


Here is the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:16 AM, on 9/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Internet Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LastQUIT v1.2.lnk = C:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157666235546
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...8.39/ttinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBServer.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#15
Rawe (Visiting Staff, Member, 4,746 posts)
Delete the following file:

C:\WINNT\SYSTEM32\nsi957.dll

Empty recycle bin.. Let me know if you have problems deleting it.

Next, surf to: www.virustotal.com

Paste the following filepath to the empty field next to the "Browse" button and hit "Send":

C:\WINNT\SYSTEM32\jsdvwsdk.dll

Then be patient, it might take a while. Once the scanners have scanned it, copy & paste the results here.
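Rawe's pick above (pull the packed DLL that has no publisher string and appeared shortly before the trouble; send the packed-but-vouched-for DLL to VirusTotal for a second opinion) can be written down as a small triage pass over the report's "%System%" lines. The Python below is an added example, not part of the thread or of any tool used in it; the scoring weights, verdict thresholds and 60-day window are constructed assumptions, and the sample lines are copied from the report above.

```python
"""Triage the '< Files >' section of the startup report posted in this thread.

Each line has the shape
  <path> - <signature tag> (<company> [Ver = .. | Size = N bytes | Date = MM/DD/YYYY HH:MM | Attr = ..])
Added example with constructed heuristics; not the scanner's own logic.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<path>.+?) - (?P<tag>\S+) \((?P<company>.*?)\s*\[Ver =\s*(?P<ver>.*?)\s*\| "
    r"Size = (?P<size>\d+) bytes \| Date = (?P<date>\d\d/\d\d/\d{4} \d\d:\d\d) \| "
    r"Attr =\s*(?P<attr>.*?)\]\)$"
)

# Runtime-packer tags the report's signature pass emits. PEC2 and WSUD also show
# up on stock Microsoft binaries, so a packer hit on its own is only a weak signal.
PACKERS = {"UPX!", "aspack", "FSG!", "PEC2"}

# Reference date: the HijackThis scan in this thread is dated 9/13/2006.
REPORT_DATE = datetime(2006, 9, 13)


def parse_line(line):
    """Return the fields of one report line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["date"] = datetime.strptime(d["date"], "%m/%d/%Y %H:%M")
    d["company"] = d["company"].strip()
    d["attr"] = d["attr"].strip()
    return d


def score(entry, report_date=REPORT_DATE, recent_days=60):
    """Constructed weights: packed +1, no publisher +2, modified in the last N days +2."""
    points, reasons = 0, []
    if entry["tag"] in PACKERS:
        points += 1
        reasons.append("packed:" + entry["tag"])
    if not entry["company"]:
        points += 2
        reasons.append("no-publisher")
    age = (report_date - entry["date"]).days
    if 0 <= age <= recent_days:
        points += 2
        reasons.append("recent:%dd" % age)
    return points, reasons


def verdict(points, reasons):
    """delete-candidate: packed, anonymous and new; scan: packed but otherwise vouched for."""
    if points >= 4:
        return "delete-candidate"
    if any(r.startswith("packed:") for r in reasons):
        return "scan"
    return "ignore"


def triage(lines, report_date=REPORT_DATE):
    """Map each parseable path to (verdict, score, reasons); unparseable lines are skipped."""
    out = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        pts, why = score(e, report_date)
        out[e["path"]] = (verdict(pts, why), pts, why)
    return out


# Sample input: lines copied from the %System% section of the report above.
SAMPLE = [
    r"C:\WINNT\SYSTEM32\dfrg.msc - PEC2 ( [Ver = | Size = 41397 bytes | Date = 08/29/2002 08:00 | Attr = ])",
    r"C:\WINNT\SYSTEM32\jsdvwsdk.dll - aspack (eFax.com [Ver = 2.0.12.0 | Size = 881152 bytes | Date = 01/31/2003 02:09 | Attr = ])",
    r"C:\WINNT\SYSTEM32\nsi957.dll - UPX! ( [Ver = 1, 66, 0, 0 | Size = 78848 bytes | Date = 08/14/2006 19:52 | Attr = ])",
    r"C:\WINNT\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08/29/2002 08:00 | Attr = ])",
    r"C:\WINNT\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 08/29/2002 08:00 | Attr = ])",
]

if __name__ == "__main__":
    for path, (v, pts, why) in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1][1]):
        print("%-18s %d  %-40s %s" % (v, pts, ",".join(why), path))
```

A "scan" verdict on a stock Microsoft file such as dfrg.msc is expected noise from the packer tag; the heuristic is a sorting aid for the helper, not a replacement for the second-opinion scan.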