
Winantivirus help! [RESOLVED]



#1 civicvteck (Member, 13 posts)
Help, I have this WinAntiVirus on my computer and I can't make it stop. Pop-ups are coming up all the time now.

I tried VundoFix, and I am not sure if what I am doing is even working. I tried to restore to an earlier point, but it won't let me!

I need serious help PLEASE!


#2 civicvteck (Topic Starter, 13 posts)
OK, so I used VundoFix.exe in combination with VirtumundoBeGone, and it says that it's no longer on my computer. So that's one step forward. But I still get all these pop-ups! :whistling:

#3 civicvteck (Topic Starter, 13 posts)
Logfile of HijackThis v1.99.1
Scan saved at 11:47:02 PM, on 9/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\thiselt.exe
C:\windows\system32\oldsregl.exe
C:\WINDOWS\sys028888536212.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lwinmpes.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Cyrus Abdollahi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.physicsforums.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B04D533-726F-6228-81B8-03D2B582C08E} - C:\WINDOWS\system32\cmmob.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsi207.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\fisaasqf.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bmrhggj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bmrhggj.dll,pydqnvc
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [{2D-D4-47-72-ZN}] C:\windows\system32\oldsregl.exe ELT001
O4 - HKLM\..\Run: [sys028888536212] C:\WINDOWS\sys028888536212.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwinmpes.exe ELT001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwinmpes.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159494503562
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q3lydXMgQWJkb2xsYWhp\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

#4 civicvteck (Topic Starter, 13 posts)
[09/28/2006, 23:21:18] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cyrus Abdollahi\Desktop\VirtumundoBeGone.exe" )
[09/28/2006, 23:21:23] - Detected System Information:
[09/28/2006, 23:21:23] - Windows Version: 5.1.2600, Service Pack 2
[09/28/2006, 23:21:23] - Current Username: Cyrus Abdollahi (Admin)
[09/28/2006, 23:21:23] - Windows is in NORMAL mode.
[09/28/2006, 23:21:23] - Searching for Browser Helper Objects:
[09/28/2006, 23:21:23] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:21:23] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:21:23] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:21:23] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:21:23] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:21:23] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:21:23] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:21:23] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:21:23] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:21:23] - BHO 7: {C7A2C426-DEC6-47A9-8E62-66712051A348} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\jkhhh
[09/28/2006, 23:21:23] - Found: HKLM\...\Winlogon\Notify\jkhhh - This is probably Virtumundo.
[09/28/2006, 23:21:23] - Assigning {C7A2C426-DEC6-47A9-8E62-66712051A348} MSEvents Object
[09/28/2006, 23:21:23] - BHO list has been changed! Starting over...
[09/28/2006, 23:21:23] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:21:23] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:21:23] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:21:23] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:21:23] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:21:23] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:21:23] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:21:23] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:21:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:23] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:21:23] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:21:23] - BHO 7: {C7A2C426-DEC6-47A9-8E62-66712051A348} (MSEvents Object)
[09/28/2006, 23:21:23] - ALERT: Found MSEvents Object!
[09/28/2006, 23:21:23] - Finished Searching Browser Helper Objects
[09/28/2006, 23:21:23] - *** Detected MSEvents Object
[09/28/2006, 23:21:23] - Trying to remove MSEvents Object...
[09/28/2006, 23:21:24] - Terminating Process: IEXPLORE.EXE
[09/28/2006, 23:21:24] - Terminating Process: RUNDLL32.EXE
[09/28/2006, 23:21:24] - Disabling Automatic Shell Restart
[09/28/2006, 23:21:25] - Terminating Process: EXPLORER.EXE
[09/28/2006, 23:21:25] - Suspending the NT Session Manager System Service
[09/28/2006, 23:21:25] - Terminating Windows NT Logon/Logoff Manager
[09/28/2006, 23:21:26] - Re-enabling Automatic Shell Restart
[09/28/2006, 23:21:26] - File to disable: C:\WINDOWS\system32\jkhhh.dll
[09/28/2006, 23:21:26] - Renaming C:\WINDOWS\system32\jkhhh.dll -> C:\WINDOWS\system32\jkhhh.dll.vir
[09/28/2006, 23:21:26] - File successfully renamed!
[09/28/2006, 23:21:26] - Removing HKLM\...\Browser Helper Objects\{C7A2C426-DEC6-47A9-8E62-66712051A348}
[09/28/2006, 23:21:26] - Removing HKCR\CLSID\{C7A2C426-DEC6-47A9-8E62-66712051A348}
[09/28/2006, 23:21:26] - Adding Kill Bit for ActiveX for GUID: {C7A2C426-DEC6-47A9-8E62-66712051A348}
[09/28/2006, 23:21:26] - Deleting ATLEvents/MSEvents Registry entries
[09/28/2006, 23:21:26] - Removing HKLM\...\Winlogon\Notify\jkhhh
[09/28/2006, 23:21:26] - Searching for Browser Helper Objects:
[09/28/2006, 23:21:26] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:21:26] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:21:26] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:21:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:26] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:21:26] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:21:26] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:21:26] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:21:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:26] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:21:26] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:21:26] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:21:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:21:26] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:21:26] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:21:26] - Finished Searching Browser Helper Objects
[09/28/2006, 23:21:26] - Finishing up...
[09/28/2006, 23:21:26] - A restart is needed.
[09/28/2006, 23:21:26] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[09/28/2006, 23:21:34] - Attempting to Restart via STOP error (Blue Screen!)

[09/28/2006, 23:30:57] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cyrus Abdollahi\Desktop\VirtumundoBeGone.exe" )
[09/28/2006, 23:30:58] - Detected System Information:
[09/28/2006, 23:30:58] - Windows Version: 5.1.2600, Service Pack 2
[09/28/2006, 23:30:58] - Current Username: Cyrus Abdollahi (Admin)
[09/28/2006, 23:30:58] - Windows is in NORMAL mode.
[09/28/2006, 23:30:58] - Searching for Browser Helper Objects:
[09/28/2006, 23:30:58] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:30:58] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:30:58] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:30:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:30:58] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:30:58] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:30:58] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:30:58] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:30:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:30:58] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:30:58] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:30:58] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:30:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:30:58] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:30:58] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:30:58] - Finished Searching Browser Helper Objects
[09/28/2006, 23:30:58] - Finishing up...
[09/28/2006, 23:30:58] - Nothing found! Exiting...

[09/28/2006, 23:31:13] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cyrus Abdollahi\Desktop\VirtumundoBeGone.exe" )
[09/28/2006, 23:31:14] - Detected System Information:
[09/28/2006, 23:31:14] - Windows Version: 5.1.2600, Service Pack 2
[09/28/2006, 23:31:14] - Current Username: Cyrus Abdollahi (Admin)
[09/28/2006, 23:31:14] - Windows is in NORMAL mode.
[09/28/2006, 23:31:14] - Searching for Browser Helper Objects:
[09/28/2006, 23:31:14] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:31:14] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:31:14] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:31:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:31:14] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:31:14] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:31:14] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:31:14] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:31:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:31:14] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:31:14] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:31:14] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:31:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:31:14] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:31:14] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:31:14] - Finished Searching Browser Helper Objects
[09/28/2006, 23:31:14] - Finishing up...
[09/28/2006, 23:31:14] - Nothing found! Exiting...

[09/28/2006, 23:35:21] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cyrus Abdollahi\Desktop\VirtumundoBeGone.exe" )
[09/28/2006, 23:35:22] - Detected System Information:
[09/28/2006, 23:35:22] - Windows Version: 5.1.2600, Service Pack 2
[09/28/2006, 23:35:22] - Current Username: Cyrus Abdollahi (Admin)
[09/28/2006, 23:35:22] - Windows is in NORMAL mode.
[09/28/2006, 23:35:22] - Searching for Browser Helper Objects:
[09/28/2006, 23:35:22] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:35:22] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:35:22] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:35:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:35:22] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:35:22] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:35:22] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:35:22] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:35:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:35:22] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:35:22] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:35:22] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:35:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:35:22] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:35:22] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:35:22] - Finished Searching Browser Helper Objects
[09/28/2006, 23:35:22] - Finishing up...
[09/28/2006, 23:35:22] - Nothing found! Exiting...

[09/28/2006, 23:38:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cyrus Abdollahi\Desktop\VirtumundoBeGone.exe" )
[09/28/2006, 23:38:21] - Detected System Information:
[09/28/2006, 23:38:21] - Windows Version: 5.1.2600, Service Pack 2
[09/28/2006, 23:38:21] - Current Username: Cyrus Abdollahi (Admin)
[09/28/2006, 23:38:21] - Windows is in NORMAL mode.
[09/28/2006, 23:38:21] - Searching for Browser Helper Objects:
[09/28/2006, 23:38:21] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/28/2006, 23:38:21] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/28/2006, 23:38:21] - BHO 3: {2B04D533-726F-6228-81B8-03D2B582C08E} ()
[09/28/2006, 23:38:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:38:21] - Checking for HKLM\...\Winlogon\Notify\cmmob
[09/28/2006, 23:38:21] - Key not found: HKLM\...\Winlogon\Notify\cmmob, continuing.
[09/28/2006, 23:38:21] - BHO 4: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[09/28/2006, 23:38:21] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/28/2006, 23:38:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:38:21] - Checking for HKLM\...\Winlogon\Notify\ixt0
[09/28/2006, 23:38:21] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[09/28/2006, 23:38:21] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/28/2006, 23:38:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/28/2006, 23:38:21] - Checking for HKLM\...\Winlogon\Notify\fisaasqf
[09/28/2006, 23:38:21] - Key not found: HKLM\...\Winlogon\Notify\fisaasqf, continuing.
[09/28/2006, 23:38:21] - Finished Searching Browser Helper Objects
[09/28/2006, 23:38:21] - Finishing up...
[09/28/2006, 23:38:21] - Nothing found! Exiting...
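The HijackThis log in post #3 and the VirtumundoBeGone run in post #4 both come down to the same triage question: which autostart entries deserve a second look. The Python below is an added example, not code from this thread, from HijackThis or from VirtumundoBeGone; it parses entries in the HijackThis 1.99 format, flags the patterns the later ewido report bears out (unnamed or missing BHOs, Run keys that start programs from the Windows root, call rundll32 or open a URL, Trusted Zone additions, Winlogon Notify DLLs not on an allowlist, SSODL entries, ownerless services with a missing file), and applies the BHO-to-Winlogon\Notify cross-check that VirtumundoBeGone logs. The sample lines, the one-entry allowlist and every heuristic are constructed assumptions; a hit means review, not a verdict.

```python
"""HijackThis 1.99 log triage (added example, not the forum's or HijackThis'
own code). A hit means "review this entry", not "this is malware"."""
import re

# Constructed sample shaped like the log posted above; the jkhhh BHO and its
# Winlogon Notify twin are taken from the VirtumundoBeGone log so the cross-check has something to find.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2B04D533-726F-6228-81B8-03D2B582C08E} - C:\WINDOWS\system32\cmmob.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\fisaasqf.dll (file missing)
O2 - BHO: (no name) - {C7A2C426-DEC6-47A9-8E62-66712051A348} - C:\WINDOWS\system32\jkhhh.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [bmrhggj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bmrhggj.dll,pydqnvc
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\SYSTEM32\jkhhh.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q3lydXMgQWJkb2xsYWhp\command.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")                 # "O4 - <detail>"
RUN_ENTRY = re.compile(r"HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)")  # "[name] <command>"
WINDOWS_ROOT_EXE = re.compile(r'"?[a-z]:\\windows\\[^\\]+\.exe', re.I)
# Assumed allowlist holding only the Notify entry this thread treats as benign;
# extend it from a known-clean XP installation before relying on it.
NOTIFY_ALLOWLIST = {"wgalogon"}

def _dll_base(detail):
    """Base name without extension of the DLL path that ends an O2/O20 line."""
    path = detail.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name

def _notify_name(detail):
    """Handler name from 'Winlogon Notify: <name> - <path>'."""
    return detail.split(":", 1)[1].split(" - ")[0].strip().lower()

def _check_o2(detail):
    reasons = []
    if detail.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")
    if "(file missing)" in detail:
        reasons.append("registered file is missing")
    return reasons

def _check_o4(detail):
    m = RUN_ENTRY.match(detail)
    if not m:
        return []
    cmd = m.group(2)
    low = cmd.lower()
    reasons = []
    if WINDOWS_ROOT_EXE.match(cmd):
        reasons.append("program runs from the Windows directory root")
    if "rundll32.exe" in low:
        reasons.append("rundll32 loading a DLL at logon")
    if "iexplore.exe" in low and "http" in low:
        reasons.append("browser launched with a URL at logon")
    return reasons

CHECKS = {
    "O2": _check_o2,
    "O4": _check_o4,
    "O15": lambda d: ["site added to the Internet Explorer Trusted Zone"],
    "O20": lambda d: [] if _notify_name(d) in NOTIFY_ALLOWLIST
                     else ["Winlogon Notify DLL not on the allowlist"],
    "O21": lambda d: ["ShellServiceObjectDelayLoad entry"],
    "O23": lambda d: ["service with unknown owner whose file is missing"]
                     if "Unknown owner" in d and "(file missing)" in d else [],
}

def triage(log_text):
    """Return (section, detail, reasons) for every entry that trips a heuristic."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groups())
    # The cross-check VirtumundoBeGone performs in the log above: an unnamed BHO
    # whose DLL is also registered under Winlogon\Notify.
    notify_names = {_notify_name(d) for s, d in entries if s == "O20"}
    findings = []
    for section, detail in entries:
        reasons = CHECKS.get(section, lambda d: [])(detail)
        if section == "O2" and _dll_base(detail) in notify_names:
            reasons.append("BHO DLL is also registered as a Winlogon Notify handler")
        if reasons:
            findings.append((section, detail, reasons))
    return findings

if __name__ == "__main__":
    for section, detail, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4}{'; '.join(reasons)}\n    {detail}")
```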

#5 Ryan (Member, 4,867 posts)
being helped in chat

-Ryan

#6 Ryan (Member, 4,867 posts)
Hi civicvteck, welcome to Geeks to Go. I'm Ryan, and I'll be helping you clean your computer.

This will be a multi step process, but don't worry, we'll soon have your computer nice and clean for you.

I noticed that you don't have an antivirus running. I need you to install one before we proceed any further. Otherwise, we'll both be wasting our time.

Please install ONE (and only one) of the following antivirus programs (they are free for personal use):

Once you have installed one, please update it according to its documentation.

SmitRem

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right-click on the Panda ActiveScan link, select "Copy Shortcut", then right-click on your desktop and select "Paste Shortcut"; or in Firefox, right-click the link, select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

-Ryan

#7 civicvteck (Topic Starter, 13 posts)
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:07:07 AM 9/29/2006

+ Scan result:



C:\Program Files\Alwil Software\Avast4\DATA\moved\thiselt.exe.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\temp.fr5B8F -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\NNBar_VCSetup_876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\mit20E.tmp.cab/NNBar_VCSetup_876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\mit20E.tmp/NNBar_VCSetup_876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\__delete_on_reboot__a_d_r_o_t_a_t_e_._d_l_l_ -> Adware.TrafficSol : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtusqqp.dll.bad -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\dwdsregt.exe.vir -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\oldsregl.exe.vir -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\TIELT001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\sys028888536212.exe.vir -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\WINDOWS\__delete_on_reboot__s_y_s_1_0_1_2_8_8_8_8_5_3_6_2_._e_x_e_ -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\WINDOWS\sys028888536212.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\components\flx7.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Ignored.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@7search[2].txt -> TrackingCookie.7search : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Epilot : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@roispy[1].txt -> TrackingCookie.Roispy : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Cookies\cyrus abdollahi@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\mst1F0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\uninst104.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end
  • 0

#8
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
I would like to see an Uninstall list.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

If you cannot save the uninstall list, please rename HiJack This to anything you wish, and then try to save it.
If you had to rename it to save the list, please let me know.

-Ryan
  • 0

#9
civicvteck

civicvteck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:01:59 AM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lwinmpes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cyrus Abdollahi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://physicsforums.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B04D533-726F-6228-81B8-03D2B582C08E} - C:\WINDOWS\system32\cmmob.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsi207.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\fisaasqf.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bmrhggj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bmrhggj.dll,pydqnvc
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwinmpes.exe ELT001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwinmpes.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159494503562
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q3lydXMgQWJkb2xsYWhp\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
  • 0

#10
civicvteck

civicvteck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Fri 09/29/2006
The current time is: 1:21:56.17

Running from
C:\Documents and Settings\Cyrus Abdollahi\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ismini.exe
issearch.exe
ixt*.dll
amcompat.tlb
nscompat.tlb
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 948 'explorer.exe'
Killing PID 948 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :whistling:
  • 0


#11
civicvteck

civicvteck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ad-Aware SE Personal
Adobe Reader 7.0
America's Army
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
avast! Antivirus
Consumer Complete Care Services Agreement
Crystal10
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
DivX
DivX Converter
DivX Player
EarthLink setup files
Easy CD & DVD Creator 6
EES - Engineering Equation Solver
EES - Engineering Equation Solver (Limited Academic Version)
Enhanced Ads by Think-Adz removal
Enhanced Browser Overlay
ewido anti-spyware 4.0
FEMAP v9.1
FMS
GdiplusUpgrade
Get High Speed Internet!
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp deskjet 5600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
Intel® 537EP V9x DF PCI Modem
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Linksys Wireless-G USB Network Adapter
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Player
Macromedia Flash Player 8
Macromedia Shockwave Player
Maxtor OneTouch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Flight Simulator X Demo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Standard
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSXML 4.0 SP2 Parser and SDK
Musicmatch® Jukebox
OrCAD 10.5 Demo
Panda ActiveScan
PowerDVD 5.3
Qualxserve Service Agreement
QuickTime
RealPlayer
Retrospect Express HD 1.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
Uninstall EyeMax DVR
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB Storage Adapter FX (MXO)
Viewpoint Media Player
WildTangent Web Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Install Manager
Yahoo! Toolbar for Internet Explorer

***I did not have to rename***
  • 0

#12
civicvteck

civicvteck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok, so you know, I deleted two suspicious files from my control panel.

They were:

'Enhanced Ads by Think-adz'
'Enhanced Browser Overlay'

Also, I am in safe mode and doing a deep scan with avast.

I'll post the results of that, and ewido, once they're done.
  • 0

#13
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Hi civicvteck, let's get started on the next part.

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.


== HiJack This ==

Open HiJack This and scan. When it finishes, put an X in the box next to the following item(s):


O2 - BHO: (no name) - {2B04D533-726F-6228-81B8-03D2B582C08E} - C:\WINDOWS\system32\cmmob.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsi207.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\fisaasqf.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [bmrhggj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bmrhggj.dll,pydqnvc
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwinmpes.exe ELT001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwinmpes.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q3lydXMgQWJkb2xsYWhp\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)



Close all open windows except for HiJack This and click fix checked.


== Delete Services ==

Please go to Start > Run, and paste in the following command:

sc delete cmdService

Press OK, and then repeat the process with the command:

sc delete "Network Monitor"

== Delete Files/Folders==

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Remove the following files / folders in bold (if found):


C:\Program Files\Network Monitor << This folder
C:\WINDOWS\Q3lydXMgQWJkb2xsYWhp << This folder

C:\WINDOWS\system32\adrotate.dll << This file
C:\WINDOWS\system32\bmrhggj.dll << This file
C:\WINDOWS\system32\cmmob.dll << This file
C:\WINDOWS\system32\fisaasqf.dll << This file
C:\WINDOWS\system32\nsi207.dll << This file
C:\WINDOWS\system32\lwinmpes.exe << This file

C:\WINDOWS\Duce6.exe << This file


Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :whistling:

-Ryan
  • 0
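As an added example (not code from this thread, from HijackThis or from its author), here is a small Python triage pass over HijackThis-style log lines using heuristics modelled on what the fix list above selects: registrations marked "(file missing)", BHOs with no display name, autoruns that load a DLL export through rundll32 or open the browser at a fixed URL, Trusted Zone additions, and path components that decode from base64 to readable text (the cmdService folder name above is one). The sample log lines are constructed for the example; the heuristics are a reviewer's first pass, not a verdict.

```python
"""Heuristic triage of HijackThis 1.99-style log lines (defender-side example)."""
import base64
import re
from dataclasses import dataclass

# Constructed sample in the shape of a HijackThis log: a mix of benign entries
# and entries of the kinds the fix list in this thread singled out.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {2B04D533-726F-6228-81B8-03D2B582C08E} - C:\\WINDOWS\\system32\\cmmob.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\\WINDOWS\\system32\\adrotate.dll (file missing)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [bmrhggj.dll] C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\bmrhggj.dll,pydqnvc
O4 - HKLM\\..\\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\Q3lydXMgQWJkb2xsYWhp\\command.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# "O4 - <body>" style prefix used by every HijackThis finding line.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A path component made only of base64 alphabet characters, long enough to be
# unlikely as a real folder name, with optional padding.
B64_SEGMENT_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_base64_word(segment: str) -> bool:
    """True if a path component is valid base64 that decodes to printable ASCII."""
    if not B64_SEGMENT_RE.match(segment) or len(segment) % 4:
        return False
    try:
        decoded = base64.b64decode(segment, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(decoded) and all(32 <= b < 127 for b in decoded)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def triage_line(line: str):
    """Return a Finding for one log line, or None when no heuristic fires."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    # A registration whose binary is gone is worth a look, but it is only a hint:
    # in this thread the avast service lines also read "(file missing)" because
    # of a quoting quirk in the log and were correctly left alone.
    if "(file missing)" in body:
        reasons.append("orphaned registration: registered binary no longer on disk")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a display name")
    if section == "O4" and re.search(r"rundll32\.exe\s+\S+\.dll,", body, re.I):
        reasons.append("autorun loads a DLL export via rundll32")
    if section == "O4" and re.search(r"iexplore\.exe.*https?://", body, re.I):
        reasons.append("autorun launches the browser at a fixed URL")
    if section == "O15":
        reasons.append("site added to the Internet Explorer Trusted Zone")
    for segment in re.split(r"[\\/]", body):
        if looks_base64_word(segment):
            reasons.append(f"path component {segment!r} is base64 of printable text")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Triage every line of a log and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```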

#14
civicvteck

civicvteck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok, I followed your directions and here is the Hijack

Logfile of HijackThis v1.99.1
Scan saved at 3:43:12 PM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Documents and Settings\Cyrus Abdollahi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://physicsforums.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Cyrus Abdollahi\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159494503562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


How does it look?
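As an added illustration, not part of this thread and not code from HijackThis: a small Python script that reads entry lines in the format of the log above and flags the ones a helper checks first (an autostart launched from a Temp directory, entries marked "(file missing)", services listed as "Unknown owner", and O16 ActiveX download entries). The sample lines are copied from the posted log with the user profile name replaced by the placeholder `<user>`; the flagging rules are assumptions chosen for illustration, and a flag means "look closer", not "malicious".

```python
"""Triage helper for HijackThis-style logs.

Added example, not code from this thread or from HijackThis. It parses the
"Oxx - ..." entry lines and flags the entries a helper looks at first. The
rules below are assumptions for illustration; a flag means "inspect", not
"infected".
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above, with the user
# profile name replaced by the placeholder <user>.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\<user>\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
"""

# "O4 - body" or "R1 - body"; everything after the first " - " is the body.
LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# First Windows path ending in an executable-ish extension. Non-greedy, so the
# match stops at the first .exe/.dll/.cab and ignores trailing arguments.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cab)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    target: str   # path or URL the entry points at (best effort)
    reason: str   # why it is worth a closer look


def parse_line(line: str):
    """Return (section, body) for a HijackThis entry line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def target_of(body: str) -> str:
    """Best-effort extraction of the file path or URL an entry points at."""
    m = PATH_RE.search(body) or URL_RE.search(body)
    return m.group(0) if m else body


def triage(log_text: str) -> list:
    """Apply the review rules to every entry line and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # blank lines, headers, the running-process list
        section, body = parsed
        target = target_of(body)
        if "(file missing)" in body:
            findings.append(Finding(section, target,
                "target file missing: usually a leftover entry, worth cleaning up"))
        if section == "O4" and re.search(r"\\Temp\\", target, re.IGNORECASE):
            findings.append(Finding(section, target,
                "autostart launched from a Temp directory: confirm which program put it there"))
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, target,
                "service without a publisher name: confirm the vendor and file location"))
        if section == "O16":
            findings.append(Finding(section, target,
                "ActiveX download (DPF): confirm the hosting site is one the user trusts"))
    return findings


def report(findings) -> str:
    """Render findings one per entry, ordered by section number, for posting back."""
    ordered = sorted(findings, key=lambda f: (f.section[0], int(f.section[1:])))
    return "\n".join(f"{f.section:<4} {f.reason}\n     -> {f.target}" for f in ordered)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

A hit is a prompt for a human, not a verdict: the Temp-directory rule fires on the MXOBG entry, which in the log above sits directly after the Maxtor OneTouch entries, so a reviewer would check the vendor of that loader before deciding anything about it. The "(file missing)" rule likewise catches both genuine leftovers and entries whose quoted command line HijackThis simply did not split cleanly, as with the avast! service lines.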

#15
Ryan

  • Member
  • 4,867 posts
Update Java and Clear Cache
  • Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Next, let's make a new restore point and get rid of the others.

Step #1 - Create a New Restore Point

Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.

Step #2 - Flush All Previous Points

Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point.

Please post a new HiJack This log when you have finished.

-Ryan

Edited by rmurphy, 29 September 2006 - 01:49 PM.
