win antivirus pro popups!

#1 anxiety (Member, 14 posts)
I just got the popups today. Here's my HijackThis log (renamed it to fallen944.exe before I ran it).

Logfile of HijackThis v1.99.1
Scan saved at 2:03:44 AM, on 10/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\ismon.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Steam\steam.exe
C:\DOCUME~1\DREWRE~1\LOCALS~1\Temp\mmxsnet.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Documents and Settings\Drew Reedy\Desktop\HLSS 3.00.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Drew Reedy\Desktop\fallen944.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esportsea.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\mxoosgsu.dll
O2 - BHO: (no name) - {CBEDC6AD-E9FB-4E11-AFF7-09EDBAA456F1} - C:\WINDOWS\System32\ddaba.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\Villa\MANSION.exe
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\Villa\MANSION.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144595065591
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144595055623
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: ddaba - C:\WINDOWS\System32\ddaba.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
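The load points in this log that the rest of the thread ends up fixing are all visible in a handful of lines: two BHOs with no display name in System32 (mxoosgsu.dll, ddaba.dll), an O20 Winlogon Notify entry for the same ddaba.dll, and a toolbar hook whose file is already gone. As an added example (not part of this thread, of HijackThis or of any Geeks to Go tool), here is a Python triage script that parses O2/O3/O20/R3 lines and flags those patterns. The sample input is a constructed subset of the lines posted above; the "random-looking name" rule (5 to 8 lowercase letters, no digits) is an assumed heuristic and will need tuning for other logs.

```python
"""Triage of HijackThis-style log lines for suspicious browser and logon load points.

Added example for this thread; it is not part of HijackThis or of any Geeks to Go
tool. Heuristics, all taken from the log posted above:
  1. an entry with no display name ("(no name)") or no backing file ("(no file)");
  2. a DLL in System32 whose name is a short run of lowercase letters with no digits
     (the naming style of the randomly named components in this log);
  3. one DLL registered under several load points (ddaba.dll is both an O2 BHO and
     an O20 Winlogon Notify DLL), and any O20 entry at all, because a Notify DLL is
     loaded by winlogon.exe and is therefore in use while anyone is logged on.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\mxoosgsu.dll
O2 - BHO: (no name) - {CBEDC6AD-E9FB-4E11-AFF7-09EDBAA456F1} - C:\WINDOWS\System32\ddaba.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O20 - Winlogon Notify: ddaba - C:\WINDOWS\System32\ddaba.dll
"""

# Sections laid out as "Oxx - Kind: Name - {CLSID} - Path"; the CLSID part is optional (O20 has none).
LINE_RE = re.compile(
    r"^(?P<section>O2|O3|O20|R3) - (?P<kind>[^:]+): (?P<name>.*?)"
    r"(?: - \{(?P<clsid>[0-9A-Fa-f-]+)\})? - (?P<path>.+)$"
)
# Assumption: 5-8 lowercase letters, no digits. Tune the range for your own estate.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")


def parse(log_text):
    """Return one dict per recognised line; other sections (O4, O8, O9, O16, O23) are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def basename(path):
    return path.strip().rsplit("\\", 1)[-1]


def triage(log_text):
    """Map a label (file name, or display name when there is no file) to its sorted findings."""
    entries = parse(log_text)
    load_points = defaultdict(set)          # file name -> sections that reference it
    for e in entries:
        load_points[basename(e["path"]).lower()].add(e["section"])

    findings = defaultdict(set)
    for e in entries:
        fname = basename(e["path"]).lower()
        label = e["name"].strip().lower() if fname == "(no file)" else fname
        stem = fname.rsplit(".", 1)[0]
        in_system32 = "\\system32\\" in e["path"].lower()
        if e["name"].strip().lower() == "(no name)":
            findings[label].add("no display name")
        if fname == "(no file)":
            findings[label].add("registered but backing file is missing")
        if fname.endswith(".dll") and in_system32 and RANDOM_STEM_RE.match(stem):
            findings[label].add("random-looking DLL name in System32")
        if e["section"] == "O20":
            findings[label].add("Winlogon Notify DLL: loaded by winlogon.exe, in use while logged on")
        if len(load_points[fname]) > 1:
            findings[label].add("one DLL under several load points: " + ", ".join(sorted(load_points[fname])))
    return {label: sorted(reasons) for label, reasons in findings.items()}


if __name__ == "__main__":
    for label, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(label)
        for reason in reasons:
            print("   -", reason)
```

Run against the full log, this leaves AcroIEHelper.dll, msdxm.ocx and VSToolBar.dll unflagged (known vendor paths, or a name outside the random-name range) and reports mxoosgsu.dll and ddaba.dll, the latter with the O2/O20 double registration that explains why a browser-only cleanup would not have removed it.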


#2 Wizard (Retired Staff, 5,661 posts)
Hi anxiety, and welcome to Geeks to Go!

Let's take care of Smitfraud first, then we will move on to the other infection.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


After posting that log, please download ComboFix to your desktop.
http://download.blee...Bs/combofix.exe

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.

#3 anxiety (Topic Starter, 14 posts)
SmitFraudFix v2.104

Scan done at 23:18:39.37, Wed 10/04/2006
Run from C:\Documents and Settings\Drew Reedy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Drew Reedy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Drew Reedy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DREWRE~1\FAVORI~1

C:\DOCUME~1\DREWRE~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 anxiety (Topic Starter, 14 posts)
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Drew Reedy\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ismon.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))


2006-10-04 23:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-04 23:18 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-04 23:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-04 23:18 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-04 01:23 86,036 --a------ C:\WINDOWS\system32\mxoosgsu.dll
2006-10-04 01:23 820,901 ---hs---- C:\WINDOWS\system32\abadd.bak1
2006-10-04 01:23 45,525 --a------ C:\WINDOWS\system32\wlvfjwws.dll
2006-10-04 01:23 143,380 --a------ C:\WINDOWS\system32\xfihxbht.exe
2006-10-03 21:23 577,588 ---hs---- C:\WINDOWS\system32\ddaba.dll
2006-10-03 21:17 40,973 ---hs---- C:\WINDOWS\system32\tuvtqon.dll
2006-09-25 12:38 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-25 12:38 33,152 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2006-09-25 12:38 23,680 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2006-09-25 12:38 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2006-09-22 21:15 81,920 --a------ C:\WINDOWS\system32\nicmgr.exe
2006-09-22 21:15 57,344 --a------ C:\WINDOWS\system32\nicmgr.dll
2006-09-22 17:47 10,664 --a------ C:\WINDOWS\system32\gan_adapter.sys
2006-09-22 17:47 10,664 --a------ C:\WINDOWS\system32\drivers\gan_adapter.sys
2006-09-15 22:04 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-15 22:02 89,984 --a------ C:\WINDOWS\system32\drivers\sptd3421.sys
2006-09-15 22:02 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-09-15 20:33 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2006-09-15 20:29 73,728 --a------ C:\WINDOWS\system32\cliconfg.dll
2006-09-15 20:29 73,728 --------- C:\WINDOWS\system32\dbnetlib.dll
2006-09-15 20:29 44,032 --a------ C:\WINDOWS\system32\msxml3r.dll
2006-09-15 20:29 401,408 --------- C:\WINDOWS\system32\sqlsrv32.dll
2006-09-15 20:29 4,656 --a------ C:\WINDOWS\system32\ds16gt.dll
2006-09-15 20:29 36,864 --a------ C:\WINDOWS\system32\mscpxl32.dll
2006-09-15 20:29 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll
2006-09-15 20:29 28,672 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2006-09-15 20:29 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2006-09-15 20:29 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2006-09-15 20:29 24,576 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2006-09-15 20:29 24,576 --------- C:\WINDOWS\system32\odbcbcp.dll
2006-09-15 20:29 20,480 --a------ C:\WINDOWS\system32\cliconfg.exe
2006-09-15 20:29 180,800 --------- C:\WINDOWS\system32\sqlunirl.dll
2006-09-15 20:29 1,129,472 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-15 20:28 94,208 --a------ C:\WINDOWS\system32\odbcint.dll
2006-09-15 20:28 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2006-09-15 20:28 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2006-09-15 20:28 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe
2006-09-15 20:28 26,224 --a------ C:\WINDOWS\system32\odbc16gt.dll
2006-09-15 20:28 221,184 --a------ C:\WINDOWS\system32\odbc32.dll
2006-09-15 20:28 20,480 --a------ C:\WINDOWS\system32\msorc32r.dll
2006-09-15 20:28 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2006-09-15 20:28 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2006-09-15 20:28 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2006-09-15 20:28 143,360 --a------ C:\WINDOWS\system32\msdart.dll
2006-09-15 20:28 139,264 --a------ C:\WINDOWS\system32\msorcl32.dll
2006-09-15 20:28 102,400 --a------ C:\WINDOWS\system32\odbccp32.dll
2006-09-12 23:24 131,072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-09-12 22:01 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-04 23:31 -------- d-------- C:\Program Files\Common Files
2006-10-04 23:11 -------- d-------- C:\Program Files\Steam
2006-10-04 18:52 -------- d-------- C:\Program Files\mIRC
2006-10-04 01:24 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\SearchToolbarCorp
2006-10-04 01:23 -------- d-------- C:\Program Files\VSToolbar
2006-10-03 11:29 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Xfire
2006-10-02 21:15 -------- d-------- C:\Program Files\World of Warcraft
2006-10-01 23:35 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-01 20:48 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Azureus
2006-09-30 18:57 -------- d---s---- C:\Program Files\Xfire
2006-09-26 20:04 121052 --a------ C:\Documents and Settings\Drew Reedy\Application Data\Cosmos Prefs
2006-09-25 14:21 -------- d-------- C:\Program Files\MAIET
2006-09-25 12:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-25 12:38 -------- d-------- C:\Program Files\Razer
2006-09-23 21:30 -------- d-------- C:\Program Files\PlayLinc
2006-09-21 16:44 -------- d-------- C:\Program Files\Warsow
2006-09-21 03:25 -------- d-------- C:\Program Files\GameSpy Arcade
2006-09-21 03:22 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-09-21 02:47 -------- d-------- C:\Program Files\Sierra
2006-09-20 00:21 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Aim
2006-09-15 22:04 -------- d-------- C:\Program Files\DAEMON Tools
2006-09-15 20:59 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Sony
2006-09-15 20:37 -------- d-------- C:\Program Files\Vstplugins
2006-09-15 20:37 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Publish Providers
2006-09-15 20:33 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-09-15 20:29 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-15 20:28 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-15 20:27 -------- d-------- C:\Program Files\Sony
2006-09-15 20:26 -------- d-------- C:\Program Files\Sony Setup
2006-09-14 16:00 -------- d-------- C:\Program Files\Silkroad
2006-09-13 02:40 -------- d-------- C:\Program Files\GoldWave
2006-09-13 01:01 -------- d-------- C:\Program Files\NCH Swift Sound
2006-09-13 00:59 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\NCH Swift Sound
2006-09-12 23:24 -------- d-------- C:\Program Files\Illustrate
2006-09-12 16:52 -------- d-------- C:\Program Files\Lineage II
2006-09-12 16:51 -------- d-------- C:\Program Files\Diablo II
2006-09-08 19:48 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Yahoo!
2006-09-08 19:47 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-09-08 15:17 -------- d-------- C:\Program Files\Winamp
2006-09-07 15:55 -------- d-------- C:\Program Files\Azureus
2006-09-07 02:59 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\NHN Corporation
2006-09-05 21:31 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\vlc
2006-09-05 20:53 -------- d-------- C:\Program Files\VideoLAN
2006-08-28 18:43 -------- d-------- C:\Program Files\ESEA
2006-08-26 19:26 -------- d-------- C:\Program Files\PokerStars
2006-08-24 21:46 -------- d-------- C:\Program Files\TrackMania Nations ESWC
2006-08-23 20:30 -------- d-------- C:\Program Files\Warcraft III
2006-08-21 19:13 -------- d-------- C:\Program Files\StepMania
2006-08-20 10:58 -------- d-------- C:\Program Files\GetRight
2006-08-17 23:45 -------- d-------- C:\Program Files\Windows Media Player
2006-08-14 17:50 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\AdobeUM
2006-08-07 01:25 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\SecondLife


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"razer"="C:\\Program Files\\Razer\\razerhid.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EA Core]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Core"
"hkey"="HKCU"
"command"="C:\\Program Files\\Electronic Arts\\EA Downloader\\Core.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Outpost Firewall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="outpost"
"hkey"="HKLM"
"command"="C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe /waitservice"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OutpostFeedBack]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="feedback"
"hkey"="HKLM"
"command"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaba

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Wed 10/04/2006 23:31:41.46
ComboFix.txt
ComboFix2.txt
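Three things in the ComboFix listing above are worth checking with a script rather than by eye: the hidden+system attribute string (---hs----) on ddaba.dll, tuvtqon.dll and abadd.bak1; the fact that abadd is ddaba spelled backwards; and the way the unfamiliar files cluster in time (2006-10-03 21:17 to 2006-10-04 01:23, with the VSToolbar folder appearing in the same minute as mxoosgsu.dll, wlvfjwws.dll and xfihxbht.exe). As an added example (not part of the thread or of ComboFix), here is a Python script that parses both listing formats and reports those three signals. The sample is a constructed subset of the posted lines, and the burst threshold of three objects per minute is an assumption. Note the caveat the listing itself shows: the 2006-10-04 23:18 burst is SmitfraudFix's own helpers (Process.exe and SrchSTS.exe are named in its log; swsc.exe and swreg.exe were dropped in the same minute), so a burst is a prompt to look, not a verdict.

```python
"""Triage of a ComboFix "Files Created" / "Find3M" listing.

Added example for this thread; it is not part of ComboFix. Three checks drawn from
the listing posted above:
  1. files in System32 carrying both the hidden and system attributes (---hs----),
     as ddaba.dll, tuvtqon.dll and abadd.bak1 do;
  2. pairs of files whose name stems are the reverse of each other (ddaba / abadd);
  3. creation-time bursts: several new objects in the same minute, which is how a
     dropper's footprint shows up (2006-10-04 01:23 here) but also how a cleanup
     tool's helpers show up (2006-10-04 23:18 is SmitfraudFix's own tools), so a
     burst is a prompt to look, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the ComboFix lines posted above, in both listing formats.
SAMPLE_LISTING = r"""
2006-10-04 23:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-04 23:18 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-04 23:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-04 23:18 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-04 01:23 86,036 --a------ C:\WINDOWS\system32\mxoosgsu.dll
2006-10-04 01:23 820,901 ---hs---- C:\WINDOWS\system32\abadd.bak1
2006-10-04 01:23 45,525 --a------ C:\WINDOWS\system32\wlvfjwws.dll
2006-10-04 01:23 143,380 --a------ C:\WINDOWS\system32\xfihxbht.exe
2006-10-03 21:23 577,588 ---hs---- C:\WINDOWS\system32\ddaba.dll
2006-10-03 21:17 40,973 ---hs---- C:\WINDOWS\system32\tuvtqon.dll
2006-09-25 12:38 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2006-10-04 01:23 -------- d-------- C:\Program Files\VSToolbar
2006-09-13 02:40 -------- d-------- C:\Program Files\GoldWave
"""

# "YYYY-MM-DD HH:MM <size or dashes> <9-char attribute field> <path>".
# Attribute positions observed in the listing: 'd' (directory) at [0], 'a' at [2], 'h' at [3], 's' at [4].
LISTING_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\S+) (?P<attr>\S{9}) (?P<path>.+)$"
)


def parse_listing(text):
    """Return one dict per listing row, with is_dir and the bare file/folder name added."""
    rows = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["is_dir"] = row["attr"][0] == "d"
        row["name"] = row["path"].rsplit("\\", 1)[-1]
        rows.append(row)
    return rows


def analyze(text, burst_threshold=3):
    """Return hidden+system files in System32, reversed-name pairs, and per-minute creation bursts."""
    rows = parse_listing(text)
    files = [r for r in rows if not r["is_dir"]]

    # 1. hidden + system in System32: unusual for anything an application installs there.
    hidden_system = sorted(
        r["name"] for r in files
        if "h" in r["attr"] and "s" in r["attr"] and "\\system32\\" in r["path"].lower()
    )

    # 2. reversed-name pairs, e.g. ddaba.dll and abadd.bak1 in this listing.
    by_stem = {r["name"].lower().rsplit(".", 1)[0]: r["name"] for r in files}
    pairs = set()
    for stem, name in by_stem.items():
        rev = stem[::-1]
        if rev != stem and rev in by_stem:
            pairs.add(tuple(sorted((name, by_stem[rev]))))

    # 3. bursts: directories count too, since VSToolbar appeared in the same minute as the DLLs.
    per_minute = defaultdict(list)
    for r in rows:
        per_minute[r["date"] + " " + r["time"]].append(r["name"])
    bursts = {minute: names for minute, names in per_minute.items() if len(names) >= burst_threshold}

    return {"hidden_system": hidden_system, "reversed_pairs": sorted(pairs), "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LISTING)
    print("hidden+system in System32:", result["hidden_system"])
    print("reversed-name pairs:", result["reversed_pairs"])
    for minute in sorted(result["bursts"]):
        print("burst at", minute, "->", result["bursts"][minute])
```

Feed it the whole ComboFix log and the two bursts it reports on this machine are 01:23 on 2006-10-04 (the adware drop, including the VSToolbar folder) and 23:18 the same day (the SmitfraudFix helpers), while the ODBC/SQL files from 2006-09-15 20:28 and 20:29 would also show up as a burst, which is exactly why the analyst, not the threshold, decides what is malicious.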

#5 Wizard (Retired Staff, 5,661 posts)
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



After posting C:\rapport.txt, please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the open boxes
    • C:\WINDOWS\system32\xfihxbht.exe
    • C:\WINDOWS\system32\ddaba.dll
    • C:\WINDOWS\system32\mxoosgsu.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once completed, post the 2 logs requested in a separate reply.



Click Start--> Click Run--> Copy&Paste the command below into the Open Run Box and Click OK.

%userprofile%\Desktop\combofix.exe /v wlvfjwws tuvtqon

Let Combo Fix do its thing and save the resulting log.

Post the new ComboFix log in a separate reply, please.

#6 anxiety (Topic Starter, 14 posts)
SmitFraudFix v2.104

Scan done at 16:08:58.59, Fri 10/06/2006
Run from C:\Documents and Settings\Drew Reedy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 Wizard (Retired Staff, 5,661 posts)
Let's see what the other logs tell us.

#8 anxiety (Topic Starter, 14 posts)
VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 5:22:29 PM 10/6/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\xfihxbht.exe
C:\WINDOWS\system32\xfihxbht.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaba.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mxoosgsu.dll
C:\WINDOWS\system32\mxoosgsu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaba.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaba.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaba.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaba.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

Beginning removal...
#9 anxiety (Topic Starter, Member, 14 posts)

I tried the Run command you gave me, but it cannot find that source...
#10 anxiety (Topic Starter, Member, 14 posts)

For ComboFix, that is...
#11 anxiety (Topic Starter, Member, 14 posts)

I ran ComboFix again, if that's what you wanted... But I can't get that command to work in Run... If I have to do that, let me know... Also, if I do that removal and then boot up my browser and get all the popups, will it reinstall all the trojans back onto my PC?

ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Drew Reedy\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-06 to 2006-10-06 ))))))))))))))))))))))))))))))))))


2006-10-05 14:21 63,704 --a------ C:\WINDOWS\system32\ipv6monl.dll
2006-10-05 14:21 18,432 --a------ C:\svhost.exe
2006-10-05 01:23 856,900 ---hs---- C:\WINDOWS\system32\abadd.bak2
2006-10-04 23:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-04 23:18 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-04 23:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-04 23:18 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-04 01:23 820,901 ---hs---- C:\WINDOWS\system32\abadd.bak1
2006-10-04 01:23 45,525 --a------ C:\WINDOWS\system32\wlvfjwws.dll
2006-10-03 21:17 40,973 ---hs---- C:\WINDOWS\system32\tuvtqon.dll
2006-09-25 12:38 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-25 12:38 33,152 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2006-09-25 12:38 23,680 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2006-09-25 12:38 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2006-09-22 21:15 81,920 --a------ C:\WINDOWS\system32\nicmgr.exe
2006-09-22 21:15 57,344 --a------ C:\WINDOWS\system32\nicmgr.dll
2006-09-22 17:47 10,664 --a------ C:\WINDOWS\system32\gan_adapter.sys
2006-09-22 17:47 10,664 --a------ C:\WINDOWS\system32\drivers\gan_adapter.sys
2006-09-15 22:04 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-15 22:02 89,984 --a------ C:\WINDOWS\system32\drivers\sptd3421.sys
2006-09-15 22:02 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-09-15 20:33 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2006-09-15 20:29 73,728 --a------ C:\WINDOWS\system32\cliconfg.dll
2006-09-15 20:29 73,728 --------- C:\WINDOWS\system32\dbnetlib.dll
2006-09-15 20:29 44,032 --a------ C:\WINDOWS\system32\msxml3r.dll
2006-09-15 20:29 401,408 --------- C:\WINDOWS\system32\sqlsrv32.dll
2006-09-15 20:29 4,656 --a------ C:\WINDOWS\system32\ds16gt.dll
2006-09-15 20:29 36,864 --a------ C:\WINDOWS\system32\mscpxl32.dll
2006-09-15 20:29 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll
2006-09-15 20:29 28,672 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2006-09-15 20:29 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2006-09-15 20:29 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2006-09-15 20:29 24,576 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2006-09-15 20:29 24,576 --------- C:\WINDOWS\system32\odbcbcp.dll
2006-09-15 20:29 20,480 --a------ C:\WINDOWS\system32\cliconfg.exe
2006-09-15 20:29 180,800 --------- C:\WINDOWS\system32\sqlunirl.dll
2006-09-15 20:29 1,129,472 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-15 20:28 94,208 --a------ C:\WINDOWS\system32\odbcint.dll
2006-09-15 20:28 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2006-09-15 20:28 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2006-09-15 20:28 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe
2006-09-15 20:28 26,224 --a------ C:\WINDOWS\system32\odbc16gt.dll
2006-09-15 20:28 221,184 --a------ C:\WINDOWS\system32\odbc32.dll
2006-09-15 20:28 20,480 --a------ C:\WINDOWS\system32\msorc32r.dll
2006-09-15 20:28 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2006-09-15 20:28 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2006-09-15 20:28 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2006-09-15 20:28 143,360 --a------ C:\WINDOWS\system32\msdart.dll
2006-09-15 20:28 139,264 --a------ C:\WINDOWS\system32\msorcl32.dll
2006-09-15 20:28 102,400 --a------ C:\WINDOWS\system32\odbccp32.dll
2006-09-12 23:24 131,072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-09-12 22:01 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-06 17:26 -------- d-------- C:\Program Files\Warsow
2006-10-06 16:42 -------- d-------- C:\Program Files\GetRight
2006-10-06 16:39 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-06 15:39 -------- d-------- C:\Program Files\Steam
2006-10-04 23:31 -------- d-------- C:\Program Files\Common Files
2006-10-04 18:52 -------- d-------- C:\Program Files\mIRC
2006-10-04 01:24 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\SearchToolbarCorp
2006-10-04 01:23 -------- d-------- C:\Program Files\VSToolbar
2006-10-03 11:29 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Xfire
2006-10-02 21:15 -------- d-------- C:\Program Files\World of Warcraft
2006-10-01 20:48 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Azureus
2006-09-30 18:57 -------- d---s---- C:\Program Files\Xfire
2006-09-26 20:04 121052 --a------ C:\Documents and Settings\Drew Reedy\Application Data\Cosmos Prefs
2006-09-25 14:21 -------- d-------- C:\Program Files\MAIET
2006-09-25 12:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-25 12:38 -------- d-------- C:\Program Files\Razer
2006-09-23 21:30 -------- d-------- C:\Program Files\PlayLinc
2006-09-21 03:25 -------- d-------- C:\Program Files\GameSpy Arcade
2006-09-21 03:22 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-09-21 02:47 -------- d-------- C:\Program Files\Sierra
2006-09-20 00:21 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Aim
2006-09-15 22:04 -------- d-------- C:\Program Files\DAEMON Tools
2006-09-15 20:59 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Sony
2006-09-15 20:37 -------- d-------- C:\Program Files\Vstplugins
2006-09-15 20:37 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Publish Providers
2006-09-15 20:33 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-09-15 20:29 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-15 20:28 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-15 20:27 -------- d-------- C:\Program Files\Sony
2006-09-15 20:26 -------- d-------- C:\Program Files\Sony Setup
2006-09-14 16:00 -------- d-------- C:\Program Files\Silkroad
2006-09-13 02:40 -------- d-------- C:\Program Files\GoldWave
2006-09-13 01:01 -------- d-------- C:\Program Files\NCH Swift Sound
2006-09-13 00:59 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\NCH Swift Sound
2006-09-12 23:24 -------- d-------- C:\Program Files\Illustrate
2006-09-12 16:52 -------- d-------- C:\Program Files\Lineage II
2006-09-12 16:51 -------- d-------- C:\Program Files\Diablo II
2006-09-08 19:48 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\Yahoo!
2006-09-08 19:47 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-09-08 15:17 -------- d-------- C:\Program Files\Winamp
2006-09-07 15:55 -------- d-------- C:\Program Files\Azureus
2006-09-07 02:59 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\NHN Corporation
2006-09-05 21:31 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\vlc
2006-09-05 20:53 -------- d-------- C:\Program Files\VideoLAN
2006-08-28 18:43 -------- d-------- C:\Program Files\ESEA
2006-08-26 19:26 -------- d-------- C:\Program Files\PokerStars
2006-08-24 21:46 -------- d-------- C:\Program Files\TrackMania Nations ESWC
2006-08-23 20:30 -------- d-------- C:\Program Files\Warcraft III
2006-08-21 19:13 -------- d-------- C:\Program Files\StepMania
2006-08-17 23:45 -------- d-------- C:\Program Files\Windows Media Player
2006-08-14 17:50 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\AdobeUM
2006-08-07 01:25 -------- d-------- C:\Documents and Settings\Drew Reedy\Application Data\SecondLife


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"razer"="C:\\Program Files\\Razer\\razerhid.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EA Core]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Core"
"hkey"="HKCU"
"command"="C:\\Program Files\\Electronic Arts\\EA Downloader\\Core.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Outpost Firewall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="outpost"
"hkey"="HKLM"
"command"="C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe /waitservice"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OutpostFeedBack]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="feedback"
"hkey"="HKLM"
"command"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Fri 10/06/2006 18:44:29.45
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
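The ComboFix log above is what the helper read by eye to pick the Killbox targets in the next post. As an added example (not ComboFix's code and not anything posted in this thread), the script below parses the "Files Created" section and applies the three indicators the helper acted on: hidden+system files dropped under C:\WINDOWS, a Windows system-binary name (or a one-letter misspelling of one such as svhost.exe) outside the directory it belongs in, and files created in system32 or the drive root within a few days of the scan. The sample input is copied from the posted log, with one constructed line added (lsass.exe in the random system32 subfolder F-Secure later reported; its size is invented). The "home directory" table and the 3-day window are assumptions chosen for this example.

```python
"""Triage a ComboFix 'Files Created' listing for the indicators used in this thread.

Added example; not ComboFix's code and not posted by the helper.
"""
import re
from datetime import date

# Sample input: lines copied from the ComboFix log posted above, plus one
# constructed line (lsass.exe in a random system32 subfolder; size invented).
SAMPLE_LOG = r"""ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Drew Reedy\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-06 to 2006-10-06 ))))))))))))))))))))))))))))))))))


2006-10-05 14:21 63,704 --a------ C:\WINDOWS\system32\ipv6monl.dll
2006-10-05 14:21 18,432 --a------ C:\svhost.exe
2006-10-05 14:20 24,576 --a------ C:\WINDOWS\system32\otfuzluvzcgn\lsass.exe
2006-10-05 01:23 856,900 ---hs---- C:\WINDOWS\system32\abadd.bak2
2006-10-04 01:23 45,525 --a------ C:\WINDOWS\system32\wlvfjwws.dll
2006-10-03 21:17 40,973 ---hs---- C:\WINDOWS\system32\tuvtqon.dll
2006-09-25 12:38 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-15 20:29 1,129,472 --a------ C:\WINDOWS\system32\msxml3.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-06 17:26 -------- d-------- C:\Program Files\Warsow
"""

SYSTEM32 = r"c:\windows\system32"
# Assumed table: where these names legitimately live on Windows XP.
SYSTEM_BINARIES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}

HEADER_RE = re.compile(r"Files Created from \d{4}-\d{2}-\d{2} to (\d{4}-\d{2}-\d{2})")
# date time size attrs path, e.g. "2006-10-05 01:23 856,900 ---hs---- C:\...\abadd.bak2"
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} ([\d,]+) ([-a-z]{9}) (\S.*)$")


def parse_files_created(log):
    """Return (scan_end_date, entries); each entry is (created, size, attrs, path)."""
    end, entries, in_section = None, [], False
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m:
            end, in_section = date.fromisoformat(m.group(1)), True
            continue
        if in_section and line.startswith("(((("):
            break  # banner of the next ComboFix section
        m = ENTRY_RE.match(line)
        if in_section and m:
            created = date.fromisoformat(m.group(1))
            size = int(m.group(2).replace(",", ""))
            entries.append((created, size, m.group(3), m.group(4)))
    return end, entries


def edit_distance(a, b):
    """Plain Levenshtein distance; catches svhost.exe as one edit from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log, recent_days=3):
    """Map each suspicious path to the list of reasons it was flagged."""
    end, entries = parse_files_created(log)
    findings = {}
    for created, _size, attrs, path in entries:
        directory, _, name = path.lower().rpartition("\\")
        reasons = []
        # Vundo-style droppings: hidden + system attributes under C:\WINDOWS
        if "h" in attrs and "s" in attrs and directory.startswith(r"c:\windows"):
            reasons.append("hidden+system attributes under C:\\WINDOWS")
        # A real system-binary name in the wrong place, or a near-miss name
        home = SYSTEM_BINARIES.get(name)
        if home is not None:
            if directory != home:
                reasons.append(f"system binary name outside {home}")
        elif name.endswith(".exe"):
            near = [real for real in SYSTEM_BINARIES if edit_distance(name, real) == 1]
            if near:
                reasons.append(f"name one edit away from {near[0]}")
        # Fresh files directly in system32 or the drive root around the infection date
        if end and (end - created).days <= recent_days and directory in (SYSTEM32, "c:"):
            reasons.append(f"created within {recent_days} days of the scan in {directory}")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, the six paths flagged are exactly the ones the thread goes on to remove (the two Vundo DLLs, the hidden .bak file, ipv6monl.dll, the svhost.exe lookalike and the lsass.exe copy); the legitimate hidusb.sys and msxml3.dll are not flagged. The recency rule alone is noisy, so it is reported as one reason among several rather than as a verdict.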
#12 Wizard (Retired Staff, 5,661 posts)

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\wlvfjwws.dll
    C:\WINDOWS\system32\tuvtqon.dll
    C:\WINDOWS\system32\abadd.bak2
    C:\WINDOWS\system32\abadd.bak1


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply along with a fresh HijackThis log.

Edited by Cretemonster, 06 October 2006 - 06:31 PM.

#13 anxiety (Topic Starter, Member, 14 posts)

The program froze on the 29th item... I am going to restart it. I'll post another report along with a HijackThis log...

Result: 37 malware found
Packed.Win32.Klone.k (virus)
C:\!KILLBOX\WLVFJWWS.DLL (Submitted)
Possible Browser Hijack attempt (spyware)
System
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System (Submitted)
System
System
System
System
System
System
Trojan-Clicker.Win32.VB.lb (virus)
C:\DOCUMENTS AND SETTINGS\DREW REEDY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1O3M56X\PRE[1].EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\DREW REEDY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1O3M56X\PRE[2].EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\DREW REEDY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1O3M56X\PRE[3].EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\DREW REEDY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1O3M56X\PRE[4].EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.cln (virus)
C:\WINDOWS\SYSTEM32\OTFUZLUVZCGN\LSASS.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Zlob.afg (virus)
C:\DOCUMENTS AND SETTINGS\DREW REEDY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\SHQF0XAF\L[1].EXE (Renamed & Submitted)
Trojan-Spy.Win32.BZub.eh (virus)
C:\WINDOWS\SYSTEM32\IPV6MONL.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32889
System: 5586
Not scanned: 5
Actions:
Disinfected: 1
Renamed: 7
Deleted: 0
None: 29
Submitted: 9
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{373EA1F8-B291-4C20-A37D-DBCA0CCAF150}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-06
F-Secure Libra: 2.4.1, 2006-10-06
F-Secure Orion: 1.2.37, 2006-10-06
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-29
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
#14 anxiety (Topic Starter, Member, 14 posts)

Now the F-Secure online scan locks up when I click it to start. I'll keep retrying; it might take me a day...
#15 Wizard (Retired Staff, 5,661 posts)

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



When F-Secure renames a file it will usually appear like this:

C:\WINDOWS\SYSTEM32\IPV6MONL.0LL



Restart in Safe Mode and make sure Windows is showing hidden files:
http://www.bleepingc...al62.html#winxp


Locate and Delete this folder

C:\WINDOWS\SYSTEM32\OTFUZLUVZCGN

Locate and Delete this file

C:\WINDOWS\SYSTEM32\IPV6MONL.0LL


Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)


Restart normally and please run the BitDefender Online Scan:
http://www.bitdefend...m/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in text format, please, and post it back here along with a fresh HijackThis log.
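In the post above the helper turns two lines of the F-Secure report from post #13 into a manual clean-up list: IPV6MONL.DLL "(Renamed & Submitted)" becomes IPV6MONL.0LL to delete, and the LSASS.EXE copy means its whole OTFUZLUVZCGN folder goes. As an added example (not F-Secure's code, not the helper's, and not part of the thread), the script below parses the report format posted in #13 and derives the same list: which items the scanner renamed in place, what those files are now called on disk, and which direct subfolder of system32 held one of them. The ".DLL -> .0LL" rule is the helper's observation; extending the same first-letter-to-"0" rule to other extensions (".EXE -> .0XE") is an assumption, as is the system32 path passed to cleanup_list. The sample report is a trimmed copy of the one posted in #13.

```python
"""Derive the manual clean-up list from an F-Secure Online Scanner report.

Added example for this thread; not F-Secure's code and not posted by the helper.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "detection path action")

# Sample input: a trimmed copy of the report posted above (no invented lines).
SAMPLE_REPORT = r"""Result: 37 malware found
Packed.Win32.Klone.k (virus)
C:\!KILLBOX\WLVFJWWS.DLL (Submitted)
Possible Browser Hijack attempt (spyware)
System
Tracking Cookie (spyware)
System (Disinfected)
System
Trojan-Clicker.Win32.VB.lb (virus)
C:\DOCUMENTS AND SETTINGS\DREW REEDY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1O3M56X\PRE[1].EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.cln (virus)
C:\WINDOWS\SYSTEM32\OTFUZLUVZCGN\LSASS.EXE (Renamed & Submitted)
Trojan-Spy.Win32.BZub.eh (virus)
C:\WINDOWS\SYSTEM32\IPV6MONL.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32889
"""

# "Trojan-Spy.Win32.BZub.eh (virus)" -> detection name and class
DETECTION_RE = re.compile(r"^(\S.*) \((virus|spyware|riskware|adware)\)$")
# "C:\...\FILE.DLL (Renamed & Submitted)" or bare "System" -> path and optional action
ITEM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?|System)(?: \((?P<action>[^()]+)\))?$")


def parse_report(text):
    """Return a Finding for every item listed under a detection heading."""
    findings, detection = [], None
    for line in text.splitlines():
        if line.startswith("----"):
            break  # the Statistics block follows the separator
        m = DETECTION_RE.match(line)
        if m:
            detection = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and detection:
            findings.append(Finding(detection, m.group("path"), m.group("action") or "None"))
    return findings


def renamed_name(path):
    """On-disk name after the scanner's 'Renamed' action: IPV6MONL.DLL -> IPV6MONL.0LL.
    Applying the same rule to other extensions (LSASS.EXE -> LSASS.0XE) is an assumption."""
    stem, dot, ext = path.rpartition(".")
    if not dot or "\\" in ext:  # no extension on the file name itself
        return path
    return f"{stem}.0{ext[1:]}"


def cleanup_list(text, system32=r"C:\WINDOWS\SYSTEM32"):
    """Return (renamed_files, folders): the names renamed files now carry, and
    any direct subfolder of system32 that held one of them (delete the folder)."""
    renamed, folders = [], []
    for f in parse_report(text):
        if not f.action.startswith("Renamed"):
            continue
        renamed.append(renamed_name(f.path))
        parent = f.path.rpartition("\\")[0]
        grandparent = parent.rpartition("\\")[0]
        if grandparent.upper() == system32.upper() and parent not in folders:
            folders.append(parent)
    return renamed, folders


def action_counts(text):
    """Tally actions per item, the way the report's Statistics block does."""
    return Counter(f.action for f in parse_report(text))


if __name__ == "__main__":
    files, dirs = cleanup_list(SAMPLE_REPORT)
    print("Renamed files to delete in Safe Mode:")
    for name in files:
        print("   ", name)
    print("Folders to delete:")
    for d in dirs:
        print("   ", d)
    print(dict(action_counts(SAMPLE_REPORT)))
```

Run against the trimmed report this yields the two system32 items the helper named (IPV6MONL.0LL and the OTFUZLUVZCGN folder) plus the renamed cache file under Temporary Internet Files, which ATF-Cleaner and the IE cache purge in the same post take care of. Items tagged only "Submitted" or "Disinfected" are counted but not listed, since nothing is left on disk for the user to remove by hand.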