
They got me....


#1
rcola313
Hi all, long time reader, first time poster. I'm bogged down with a pretty nasty virus. I used to run AVG Free Edition and it informed me one day that there was a trojan, so it put it in its vault and all was well. A few days later I uninstalled AVG Free and got avast! Home, figuring I could then run a boot-time scan with avast and get rid of the problem that way. Well, after uninstalling AVG Free of course I had to reboot my computer to complete the uninstall before installing avast, and that's when all [bleep] broke loose. Next boot I get to the desktop and I've got tons of new icons and pop-ups galore; I ran Spybot and it reported keyloggers, so I instinctively lunged for the wireless button on my computer, installed avast and did the boot-time scan, and it found some 30 or so malicious files. Right now my computer is running stable but I'm positive I still have parts of it left over, as I'm still seeing suspicious processes in Task Manager (i.e. two instances of iexplorer.exe, elitepops06.exe). Anyway, I'll post my log, and thanks in advance for the advice.

Logfile of HijackThis v1.99.1
Scan saved at 12:28:34 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\elitepop06.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{A81A8A96-031E-1033-0430-040323040001}\Update.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ryan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKLM\..\Run: [kbb7c6c3] RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
O4 - HKLM\..\Run: [ms044655594-147] C:\WINDOWS\ms044655594-147.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [GoldenFTPserver] "C:\Program Files\Golden FTP Server\gftp.exe"
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Community Bar - {7F7B948C-FDD9-4469-9D97-465DA1C57023} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149127930681
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149747488239
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
Armodeluxe
Hi rcola313,

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "put file path here"
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • C:\WINDOWS\elitepop06.exe
  • Click Open.
  • Click Post.
Thank you!

Next,
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Also please post a new HijackThis log, but before running HijackThis please rename HijackThis.exe to something else, such as water.exe or food.exe

#3
rcola313
Okay, here's the ComboFix log. I should add that in msconfig I had a few items disabled in startup, so for this HJT log I turned them all on. After the usual clean sweep of AVG tools, computer health seems better, but I'm still getting random pop-ups from IE and who knows what else is going on in the background. Anyway, here are the logs.

ryan - 06-10-12 13:59:34.25 Service Pack 2
ComboFix 06.10.12 - Running from: "C:\Documents and Settings\ryan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\adrot-uninst.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Inetget2
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{381A8A96-031E-1033-0430-040323040001}
C:\Program Files\Common Files\{A81A8A96-031E-1033-0430-040323040001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


2006-10-08 15:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-07 19:50 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-10-07 19:50 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-10-07 19:50 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-10-07 19:50 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-10-07 19:50 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-10-07 19:50 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-10-07 19:50 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-10-07 19:48 1,233 --a------ C:\WINDOWS\system32\kbb7c6c3.sys
2006-10-07 19:47 50,976 --a------ C:\WINDOWS\elitepop06.exe
2006-10-07 19:47 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-10-07 19:47 217,840 --a------ C:\WINDOWS\justin-new.exe
2006-10-07 01:15 40,973 ---hs---- C:\WINDOWS\system32\rqrrqon.dll
2006-10-06 15:38 111,262 --a------ C:\WINDOWS\system32\justin.exe
2006-10-06 13:15 97,433 --a------ C:\WINDOWS\system32\traffic_solution_new.exe
2006-09-28 18:24 75,264 --a------ C:\WINDOWS\system32\nswA.dll
2006-09-25 14:59 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-09-23 13:00 28,672 --a------ C:\WINDOWS\system32\regclass.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-12 14:01 -------- d-------- C:\Program Files\Common Files
2006-10-12 13:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-11 23:42 -------- d-------- C:\Program Files\HyperLobbyPro3
2006-10-11 23:31 -------- d-------- C:\Program Files\Steam
2006-10-11 21:42 -------- d-------- C:\Documents and Settings\ryan\Application Data\Hamachi
2006-10-10 11:57 -------- d-------- C:\Program Files\PeerGuardian2
2006-10-10 11:57 -------- d-------- C:\Documents and Settings\ryan\Application Data\uTorrent
2006-10-09 11:55 -------- d-------- C:\Program Files\THQ
2006-10-08 18:59 124 --a------ C:\Documents and Settings\ryan\Application Data\iScrobbler.ini
2006-10-08 15:38 -------- d-------- C:\Program Files\Grisoft
2006-10-08 15:14 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-08 15:04 -------- d-------- C:\Documents and Settings\ryan\Application Data\TrojanHunter
2006-10-08 14:50 -------- d-------- C:\Program Files\LogMeIn
2006-10-08 14:30 -------- d-------- C:\Program Files\CleanUp!
2006-10-08 11:48 -------- d-------- C:\Program Files\Zone Labs
2006-10-08 11:45 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-07 19:50 -------- d-------- C:\Program Files\Alwil Software
2006-10-07 19:47 -------- d-------- C:\Program Files\em
2006-10-07 19:43 -------- d---s---- C:\Documents and Settings\ryan\Application Data\Microsoft
2006-10-04 22:41 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-10-04 22:36 611064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-04 22:34 -------- d-------- C:\Program Files\The FilmMachine
2006-10-04 22:33 -------- d-------- C:\Program Files\Common Files\Totem Shared
2006-10-04 22:32 -------- d-------- C:\Program Files\Yahoo!
2006-10-04 22:32 -------- d-------- C:\Program Files\TuneXP
2006-10-04 22:32 -------- d-------- C:\Program Files\Teen Spirit
2006-10-04 22:31 -------- d-------- C:\Program Files\SnapStream Media
2006-10-04 22:30 -------- d-------- C:\Program Files\Golden FTP Server
2006-10-03 23:08 -------- d-------- C:\Program Files\ATI Multimedia
2006-10-02 16:12 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-10-02 14:27 10 --a------ C:\WINDOWS\system32\drivers\tmbi.sys
2006-10-01 23:51 -------- d-------- C:\Program Files\Azureus
2006-10-01 20:35 -------- d-------- C:\Program Files\Morpheus
2006-10-01 20:31 -------- d-------- C:\Documents and Settings\ryan\Application Data\Azureus
2006-10-01 20:11 720896 --a------ C:\WINDOWS\iun6002.exe
2006-10-01 19:52 -------- d-------- C:\Program Files\CCleaner
2006-09-29 13:48 -------- d-------- C:\Program Files\EA SPORTS
2006-09-28 21:56 -------- d-------- C:\Program Files\iTunes
2006-09-28 21:56 -------- d-------- C:\Program Files\iPod
2006-09-28 21:55 -------- d-------- C:\Program Files\QuickTime
2006-09-28 21:54 -------- d-------- C:\Program Files\Apple Software Update
2006-09-28 12:57 -------- d-------- C:\Program Files\Electronic Arts
2006-09-25 14:59 -------- d-------- C:\Program Files\Hamachi
2006-09-23 13:00 -------- d-------- C:\Program Files\FirefoxPreloader
2006-09-22 15:00 -------- d-------- C:\Program Files\BoontyGames
2006-09-22 14:48 -------- d-------- C:\Program Files\My Downloaded Games
2006-09-20 22:49 -------- d-------- C:\Program Files\UberQuickPF
2006-09-20 22:47 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-09-20 22:47 249856 --------- C:\WINDOWS\Setup1.exe
2006-09-19 23:33 -------- d-------- C:\Program Files\WarRock
2006-09-19 15:32 -------- d-------- C:\Program Files\Raxco
2006-09-19 15:32 -------- d-------- C:\Program Files\Common Files\Raxco
2006-09-18 16:14 -------- d-------- C:\Program Files\EA GAMES
2006-09-18 15:02 -------- d-------- C:\Program Files\EnsignGames
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:41 -------- d-------- C:\Documents and Settings\ryan\Application Data\Avant Browser
2006-09-12 21:39 -------- d-------- C:\Program Files\ESPN
2006-09-12 21:32 -------- d-------- C:\Program Files\iArt
2006-09-12 13:51 -------- d-------- C:\Documents and Settings\ryan\Application Data\teamspeak2
2006-09-12 12:57 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-10 23:16 -------- d-------- C:\Program Files\Microsoft Community Bar
2006-09-08 14:33 -------- d-------- C:\Program Files\Vstplugins
2006-09-08 14:33 -------- d-------- C:\Program Files\Image-Line
2006-09-06 17:42 -------- d-------- C:\Program Files\Microsoft
2006-09-06 17:16 -------- d-------- C:\Program Files\Microsoft Virtual PC
2006-09-06 00:28 -------- d-------- C:\Program Files\Music Alarm Clock
2006-09-05 19:17 -------- d-------- C:\Program Files\Aldo's Pianito
2006-09-05 19:03 -------- d-------- C:\Documents and Settings\ryan\Application Data\NetMedia Providers
2006-09-05 18:44 -------- d-------- C:\Documents and Settings\ryan\Application Data\REAPER
2006-09-01 16:44 -------- d-------- C:\Program Files\AIM
2006-09-01 16:43 -------- d-------- C:\Program Files\AOD
2006-09-01 14:14 -------- d-------- C:\Program Files\Acoustica Beatcraft
2006-09-01 14:13 -------- d-------- C:\Program Files\Acoustica Shared Effects
2006-08-30 18:52 -------- d-------- C:\Documents and Settings\ryan\Application Data\Sony
2006-08-30 18:22 -------- d-------- C:\Documents and Settings\ryan\Application Data\Publish Providers
2006-08-30 18:20 -------- d-------- C:\Program Files\Sony
2006-08-29 21:09 -------- d-------- C:\Program Files\REAPER
2006-08-28 21:48 -------- d-------- C:\Program Files\AWS
2006-08-28 21:44 -------- d-------- C:\Program Files\Common Files\AOL
2006-08-28 14:40 -------- d-------- C:\Program Files\Ratajik Software
2006-08-26 18:46 -------- d-------- C:\Documents and Settings\ryan\Application Data\Aim
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 12:17 -------- d-------- C:\Program Files\SurfOffline
2006-08-22 17:15 -------- d-------- C:\Program Files\CopyPod
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-17 15:35 -------- d-------- C:\Program Files\Windows Media Player
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 04:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-08-15 22:39 -------- d-------- C:\Program Files\EndItAll
2006-08-15 18:59 -------- d-------- C:\Program Files\AviSynth 2.5
2006-08-14 05:34 332928 --a------ C:\WINDOWS\system32\drivers\srv.sys
2006-08-11 17:04 9576 --a------ C:\WINDOWS\system32\LMImirr2.dll
2006-08-11 17:04 23016 --a------ C:\WINDOWS\system32\LMImirr.dll
2006-08-11 17:04 13032 --a------ C:\WINDOWS\system32\LMIport.dll
2006-08-11 17:04 11496 --a------ C:\WINDOWS\system32\LMIinit.dll
2006-08-01 16:48 7920 --a------ C:\WINDOWS\system32\ractrlkeyhook.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 13:29 4 --a------ C:\WINDOWS\info147.sys
2006-07-14 14:51 108144 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-07-10 01:35 870 --a------ C:\Documents and Settings\ryan\Application Data\AdobeDLM.log
2006-07-10 01:35 0 --a------ C:\Documents and Settings\ryan\Application Data\dm.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"GoldenFTPserver"="\"C:\\Program Files\\Golden FTP Server\\gftp.exe\""
"Steam"=""
"Aim6"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"EnGraph QuickTimeKiller"="C:\\Program Files\\EnGraph\\QuickTimeKiller\\QuickTimeKiller.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"1pop06apelt2"="C:\\WINDOWS\\elitepop06.exe"
"kbb7c6c3"="RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22"
"ms044655594-147"="C:\\WINDOWS\\ms044655594-147.exe"
"avast!"="\"C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjjq32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-10-12 14:02:40.93
ComboFix.txt

And the new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 2:10:43 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\elitepop06.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ryan\Desktop\joob.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\trbvxcqv.dll (file missing)
O2 - BHO: (no name) - {C522F601-5E60-4543-9E53-617D55F4D6C5} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKLM\..\Run: [kbb7c6c3] RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
O4 - HKLM\..\Run: [ms044655594-147] C:\WINDOWS\ms044655594-147.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] "C:\Program Files\Golden FTP Server\gftp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Community Bar - {7F7B948C-FDD9-4469-9D97-465DA1C57023} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149127930681
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149747488239
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



And there ya have it, let me know if you need anything else done.
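An added example (not code from this thread, from HijackThis, or from Geeks to Go) that does part of what the helpers here do by eye: it parses the HijackThis item lines into their sections, flags the kinds of entries this thread is chasing (orphaned BHOs and Winlogon Notify hooks, Trusted Zone additions, Run entries launched from the Windows root or via rundll32 with a bare DLL name), and diffs a before/after log so you can see what a fix actually removed. It assumes only Python 3; the heuristics, regexes and function names (`parse`, `triage`, `diff_logs`) are mine, and the sample lines are constructed from the logs posted in this thread.

```python
"""Triage helper for HijackThis 1.99.x log lines.

Added example for this thread: it is not code from the thread, from
HijackThis, or from Geeks to Go.  It parses the "Oxx - ..." item lines,
applies a few defender-side heuristics that mirror what the helpers here
look for, and diffs two logs to show what a fix removed.  The heuristics
and function names are my own; the sample lines are constructed from the
logs posted in this thread.
"""
import re

# "O4 - HKLM\..\Run: [name] command" and similar item lines.
LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# Body of an O4 line: hive, value name in brackets, then the command.
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Executable sitting directly in the Windows root folder (heuristic; legitimate
# vendor tools occasionally live there too, so a hit means "review", not "malware").
WINROOT_EXE_RE = re.compile(r'^"?C:\\WINDOWS\\[^\\]+\.exe"?', re.IGNORECASE)
# rundll32 loading a DLL by bare name, i.e. resolved through the search path.
RUNDLL_BARE_RE = re.compile(r"^RUNDLL32(?:\.EXE)?\s+(?P<dll>[^\\\s,]+\.dll)", re.IGNORECASE)


def parse(log_text):
    """Yield (section, body) for every HijackThis item line; header lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return [(section, reason, body)] for entries that deserve a closer look."""
    findings = []
    for section, body in parse(log_text):
        if section in ("O2", "O20") and "(file missing)" in body:
            findings.append((section, "registered component whose file is gone (orphaned BHO or Winlogon hook)", body))
        elif section == "O15":
            # A clean XP box normally has no Trusted Zone entries at all; each one
            # lowers IE's security settings for that site.
            findings.append((section, "non-default Trusted Zone entry", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd")
            if WINROOT_EXE_RE.match(cmd):
                findings.append((section, "Run entry launching an executable from the Windows root folder", body))
            elif RUNDLL_BARE_RE.match(cmd):
                findings.append((section, "rundll32 loading a DLL by bare name (no directory)", body))
    return findings


def diff_logs(before, after):
    """Return (removed, added) item lines between two logs from the same machine."""
    b = {f"{s} - {body}" for s, body in parse(before)}
    a = {f"{s} - {body}" for s, body in parse(after)}
    return b - a, a - b


# Constructed sample: a subset of lines from the logs in this thread.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\trbvxcqv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKLM\..\Run: [kbb7c6c3] RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
# Constructed "after" log: the same machine with the elitepop06 Run entry gone,
# as in the later log posted in this thread.
SAMPLE_AFTER = "\n".join(line for line in SAMPLE_BEFORE.splitlines() if "elitepop06" not in line)

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_BEFORE):
        print(f"[{section}] {reason}\n      {body}")
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed by the fix:", *sorted(removed), sep="\n  ")
    print("newly appeared:", *sorted(added), sep="\n  ")
```

Run it as a script to print the flagged lines. The Windows-root and rundll32 checks are heuristics that point at things to review, not verdicts, which is why the helper still asks for the full log rather than a filtered one; the diff is the quick way to confirm that a fix removed exactly the entries it was meant to and nothing else appeared in their place.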

#4
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Before we start removing, I will need one more log.

Create a Startup List
  • Please boot into safe mode by tapping the F8 key just before Windows starts to load.
  • Once in safe mode, open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Put a check to the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post. (it will be saved in the same folder with HijackThis)


#5
rcola313

    Member

  • Topic Starter
  • Member
  • 13 posts
First safemode post ever- thanks again for your time.



StartupList report, 10/14/2006, 12:14:00 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ryan\Desktop\joob.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5346.0005)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ryan\Desktop\joob.exe
C:\Program Files\Mozilla Firefox\firefox.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint2K\Apoint.exe
AGRSMMSG = AGRSMMSG.exe
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
EnGraph QuickTimeKiller = C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
LogMeIn GUI = "C:\Program Files\LogMeIn\LogMeInSystray.exe"
DiskeeperSystray = "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
1pop06apelt2 = C:\WINDOWS\elitepop06.exe
kbb7c6c3 = RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
ms044655594-147 = C:\WINDOWS\ms044655594-147.exe
avast! = "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
THGuard = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
Net-Regulator = C:\Program Files\Net-Regulator\netregulator.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
GoldenFTPserver = "C:\Program Files\Golden FTP Server\gftp.exe"
Steam =
Aim6 =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\trbvxcqv.dll (file missing) - {849B9523-785F-4014-9CAF-079FB4A74C61}
(no name) - C:\WINDOWS\system32\pmkji.dll (file missing) - {C522F601-5E60-4543-9E53-617D55F4D6C5}
(no name) - C:\WINDOWS\system32\adrotate.dll (file missing) - {D117A61F-92C3-4450-A0C8-F425B14D4127}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://pcpitstop.com...p/PCPitStop.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc3.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1149127930681

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1149747488239

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[Performance Viewer Activex Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
CODEBASE = https://secure.logme...trl.cab?lmi=100

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\Net-Regulator\nrsp32.dll
Protocol #19: C:\Program Files\Net-Regulator\nrsp32.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,312 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#6
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
That is not the full log I asked for. You forgot to put a check to the two boxes next to the Box that says "Generate StartupList log". Nevertheless, let's start removing and while you're in safe mode applying the below fix, make a new startup list and post it in your next reply. All the logs may not fit into one post, so please make separate posts for each.

1. First update AVG Anti-Spyware and do the configuration below.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot your computer into SafeMode. You can do this by restarting your computer and tapping the F8 key just before Windows starts to load until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. Choose your usual account.

5. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of the AVG Anti-Spyware text report that you saved and a new HiJackThis log along with the Startup List.

#7
rcola313

    Member

  • Topic Starter
  • Member
  • 13 posts
updated startuplist log

StartupList report, 10/15/2006, 5:11:56 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ryan\Desktop\joob.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5346.0005)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ryan\Desktop\joob.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint2K\Apoint.exe
AGRSMMSG = AGRSMMSG.exe
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
EnGraph QuickTimeKiller = C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
LogMeIn GUI = "C:\Program Files\LogMeIn\LogMeInSystray.exe"
DiskeeperSystray = "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
1pop06apelt2 = C:\WINDOWS\elitepop06.exe
kbb7c6c3 = RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
ms044655594-147 = C:\WINDOWS\ms044655594-147.exe
avast! = "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
THGuard = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
Net-Regulator = C:\Program Files\Net-Regulator\netregulator.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
GoldenFTPserver = "C:\Program Files\Golden FTP Server\gftp.exe"
Steam =
Aim6 =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\trbvxcqv.dll (file missing) - {849B9523-785F-4014-9CAF-079FB4A74C61}
(no name) - C:\WINDOWS\system32\pmkji.dll (file missing) - {C522F601-5E60-4543-9E53-617D55F4D6C5}
(no name) - C:\WINDOWS\system32\adrotate.dll (file missing) - {D117A61F-92C3-4450-A0C8-F425B14D4127}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://pcpitstop.com...p/PCPitStop.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc3.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1149127930681

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1149747488239

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[Performance Viewer Activex Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
CODEBASE = https://secure.logme...trl.cab?lmi=100

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\Net-Regulator\nrsp32.dll
Protocol #19: C:\Program Files\Net-Regulator\nrsp32.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,265 bytes
Report generated in 0.469 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


UPDATE: I will post a new startup list once I complete all the above directions.

Edited by rcola313, 15 October 2006 - 07:24 PM.


#8
rcola313

    Member

  • Topic Starter
  • Member
  • 13 posts
okay here goes....

new startuplist log

StartupList report, 10/16/2006, 12:16:56 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ryan\Desktop\joob.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5346.0005)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ryan\Desktop\joob.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint2K\Apoint.exe
AGRSMMSG = AGRSMMSG.exe
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
EnGraph QuickTimeKiller = C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
LogMeIn GUI = "C:\Program Files\LogMeIn\LogMeInSystray.exe"
DiskeeperSystray = "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
kbb7c6c3 = RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
ms044655594-147 = C:\WINDOWS\ms044655594-147.exe
avast! = "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
THGuard = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
GoldenFTPserver = "C:\Program Files\Golden FTP Server\gftp.exe"
Steam =
Aim6 =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\trbvxcqv.dll (file missing) - {849B9523-785F-4014-9CAF-079FB4A74C61}
(no name) - C:\WINDOWS\system32\pmkji.dll (file missing) - {C522F601-5E60-4543-9E53-617D55F4D6C5}
(no name) - C:\WINDOWS\system32\adrotate.dll (file missing) - {D117A61F-92C3-4450-A0C8-F425B14D4127}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://pcpitstop.com...p/PCPitStop.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc3.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1149127930681

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1149747488239

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[Performance Viewer Activex Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
CODEBASE = https://secure.logme...trl.cab?lmi=100

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,230 bytes
Report generated in 0.938 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

hjt log

Logfile of HijackThis v1.99.1
Scan saved at 12:19:04 AM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ryan\Desktop\joob.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\trbvxcqv.dll (file missing)
O2 - BHO: (no name) - {C522F601-5E60-4543-9E53-617D55F4D6C5} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [kbb7c6c3] RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
O4 - HKLM\..\Run: [ms044655594-147] C:\WINDOWS\ms044655594-147.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] "C:\Program Files\Golden FTP Server\gftp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Community Bar - {7F7B948C-FDD9-4469-9D97-465DA1C57023} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149127930681
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149747488239
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

And the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:53:10 PM 10/15/2006

+ Scan result:



C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078398.dll -> Adware.Aws : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078399.dll -> Adware.Mirar : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078400.exe -> Adware.SaveNow : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP228\A0079178.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP228\A0079188.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP228\A0079189.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078397.dll -> Adware.TrafficSol : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078697.dll -> Adware.TrafficSol : Cleaned.
C:\WINDOWS\system32\rqrrqon.dll -> Adware.Virtumonde : Cleaned.
:mozilla.17:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.25:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.29:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\ryan\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.40:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.41:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.42:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.43:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.44:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.45:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.336:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.337:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.53:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.55:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.56:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.57:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.275:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.146:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.33:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\ryan\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.14:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.15:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.16:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.79:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\ryan\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.261:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.257:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.258:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.259:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.260:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.30:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.31:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.32:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.350:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.103:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.104:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.105:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.106:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.107:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.293:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.294:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.295:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.296:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.297:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.298:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.113:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.64:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.65:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.66:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.67:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.46:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.47:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.48:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.49:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.50:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.51:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.52:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.300:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.119:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.121:C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\83ffkzcx.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\ryan\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\ryan\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078396.dll -> Trojan.Agent.vg : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078395.dll -> Trojan.BHO.g : Cleaned.
C:\WINDOWS\elitepop06.exe -> Trojan.VB.atp : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078394.exe -> Trojan.VB.tg : Cleaned.
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP224\A0078393.exe -> Worm.VB.ao : Cleaned.


::Report end

enjoy!
  • 0

#9
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Open HijackThis and click Scan. Put a check next to these:

O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\trbvxcqv.dll (file missing)
O2 - BHO: (no name) - {C522F601-5E60-4543-9E53-617D55F4D6C5} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [kbb7c6c3] RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
O4 - HKLM\..\Run: [ms044655594-147] C:\WINDOWS\ms044655594-147.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)

The below is optional, see here: http://www.castlecop...3list-1744.html

O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe


Close all other windows except HijackThis and click Fix Checked.

Download the Hoster Here

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
Reboot when done.

Then post:

1) a new HijackThis log
2) a new combofix log
3) the results of the below scan. Please make separate posts so that the logs don't get cut off.

Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
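As an added example (not part of this thread, and not HijackThis code), here is a small Python script that parses HijackThis-style log lines and applies the kinds of checks behind the helper's selection above: O2 and O20 load points marked (file missing), O15 Trusted Zone additions, O1 hosts-file lines, and O4 startup commands that hand RUNDLL32 a DLL with no path or launch an executable sitting directly in C:\WINDOWS. The sample lines are copied from the logs in this thread; the heuristics and the names `parse_hjt`, `triage` and `Finding` are this example's own assumptions.

```python
"""Triage HijackThis 1.99-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the logs in this thread, mixing the
# items the helper asked to fix with benign lines left alone for contrast.
SAMPLE_LOG = r"""
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\trbvxcqv.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [kbb7c6c3] RUNDLL32.EXE w0038f22.dll,n 0057c6be000000020038f22
O4 - HKLM\..\Run: [ms044655594-147] C:\WINDOWS\ms044655594-147.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# "O2 - body", "R1 - body", ... : section code, dash, rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command
O4_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    raw: str


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the Rn/Onn entry lines; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], raw.strip()))
    return entries


def _o4_reason(body: str) -> Optional[str]:
    """Heuristics (this example's own) for suspicious Run-key commands."""
    m = O4_RE.match(body)
    if not m:
        return None
    cmd = m["cmd"].strip().strip('"')
    if cmd.upper().startswith("RUNDLL32.EXE "):
        # A DLL given without a directory is resolved through the search path,
        # so the log line alone does not tell you which file actually runs.
        dll = cmd.split(None, 1)[1].split(",", 1)[0]
        if "\\" not in dll:
            return "RUNDLL32 loads a DLL with no path (%s)" % dll
    # Startup executables normally live under Program Files or system32,
    # not directly in the Windows directory root.
    if re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", cmd, re.IGNORECASE):
        return "startup executable placed directly in the Windows directory"
    return None


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        # Only O2/O20: HijackThis also prints "(file missing)" on O23 service
        # lines whose quoted path carries arguments (see the avast! entries in
        # this thread), even though those services are running.
        if e.section in ("O2", "O20") and "(file missing)" in e.body:
            findings.append(Finding(e.section, "load point references a file no longer on disk", e.raw))
        elif e.section == "O15":
            findings.append(Finding(e.section, "site added to the IE Trusted Zone, relaxing its security settings", e.raw))
        elif e.section == "O1":
            findings.append(Finding(e.section, "hosts-file entry; compare the hosts file with a known-good copy", e.raw))
        elif e.section == "O4":
            reason = _o4_reason(e.body)
            if reason:
                findings.append(Finding(e.section, reason, e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print("[%s] %s\n    %s" % (f.section, f.reason, f.raw))
```

Run as-is it reports seven of the eleven sample lines and leaves the Adobe BHO, the avast! Run entry, the fully-pathed WgaLogon notify and the avast! O23 line alone. The O23 case is the one to remember when reading such logs by hand: "(file missing)" on a service line is not by itself evidence of anything, which is why the helper's fix list above contains no O23 entries except the optional Boonty one.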

#10
rcola313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Just to be sure before I go ahead: there is no hosts file listed when I ran the new HJT log... should I not worry about that, or manually delete the hosts file in Windows?

Edited by rcola313, 17 October 2006 - 11:37 AM.

  • 0

#11
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
No, don't worry, the Hoster program takes care of that.
  • 0

#12
rcola313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
New HJT log:
*********************

Logfile of HijackThis v1.99.1
Scan saved at 2:33:12 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashAvast.exe
C:\Documents and Settings\ryan\Desktop\joob.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [GoldenFTPserver] "C:\Program Files\Golden FTP Server\gftp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Community Bar - {7F7B948C-FDD9-4469-9D97-465DA1C57023} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149127930681
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149747488239
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#13
rcola313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ryan - 06-10-18 14:36:48.37 Service Pack 2
ComboFix 06.10.12 - Running from: "C:\Documents and Settings\ryan\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-13 17:47 15 --a------ C:\WINDOWS\comm32nr.dll
2006-10-08 15:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-07 19:50 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-10-07 19:50 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-10-07 19:50 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-10-07 19:50 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-10-07 19:50 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-10-07 19:50 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-10-07 19:50 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-10-07 19:48 1,233 --a------ C:\WINDOWS\system32\kbb7c6c3.sys
2006-10-07 19:47 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-10-07 19:47 217,840 --a------ C:\WINDOWS\justin-new.exe
2006-10-06 15:38 111,262 --a------ C:\WINDOWS\system32\justin.exe
2006-10-06 13:15 97,433 --a------ C:\WINDOWS\system32\traffic_solution_new.exe
2006-09-28 18:24 75,264 --a------ C:\WINDOWS\system32\nswA.dll
2006-09-25 14:59 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-09-23 13:00 28,672 --a------ C:\WINDOWS\system32\regclass.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-18 14:31 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-18 14:21 -------- d-------- C:\Program Files\PeerGuardian2
2006-10-18 14:21 -------- d-------- C:\Documents and Settings\ryan\Application Data\uTorrent
2006-10-18 09:57 -------- d-------- C:\Program Files\LogMeIn
2006-10-17 14:54 -------- d-------- C:\Program Files\Steam
2006-10-17 11:52 -------- d-------- C:\Documents and Settings\ryan\Application Data\Hamachi
2006-10-15 17:24 -------- d-------- C:\Program Files\Net-Regulator
2006-10-14 12:35 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 19:03 124 --a------ C:\Documents and Settings\ryan\Application Data\iScrobbler.ini
2006-10-13 17:48 -------- d-------- C:\Program Files\Morpheus
2006-10-13 00:57 8048 --a------ C:\WINDOWS\system32\drivers\LMImirr.sys
2006-10-12 21:32 -------- d-------- C:\Documents and Settings\ryan\Application Data\Ahead
2006-10-12 14:01 -------- d-------- C:\Program Files\Common Files
2006-10-11 23:42 -------- d-------- C:\Program Files\HyperLobbyPro3
2006-10-09 11:55 -------- d-------- C:\Program Files\THQ
2006-10-08 15:38 -------- d-------- C:\Program Files\Grisoft
2006-10-08 15:14 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-08 15:04 -------- d-------- C:\Documents and Settings\ryan\Application Data\TrojanHunter
2006-10-08 14:30 -------- d-------- C:\Program Files\CleanUp!
2006-10-08 11:48 -------- d-------- C:\Program Files\Zone Labs
2006-10-08 11:45 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-07 19:50 -------- d-------- C:\Program Files\Alwil Software
2006-10-07 19:47 -------- d-------- C:\Program Files\em
2006-10-07 19:43 -------- d---s---- C:\Documents and Settings\ryan\Application Data\Microsoft
2006-10-06 20:56 9584 --a------ C:\WINDOWS\system32\LMImirr2.dll
2006-10-06 20:56 23024 --a------ C:\WINDOWS\system32\LMImirr.dll
2006-10-06 20:56 11504 --a------ C:\WINDOWS\system32\LMIinit.dll
2006-10-04 22:41 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-10-04 22:36 611064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-04 22:34 -------- d-------- C:\Program Files\The FilmMachine
2006-10-04 22:33 -------- d-------- C:\Program Files\Common Files\Totem Shared
2006-10-04 22:32 -------- d-------- C:\Program Files\Yahoo!
2006-10-04 22:32 -------- d-------- C:\Program Files\TuneXP
2006-10-04 22:32 -------- d-------- C:\Program Files\Teen Spirit
2006-10-04 22:31 -------- d-------- C:\Program Files\SnapStream Media
2006-10-04 22:30 -------- d-------- C:\Program Files\Golden FTP Server
2006-10-03 23:08 -------- d-------- C:\Program Files\ATI Multimedia
2006-10-02 16:12 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-10-02 14:27 10 --a------ C:\WINDOWS\system32\drivers\tmbi.sys
2006-10-01 23:51 -------- d-------- C:\Program Files\Azureus
2006-10-01 20:31 -------- d-------- C:\Documents and Settings\ryan\Application Data\Azureus
2006-10-01 20:11 720896 --a------ C:\WINDOWS\iun6002.exe
2006-10-01 19:52 -------- d-------- C:\Program Files\CCleaner
2006-09-29 13:48 -------- d-------- C:\Program Files\EA SPORTS
2006-09-28 21:56 -------- d-------- C:\Program Files\iTunes
2006-09-28 21:56 -------- d-------- C:\Program Files\iPod
2006-09-28 21:55 -------- d-------- C:\Program Files\QuickTime
2006-09-28 21:54 -------- d-------- C:\Program Files\Apple Software Update
2006-09-28 12:57 -------- d-------- C:\Program Files\Electronic Arts
2006-09-25 14:59 -------- d-------- C:\Program Files\Hamachi
2006-09-23 13:00 -------- d-------- C:\Program Files\FirefoxPreloader
2006-09-22 15:00 -------- d-------- C:\Program Files\BoontyGames
2006-09-22 14:48 -------- d-------- C:\Program Files\My Downloaded Games
2006-09-20 22:49 -------- d-------- C:\Program Files\UberQuickPF
2006-09-20 22:47 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-09-20 22:47 249856 --------- C:\WINDOWS\Setup1.exe
2006-09-19 23:33 -------- d-------- C:\Program Files\WarRock
2006-09-19 15:32 -------- d-------- C:\Program Files\Raxco
2006-09-19 15:32 -------- d-------- C:\Program Files\Common Files\Raxco
2006-09-18 16:14 -------- d-------- C:\Program Files\EA GAMES
2006-09-18 15:02 -------- d-------- C:\Program Files\EnsignGames
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:41 -------- d-------- C:\Documents and Settings\ryan\Application Data\Avant Browser
2006-09-12 21:39 -------- d-------- C:\Program Files\ESPN
2006-09-12 21:32 -------- d-------- C:\Program Files\iArt
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-12 13:51 -------- d-------- C:\Documents and Settings\ryan\Application Data\teamspeak2
2006-09-12 12:57 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-10 23:16 -------- d-------- C:\Program Files\Microsoft Community Bar
2006-09-08 14:33 -------- d-------- C:\Program Files\Vstplugins
2006-09-08 14:33 -------- d-------- C:\Program Files\Image-Line
2006-09-06 17:42 -------- d-------- C:\Program Files\Microsoft
2006-09-06 17:16 -------- d-------- C:\Program Files\Microsoft Virtual PC
2006-09-06 00:28 -------- d-------- C:\Program Files\Music Alarm Clock
2006-09-05 19:17 -------- d-------- C:\Program Files\Aldo's Pianito
2006-09-05 19:03 -------- d-------- C:\Documents and Settings\ryan\Application Data\NetMedia Providers
2006-09-05 18:44 -------- d-------- C:\Documents and Settings\ryan\Application Data\REAPER
2006-09-01 16:44 -------- d-------- C:\Program Files\AIM
2006-09-01 16:43 -------- d-------- C:\Program Files\AOD
2006-09-01 14:14 -------- d-------- C:\Program Files\Acoustica Beatcraft
2006-09-01 14:13 -------- d-------- C:\Program Files\Acoustica Shared Effects
2006-08-30 18:52 -------- d-------- C:\Documents and Settings\ryan\Application Data\Sony
2006-08-30 18:22 -------- d-------- C:\Documents and Settings\ryan\Application Data\Publish Providers
2006-08-30 18:20 -------- d-------- C:\Program Files\Sony
2006-08-29 21:09 -------- d-------- C:\Program Files\REAPER
2006-08-28 21:48 -------- d-------- C:\Program Files\AWS
2006-08-28 21:44 -------- d-------- C:\Program Files\Common Files\AOL
2006-08-28 14:40 -------- d-------- C:\Program Files\Ratajik Software
2006-08-26 18:46 -------- d-------- C:\Documents and Settings\ryan\Application Data\Aim
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 12:17 -------- d-------- C:\Program Files\SurfOffline
2006-08-22 17:15 -------- d-------- C:\Program Files\CopyPod
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-11 17:04 13032 --a------ C:\WINDOWS\system32\LMIport.dll
2006-08-01 16:48 7920 --a------ C:\WINDOWS\system32\ractrlkeyhook.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 13:29 4 --a------ C:\WINDOWS\info147.sys
2006-07-10 01:35 870 --a------ C:\Documents and Settings\ryan\Application Data\AdobeDLM.log
2006-07-10 01:35 0 --a------ C:\Documents and Settings\ryan\Application Data\dm.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"GoldenFTPserver"="\"C:\\Program Files\\Golden FTP Server\\gftp.exe\""
"Steam"=""
"Aim6"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"EnGraph QuickTimeKiller"="C:\\Program Files\\EnGraph\\QuickTimeKiller\\QuickTimeKiller.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"avast!"="\"C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-10-18 14:37:35.84
ComboFix.txt
combofix2.txt

#14
rcola313 (Member, Topic Starter, 13 posts)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 18, 2006 7:02:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/10/2006
Kaspersky Anti-Virus database records: 232843
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 111561
Number of viruses found: 5
Number of infected objects: 26 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:53:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ryan\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ryan\Local Settings\History\History.IE5\MSHist012006101820061019\index.dat Object is locked skipped
C:\Documents and Settings\ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ryan\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ryan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-10-18.14-23-49.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe RarSFX: infected - 2 skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-557.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-557.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP231\A0079353.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP231\A0079373.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP231\A0079379.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP232\A0079460.exe Infected: Trojan.Win32.VB.atp skipped
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP232\A0079461.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{60203F8D-15D2-47BA-81A9-A53CF359A235}\RP235\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe RarSFX: infected - 4 skipped
C:\WINDOWS\justin-new.exe/data0003/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\justin-new.exe/data0003/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\justin-new.exe/data0003 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\justin-new.exe NSIS: infected - 3 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\LMIinit.dll.000.bak Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\traffic_solution_new.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\traffic_solution_new.exe/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\traffic_solution_new.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_738.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_audioscrobbler.log Object is locked skipped

Scan process completed.

#15
Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Delete these files and folders in bold. If you have any trouble deleting, try again in safe mode.

C:\WINDOWS\comm32nr.dll
C:\WINDOWS\system32\kbb7c6c3.sys
C:\WINDOWS\hancerdoem.exe
C:\WINDOWS\justin-new.exe
C:\WINDOWS\system32\justin.exe
C:\WINDOWS\system32\traffic_solution_new.exe
C:\WINDOWS\system32\nswA.dll
C:\WINDOWS\system32\drivers\tmbi.sys

C:\Program Files\em
C:\Program Files\Common Files\Totem Shared
C:\Program Files\BoontyGames

Do you have any problems left now?

Edited by Armodeluxe, 19 October 2006 - 06:30 AM.
