Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

WinAntiVirusPro and other pop-up problems, with Firefox and IE

Started by nbeachbum222 , Oct 29 2006 11:40 AM

This topic is locked

#1
nbeachbum222

Posted 29 October 2006 - 11:40 AM

Member

Member
18 posts

WinAntiVirusPro keeps giving me pop-ups, as well as other random pop-ups (some have to do with adult sites, others are just random). Also a general slowing in computer's performance. I get pop-ups when I am using Firefox and they'll come up in Firefox. But sometimes they'll come up in an Internet Explorer box which is strange. I have ran many Removal programs including XoftSpy, Ad-Aware, Spyware Doctor, Spybot, and Ewido. I have also ran VundoFix. I don't know if i should post a HiJack This log, but here it is any way:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:45 AM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\AOL\1135364079\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Sayer Kanakriyeh\My Documents\My Downloads\VundoFix.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Documents and Settings\Sayer Kanakriyeh\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
Flrman1

Posted 29 October 2006 - 12:27 PM

Malware Assassin

Retired Staff
6,596 posts

Hi nbeachbum222

Welcome to GTG! :whistling:

* Click here to download VundoFix.exe and save it to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button an save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis, the results from ActiveScan and the contents of the C:\vundofix.txt file.

#3
nbeachbum222

Posted 29 October 2006 - 04:50 PM

Member

Topic Starter
Member
18 posts

When I opened VundoFix I did not recieve an option to check a box saying "Run VundoFix as a task." It went straight to the "Scan for Vundo" step, so I just did that. I ran VundoFix multiple times and it did removes some items. But there were two that were unremovable even after reboot multiple times. C:\WINDOWS\system32\winuqw3.dll & C:\WINDOWS\system32\jkhfc.dll. I tried to remove them manually, but a notice appeared saying that the could not be removed because another program or person was using them. Here is the VundoFix log, ActiveScan, and HiJack This:

VundoFix

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 10:31:31 PM 10/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\ifqyccm.dll
C:\WINDOWS\system32\isnrwye.dll
C:\WINDOWS\system32\krlqwun.dll
C:\WINDOWS\system32\pmnkkkk.dll
C:\WINDOWS\system32\ttvfkcxq.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\yjfxgfbo.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ifqyccm.dll
C:\WINDOWS\system32\ifqyccm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\isnrwye.dll
C:\WINDOWS\system32\isnrwye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\krlqwun.dll
C:\WINDOWS\system32\krlqwun.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkkkk.dll
C:\WINDOWS\system32\pmnkkkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvfkcxq.dll
C:\WINDOWS\system32\ttvfkcxq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yjfxgfbo.dll
C:\WINDOWS\system32\yjfxgfbo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 9:28:03 AM 10/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\swhmpkia.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 10:11:19 AM 10/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\swhmpkia.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 10:34:33 AM 10/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

ActiveScan

Incident Status Location

Virus:Trj/DNSChanger.NF Disinfected Operating system
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\zutn5ed5.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[www.winantivirus.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.go.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Application Data\Mozilla\Firefox\Profiles\casdaykx.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Cookies\sayer kanakriyeh@2o7[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Cookies\sayer kanakriyeh@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Cookies\sayer kanakriyeh@atwola[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Cookies\sayer_kanakriyeh@mediaplex[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Cookies\sayer_kanakriyeh@winantivirus[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\Cookies\[email protected][1].txt
Virus:Trj/DNSChanger.MN Disinfected C:\Documents and Settings\Sayer Kanakriyeh\Local Settings\Temporary Internet Files\Content.IE5\498ZUFW3\L2[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\My Documents\Desktop Stuff\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\My Documents\Desktop Stuff\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sayer Kanakriyeh\My Documents\My Downloads\VirtumundoBeGone.exe[²ƒÇ]
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{340F3D26-0BB0-1033-1028-050520050001}\Activate.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{340F3D26-0BB0-1033-1028-050520050001}\MyToolBar.dll
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{340F3D26-0BB0-1033-1028-050520050001}\Uninst.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{B40F3D26-0BB0-1033-1028-050520050001}\services.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\VSToolbar\VSToolBar.dll
Possible Virus. Not disinfected C:\Program Files\?racle\netdde.exe
Possible Virus. Not disinfected C:\VundoFix Backups\jkhfe.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\pmnkkkk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\swhmpkia.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ttvfkcxq.dll.bad
Virus:Trj/DNSChanger.NF Disinfected C:\VundoFix Backups\winuqw32.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\yjfxgfbo.dll.bad
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx7.dll
Adware:Adware/PornMagPass Not disinfected C:\WINDOWS\system32\ismini.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\jkhfe.dll.vir
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\rhgeqaev.exe
Virus:Trj/DNSChanger.NF Disinfected C:\WINDOWS\system32\winuqw32.dll

HiJack This

Logfile of HijackThis v1.99.1
Scan saved at 2:47:55 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Sayer Kanakriyeh\Desktop\VundoFix.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Sayer Kanakriyeh\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Sayer Kanakriyeh\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4
Flrman1

Posted 29 October 2006 - 05:12 PM

Malware Assassin

Retired Staff
6,596 posts

* Go to Add/Remove programs and uninstall the following:

Anything you see with "OIN" or "by OIN" in the name. It could be something like "Yazzle by OIN". It could even be simply the word "OIN" alone. Look carefully.
Also uninstall "VSToolbar for Internet Explorer" or anything you see with "VSToolbar" in the name.

* Click here to download OiUninstaller.exe and save it to your desktop.

Click on the OiUninstaller.exe then follow the prompts from there.

1. Click here to download The Avenger by Swandog46 and save it to your desktop.

Right click on Avenger.zip and choose "Extract All" extract the avenger.exe file.
Extract it to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) or right clicking it and choosing "Copy":

Files to delete:
C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\components\flx7.dll
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\rhgeqaev.exe

Folders to delete:
C:\Program Files\Common Files\{340F3D26-0BB0-1033-1028-050520050001}
C:\Program Files\Common Files\{B40F3D26-0BB0-1033-1028-050520050001}
C:\Program Files\VSToolbar

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Come back here to this thread. Copy and paste the contents of c:\avenger.txt into your reply along with a fresh HJT log .

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

Edited by Flrman1, 29 October 2006 - 05:12 PM.

#5
nbeachbum222

Posted 29 October 2006 - 05:56 PM

Member

Topic Starter
Member
18 posts

I uninstalled the VSToolbar, but i could not find anything with OIN in it. I ran OiUninstaller. I ran Avenger and copy and pasted it like you said. When the black command box appear it said that some files (I cannot remember what they were) could not be found and then the box went away. The notepad opened up for the log file to be opened, but a notice came up saying that avenger.txt could not be found. When I tried to save the uninstall list in HiJack This, i would click "Save List" and the program would just close with no indications of anything. Here is the HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 3:50:37 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Sayer Kanakriyeh\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6
Flrman1

Posted 29 October 2006 - 08:13 PM

Malware Assassin

Retired Staff
6,596 posts

Please go to Add/Remove programs and uninstall any instances of Hijackthis tht you see. After that, go ahead and delete all Hijack This files or folders you have in your My Documents\My Downloads folder. Now please redownload it like so:

* Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

After redownloading it, try to run the Uninstall Manager like before. Hopefully redownloading it will help the Uninstall Manage work like it should. Here are the directions for the uninstall list again:

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

Edited by Flrman1, 29 October 2006 - 08:14 PM.

#7
nbeachbum222

Posted 29 October 2006 - 08:38 PM

Member

Topic Starter
Member
18 posts

There was still trouble with saving the Uninstall Manager List. I tried re-installing it many times and the problem persists. Is there something that I should look for on the Uninstall Manager list to delete? I have not been receiving any more of those pop-ups or problems that I was having before though. Here is a new HiJackThis log in case still needed:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:49 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\AOL\1135364079\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8
Flrman1

Posted 29 October 2006 - 09:22 PM

Malware Assassin

Retired Staff
6,596 posts

If everything else is ok as you say, the only thing I really wanted to check in add/remove programs is to see if you have any old versions of Java installed. These older versions have unpatched security vulnerabilites that can be exploited by certain types of malware if they are left installed on your system.

* Go to Add/Remove programs uninstall any old versions of Java that are there. The latest version of Java is this:

J2SE Runtime Environment 5.0 Update 9

Do not uninstall that one if it is there.

You may see older versions like these:

Java 2 Runtime Environment Standard Edition v1.3.1_04
J2SE Runtime Environment 5.0 Update 6

Uninstall any old versions that are there.

If you didn't have J2SE Runtime Environment 5.0 Update 9 there, go here and install the latest version.

* If I had you use Killbox to delete any files, go ahead and delete the C:\!Killbox folder then empty the Recycle Bin.

* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

* Go to Windows update and install all "High Priority Updates".

* Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Edited by Flrman1, 29 October 2006 - 09:23 PM.

#9
nbeachbum222

Posted 30 October 2006 - 06:39 PM

Member

Topic Starter
Member
18 posts

I did delete the old versions of Java. I thought that the problem was finished, but there are still some pop-ups. The WinAntiVirusPro stuff is gone, but there are dialogue boxes coming up that say stuff like "you have visisted adult sites, click here to scan your system," the only button to click is "OK." They are not the fake diologue boxes that are just in a browser window, they are actual notice windows. I did install Spyware Guard, and Spyware Blaster. I ran some anti-spyware programs: Xoftspy, Ewido, Spyware Doctor, and Spybot. Some of the results came up with some trojan stuff, and some stuff having to do with WinAntiVirusPro, but everything that appeared in the scans were removed with no issues. This is not a new problem, it was occuring while the WinAntiVirusPro stuff was happening.

#10
nbeachbum222

Posted 30 October 2006 - 07:42 PM

Member

Topic Starter
Member
18 posts

Another thing (more details about continuing pop-ups) here is one of the URLs of a pop-up:

http://www.pays2shop...o...:_&etid=722

What happens is first a new tab will open up in Firefox, and then it will say in the address bar something starting with an IP adress:

http://85.12.25.85........(long stuff continuing, that is do not have an example of)

and once that is displayed in the address bar, it will be redirected to an ad like the first one above.

#11
Flrman1

Posted 30 October 2006 - 08:47 PM

Malware Assassin

Retired Staff
6,596 posts

Post a new Hijack This log please.

Also do this:

* Download WinPFind

Right Click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Dont do anything with it yet!

* Click here for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode

Doubleclick WinPFind.exe

Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
Click "Start Scan"
It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

Go to the WinPFind folder
Locate WinPFind.txt
Attach the WinPFind.txt file to your next post here please. It will be too long to copy and paste.

#12
nbeachbum222

Posted 31 October 2006 - 06:42 PM

Member

Topic Starter
Member
18 posts

I now have a new rogue anti-spyware program sending me advertisements: SystemDoctor 2006. The other pop-ups continue, along with the dialogue boxes about having spyware and stuff like that. Here is a HiJack This log, and the other scan log is attached.

Logfile of HijackThis v1.99.1
Scan saved at 4:38:17 PM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay10...ex/HMAtchmt.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Attached Files

WinPFind.Txt 47.42KB 281 downloads

#13
nbeachbum222

Posted 01 November 2006 - 07:50 PM

Member

Topic Starter
Member
18 posts

A WinAntiVirusPro pop-up did appear again, apparently it wasn't fixed.

#14
Flrman1

Posted 03 November 2006 - 12:22 PM

Malware Assassin

Retired Staff
6,596 posts

I know you have done it before, but I want you to run Vundofix agai.

* Click here to download VundoFix.exe and save it to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

*** Also do this:

* Click here to download the Resolve tool from Sophos (enfalgui.com).

Save it to your desktop.
Doubleclick on the enfalgui.com file to run it.
Click "Accept" to accept the terms and conditions.
Click the "GO" button to begin the scan and removal process.
Your firewall may ask permission for the tool to connect to th internet. Allow it access.
Follow the prompts from there and restart the computer if asked to do so.
When it is finished, it will save a log file to your c drive called resolve.log. Copy and paste that log in your next reply to this thread.

Come back here and post these logs:

A new Hijack This log
Vundofix log (C:\vundofix.txt)
Resolve tool log

Edited by flrman1, 03 November 2006 - 12:23 PM.

#15
nbeachbum222

Posted 03 November 2006 - 05:38 PM

Member

Topic Starter
Member
18 posts

I ran VundoFix, and it deleted some stuff, but there was that same file: C:\WINDOWS\system32\jkhfe.dll, that its said it could not delete. I restarted it several times but it didn't delete it. That file also appears in a SpywareGuard window everytime I start my computer saying that it is trying to change something in Internet Explorer. Here are the logs:

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 10:31:31 PM 10/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\ifqyccm.dll
C:\WINDOWS\system32\isnrwye.dll
C:\WINDOWS\system32\krlqwun.dll
C:\WINDOWS\system32\pmnkkkk.dll
C:\WINDOWS\system32\ttvfkcxq.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\yjfxgfbo.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ifqyccm.dll
C:\WINDOWS\system32\ifqyccm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\isnrwye.dll
C:\WINDOWS\system32\isnrwye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\krlqwun.dll
C:\WINDOWS\system32\krlqwun.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkkkk.dll
C:\WINDOWS\system32\pmnkkkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvfkcxq.dll
C:\WINDOWS\system32\ttvfkcxq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yjfxgfbo.dll
C:\WINDOWS\system32\yjfxgfbo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 9:28:03 AM 10/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\swhmpkia.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 10:11:19 AM 10/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\swhmpkia.dll
C:\WINDOWS\system32\swhmpkia.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 10:34:33 AM 10/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winuqw32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 2:22:44 PM 11/3/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 2:59:32 PM 11/3/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\efhkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for Troj/Enfal

Data Version 1.01

System scan started at 15:32 on 3 November 2006

Checking for Troj/Enfal-A,Troj/Enfal-B in memory

Checking for files affected by Troj/Enfal-A,Troj/Enfal-B

Scanning C:

Could not scan 01_-_Platinum Glenn Miller (Disc 2)_-_Glenn Miller_-_In The Mood.mp3.mcdb

Checking for registry keys affected by Troj/Enfal-A,Troj/Enfal-B

Reset registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

Checking for Troj/Enfal-A,Troj/Enfal-B in memory

Terminating process Explorer.EXE
Process Explorer.EXE successfully terminated

Process Explorer.EXE restarted

System scan finished at 15:36 on 3 November 2006

Processes found : 1
Processes terminated or disinfected : 1
Registry keys affected : 1
Registry keys changed : 1
Files found : 0
Files deleted : 0

Logfile of HijackThis v1.99.1
Scan saved at 3:37:35 PM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Sayer Kanakriyeh\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay10...ex/HMAtchmt.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe