Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan

Started by spiritboy3 , Apr 20 2007 03:52 PM

  • Please log in to reply

#1
spiritboy3
Posted 20 April 2007 - 03:52 PM

spiritboy3

    Member

  • Member
  • PipPipPip
  • 136 posts
yo i have been helped for 2 times but the second time didnt seem to heal completely since one day avg detected a virus pls help im feeling keylogged and stuff well hi jackthis log


Logfile of HijackThis v1.99.1
Scan saved at 4:52:05 PM, on 4/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\V-Gear BEE\VBService.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\?ppPatch\??anregw.exe
C:\Documents and Settings\darren\My Documents\New Folder (2)\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3395F233-65A5-3305-A33D-6AE34BE8AECE} - C:\WINDOWS\System32\tfotprvs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Atro] "C:\WINDOWS\System32\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Yomc] "C:\Program Files\Common Files\?ppPatch\??anregw.exe"
O4 - Startup: BEE Service.lnk = C:\Program Files\V-Gear BEE\VBService.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netm...NMStarter23.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {18676E16-F847-44C3-85BC-6A5CD9E00A8E} (ZemiLauncher Control) - http://www.dragongem...emiLauncher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiritboy3.sp...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148253403894
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.survival....etup/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netm...ce/kdfense8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://star.hangame....anSetup1008.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame...utComponent.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload....Plugin10USA.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://playinfinity..../WindyGSPAx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
  • 0

Advertisements

#2
logreeval
Posted 22 April 2007 - 09:34 PM

logreeval

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,230 posts
Hello and welcome to GeeksToGo!

I am logreeval and will be helping you clean your computer. :whistling:

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

When done post the ComboFix log and a fresh HijackThis log.

logreeval

Edited by logreeval, 22 April 2007 - 09:34 PM.

  • 0

#3
spiritboy3
Posted 23 April 2007 - 04:05 PM

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
combofix txt


"darren" - 07-04-23 16:54:14 Service Pack 1
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\darren\Desktop\"

/wow section - STAGE #3

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\wnscpsv.exe
C:\WINDOWS\hosts
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\PPPATC~1
C:\qoobox\purity\C\WINDOWS\ICROSO~1.NET
C:\qoobox\purity\C\WINDOWS\system32\YMANTE~1
C:\qoobox\purity\C\WINDOWS\system32\YMANTE~1\?ymantec


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\NwSapAgent
-------\LEGACY_CMDSERVICE
-------\LEGACY_NWSAPAGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-14 19:06 60,928 --a------ C:\WINDOWS\system32\tfotprvs.dll
2007-04-14 19:06 2 --a------ C:\WINDOWS\system32\wnscpicomsv32.exe
2007-04-14 19:06 <DIR> d-------- C:\Program Files\Common Files\?ppPatch
2007-04-14 19:04 40,183 ---hs---- C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
2007-03-31 10:57 <DIR> d-------- C:\DOCUME~1\darren\GhostSoul


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-14 22:41 -------- d-------- C:\Program Files\limewire
2007-04-14 19:06 -------- d-------- C:\Program Files\Common Files\?pppatch
2007-02-22 16:02 146944 ---hs---- C:\Program Files\Common Files\yazzle1275oinadmin.exe
2007-02-13 19:46 199455 --a--c--- C:\drsss.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{3395F233-65A5-3305-A33D-6AE34BE8AECE} C:\WINDOWS\System32\tfotprvs.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~2\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Atro"="\"C:\\WINDOWS\\System32\\YMANTE~1\\javaw.exe\" -vt yazb"
"Yomc"="\"C:\\Program Files\\Common Files\\?ppPatch\\??anregw.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~2\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\WINDOWS\System32\ad.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwprovau\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 16:57:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 16:57:51
C:\ComboFix-quarantined-files.txt ... 07-04-23 16:57


combo fix quarantined txt

code]
05-11-06 09:16 734 --a------ C:\Qoobox\Quarantine\C\WINDOWS\hosts.vir
06-03-20 11:22 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnscpsv.exe.vir
07-01-12 15:00 18031 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
07-04-23 16:56 1068 --a--c--- C:\Qoobox\Quarantine\Registry_backups\LEGACY_NWSAPAGENT.reg.cf
07-04-23 16:56 3636 --a--c--- C:\Qoobox\Quarantine\Registry_backups\services_NwSapAgent.reg.cf
07-04-23 16:56 840 --a--c--- C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
07-04-23 16:56 958 --a--c--- C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf


Folder PATH listing for volume d
Volume serial number is 71FAE346 58FC:F290
C:\QOOBOX
+---purity
| \---C
| +---Program Files
| | \---Common Files
| | \---PPPATC~1
| \---WINDOWS
| +---ICROSO~1.NET
| \---system32
| \---YMANTE~1
| \---?ymantec
\---Quarantine
+---C
| +---Program Files
| | \---Outerinfo
| | Terms.rtf.vir
| |
| \---WINDOWS
| | hosts.vir
| |
| \---system32
| wnscpsv.exe.vir
|
\---Registry_backups
LEGACY_CMDSERVICE.reg.cf
LEGACY_NWSAPAGENT.reg.cf
LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
services_NwSapAgent.reg.cf

[/code]


hijack log

Logfile of HijackThis v1.99.1
Scan saved at 5:04:18 PM, on 4/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\?ppPatch\??anregw.exe
C:\Program Files\V-Gear BEE\VBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\darren\My Documents\New Folder (2)\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3395F233-65A5-3305-A33D-6AE34BE8AECE} - C:\WINDOWS\System32\tfotprvs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Atro] "C:\WINDOWS\System32\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Yomc] "C:\Program Files\Common Files\?ppPatch\??anregw.exe"
O4 - Startup: BEE Service.lnk = C:\Program Files\V-Gear BEE\VBService.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netm...NMStarter23.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {18676E16-F847-44C3-85BC-6A5CD9E00A8E} (ZemiLauncher Control) - http://www.dragongem...emiLauncher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiritboy3.sp...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148253403894
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.survival....etup/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netm...ce/kdfense8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://star.hangame....anSetup1008.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame...utComponent.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload....Plugin10USA.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://playinfinity..../WindyGSPAx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe


hey thanks for the advice but y i got my internet explorer icon back weirdd..... i dunno if the virus made it or what imma try it
  • 0

#4
logreeval
Posted 23 April 2007 - 07:23 PM

logreeval

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,230 posts
Hi

What do you mean by got your internet explorer icon back?

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {3395F233-65A5-3305-A33D-6AE34BE8AECE} - C:\WINDOWS\System32\tfotprvs.dll
O4 - HKCU\..\Run: [Atro] "C:\WINDOWS\System32\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Yomc] "C:\Program Files\Common Files\?ppPatch\??anregw.exe"

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files/Folders (if present):

C:\Program Files\Common Files\PppPatch
C:\WINDOWS\System32\YMANTE <== Starts with YMANTE

C:\Program Files\Common Files\yazzle1275oinadmin.exe

After that, Reboot.

==========

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
==========

When done post the SUPERAntispyware log and a fresh HijackThis log.

logreeval
  • 0

#5
spiritboy3
Posted 26 April 2007 - 08:04 PM

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
well i want to ask if that SUper antivirus can be uninstall after the scan i restart then it load rreally slow then i restart and it was slow but then i wait and it loaded kinda for a few minute tell me if i can uninstall or the slow load is normal thanks and i found a file when searching for YMANTE start with a S ok result log


HIJACKTHIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 8:59:37 PM, on 4/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\V-Gear BEE\VBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\darren\My Documents\New Folder (2)\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: BEE Service.lnk = C:\Program Files\V-Gear BEE\VBService.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netm...NMStarter23.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {18676E16-F847-44C3-85BC-6A5CD9E00A8E} (ZemiLauncher Control) - http://www.dragongem...emiLauncher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiritboy3.sp...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148253403894
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.survival....etup/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netm...ce/kdfense8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://star.hangame....anSetup1008.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame...utComponent.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload....Plugin10USA.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://playinfinity..../WindyGSPAx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe


superantispyware log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2007 at 08:40 PM

Application Version : 3.7.1018

Core Rules Database Version : 3225
Trace Rules Database Version: 1236

Scan type : Complete Scan
Total Scan Time : 01:11:10

Memory items scanned : 364
Memory threats detected : 0
Registry items scanned : 4700
Registry threats detected : 90
File items scanned : 25876
File threats detected : 84

Trojan.ZQuest
HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000010}
HKCR\CLSID\{00000000-0000-0000-0000-000000000010}
HKCR\CLSID\{00000000-0000-0000-0000-000000000010}
HKCR\CLSID\{00000000-0000-0000-0000-000000000010}\InProcServer32
HKCR\CLSID\{00000000-0000-0000-0000-000000000010}\InProcServer32#ThreadingModel
C:\WINDOWS\DH.DLL

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL

Browser Hijacker.Passivecow
HKLM\Software\Classes\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\Implemented Categories
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\InprocServer32
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\InprocServer32#ThreadingModel
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\ProgID
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\Programmable
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\TypeLib
HKCR\CLSID\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}\VERSION
C:\WINDOWS\SYSTEM32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.DLL

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\AD.HTML
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Source
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#SubscribedURL
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#FriendlyName
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Flags
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Position
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#CurrentState
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#OriginalStateInfo
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#RestoredStateInfo

Adware.Tracking Cookie
C:\Documents and Settings\darren\Cookies\darren@tacoda[2].txt
C:\Documents and Settings\darren\Cookies\darren@2o7[1].txt
C:\Documents and Settings\darren\Cookies\darren@html[1].txt
C:\Documents and Settings\darren\Cookies\darren@adrevolver[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@trafficmp[1].txt
C:\Documents and Settings\darren\Cookies\darren@doubleclick[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@fastclick[2].txt
C:\Documents and Settings\darren\Cookies\darren@hitbox[2].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@realmedia[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\darren@xiti[1].txt
C:\Documents and Settings\darren\Cookies\darren@dealtime[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\darren@mediaplex[2].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@1071868927[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@adlegend[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@cgi-bin[2].txt
C:\Documents and Settings\darren\Cookies\darren@statcounter[2].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\darren@serving-sys[2].txt
C:\Documents and Settings\darren\Cookies\darren@advertising[1].txt
C:\Documents and Settings\darren\Cookies\darren@adrevolver[2].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@questionmarket[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@tribalfusion[1].txt
C:\Documents and Settings\darren\Cookies\darren@zedo[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\darren@atdmt[2].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\[email protected][1].txt
C:\Documents and Settings\darren\Cookies\darren@ctxtad[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@revsci[2].txt
C:\Documents and Settings\darren\Cookies\darren@adtech[2].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt
C:\Documents and Settings\darren\Cookies\darren@specificclick[1].txt
C:\Documents and Settings\darren\Cookies\[email protected][2].txt

Registry Cleaner Trial
HKCR\CLSID\{205FF73B-CA67-11D5-99DD-444553540013}
HKCR\CLSID\{205FF73B-CA67-11D5-99DD-444553540013}\Implemented Categories
HKCR\CLSID\{205FF73B-CA67-11D5-99DD-444553540013}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{205FF73B-CA67-11D5-99DD-444553540013}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\SoftwareOnline.com

Adware.Mirar/NetNucleus
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid32
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib#Version
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\MIRAR.EXE

Trojan.Malware
C:\asdf.txt

Adware.IEPlugin
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\dsktb
HKCR\Remove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Toolbar - Intelligent Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Toolbar - Intelligent Explorer#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Toolbar - Intelligent Explorer#UninstallString
C:\WINDOWS\isp.ico
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\IEUNST.EXE

Trojan.WinBo32/Enhance
HKU\S-1-5-21-1708537768-688789844-1060284298-1003\Software\System\sysuid

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Documents and Settings\darren\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\darren\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\darren\Start Menu\Programs\Outerinfo

Trojan.Unknown Origin
C:\!KILLBOX\EEEDO.EXE
C:\!KILLBOX\ELOS.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSCPSV.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{31813D1B-398A-489D-A925-93DDC02C06CF}\RP387\A0173805.EXE
C:\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE
C:\WINDOWS\TEMPF.TXT
C:\WINDOWS\UNINST2.HTM
C:\WINDOWS\UNIST1.HTM

Adware.webHancer
C:\!KILLBOX\WHCC-GIANT.EXE

Trojan.Downloader-PMTLauncher
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\CV3WANV28.EXE

Adware.NicTech Networks
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\E8JM0I11E8.DLL
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\SUSINV.DLL

Adware.WebNexus
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\GETNEXUS.EXE

Trojan.NewDotNet
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\NDNUNINSTALL7_22.EXE

Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\W9SEQ.DLL
C:\DOCUMENTS AND SETTINGS\DARREN\MY DOCUMENTS\NEW FOLDER (2)\BACKUPS\BACKUP-20070424-165952-252.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{31813D1B-398A-489D-A925-93DDC02C06CF}\RP388\A0173851.DLL

Adware.BookedSpace
C:\DOCUMENTS AND SETTINGS\DARREN\DOCTORWEB\QUARANTINE\WNQFQEFL.DLL

Adware.ClickSpring
C:\Program Files\Common Files\PPPATC~1\ANREGW~1.EXE

Trojan.LoadAdV64
C:\WINDOWS\SYSTEM32\LOADADV64

Adware.SurfSideKick
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\COMMON FILES\VCCLIENT\VCMAIN.EXE
  • 0

#6
logreeval
Posted 26 April 2007 - 10:02 PM

logreeval

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,230 posts
You can uninstall the program.

How is the computer running?

logreeval
  • 0

#7
spiritboy3
Posted 27 April 2007 - 04:02 PM

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
hey well ty for the instruction and stuff, my comp i guess its working good,well ty very much geekstogo rocks well if its finish then just tell me if not then keep going on i guess....

TY VERY MUCH
  • 0

#8
logreeval
Posted 27 April 2007 - 08:17 PM

logreeval

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,230 posts
Congratulations! You are clean :blink:

Now that you are clean of all malware, there are a few steps I need you to complete:

I need you to re-hide files/folders, to do this:
  • Click Start.
  • Click My Computer.
  • Open the Tools menu and click Folder Options.
  • Click the View tab.
  • Under the Hidden files and folders heading UNCHECK Show hidden files and folders.
  • Now, CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Defrag your Hard Drive, to do this:
  • Click Start>> Run>> Type Compmgmt.msc.
  • Click Disk Defragmenter.
  • Click the volume that you want to defragment(Usually C:) and then click Defragment.
Now, you need to clear your restore points. Here is a tutorial on how-to.

The following are some tips to prevent future infection:

Anti-Spyware Scanners are important to have, I recommend you scan at least once every 2 weeks:
AVG Antispyware
A-Squared Antispyware

Real Time Anti-Spyware Programs protect you in Real-Time, not just scan after you infected, they are nice to have to prevent infections:
SpywareGuard
SpywareBlaster
SpywareTerminator

Internet Explorer is not the most secure browser available. I recommend using one of these browsers:
Firefox
Opera
*NOTE*If you keep Internet Explorer, here is a link to tighten up the security of Internet Explorer.

It is important to clear out temporary files, many types of malware hide in the temp, here are some programs to clear out the temp folders:
CCleaner
ATF Cleaner

Windows Update is a very important thing to do. It contains critical security patches for Internet Explorer and Windows.

If you want to read a little bit, you can check this out - Must Read Info!

Congratulations and happy surfing! :whistling:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP