Help! Malware that keeps reinstalling itself [RESOLVED]


#1 migr (Member, 10 posts)

I've gone through the directions that we're all supposed to follow before posting a HijackThis log, but I'm still getting the pop-ups. (Aurora pop-ups.)

The hijackthis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:03 AM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\wuauclt.exe
e:\windows\system32\kttrhy.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\system32\ctfmon.exe
C:\xProgram Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
D:\Program Files\WinZip\WZQKPICK.EXE
c:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00881019-A41A-E030-23A5-CC488036A8A0} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31884441-006E-77C0-1CB4-82AB6075D282} - E:\Program Files\inscdm\tdnqglqiot.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - E:\WINDOWS\system32\nsp4.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\xProgram Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O20 - Winlogon Notify: Hints - E:\WINDOWS\system32\odjsel.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe


Any help would be greatly appreciated!

Edited by migr, 21 June 2005 - 10:10 PM.

#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)

Hello migr and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated, at least one of which is known for its tenacity; please be patient. Let's see what we can do with the first sweep, in which I will deliberately add on the first part of the second fix in order to save time.

Firstly, could you please disable SpySweeper from running during the fix; it may just hinder our attempts to change anything.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
Nail Fix

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

System Startup Service (SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

SvcProc

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Open Ewido Security Suite.
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will now go to the main screen
  • Click on Start
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00881019-A41A-E030-23A5-CC488036A8A0} - (no file)
O2 - BHO: (no name) - {31884441-006E-77C0-1CB4-82AB6075D282} - E:\Program Files\inscdm\tdnqglqiot.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - E:\WINDOWS\system32\nsp4.dll (file missing)
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O20 - Winlogon Notify: Hints - E:\WINDOWS\system32\odjsel.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

E:\WINDOWS\system32\rukmma.exe
e:\windows\system32\kttrhy.exe
E:\WINDOWS\Nail.exe
E:\WINDOWS\system32\odjsel.dll
E:\WINDOWS\svcproc.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Reboot normally.

Post back a fresh HijackThis log and I will take another look.

Additional part follows since I am fairly certain of the infection:

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


You should be posting back 3 logs: Ewido, HJT and L2M.
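Added example, not code from this thread and not part of HijackThis, Killbox or any other tool named above: a small Python script that applies the triage rules the reply above applies by eye to the posted log (an F2 Shell= line that loads something besides Explorer.exe, O2 BHOs whose DLL is gone, O15 Trusted Zone entries, O20 Winlogon Notify DLLs, O23 services with no owner, and O4 items launched from the Windows directory or a Temp folder), then extracts the on-disk files those entries point at, which is the list one would paste into a delete-on-reboot tool. The allowlist KNOWN_WINDIR_EXES and the rule choices are my assumptions; the sample lines are copied from the logs posted in this thread, with a few known-good entries from the same logs mixed in so the rules have something to leave alone.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis logs posted in this thread,
# plus known-good entries from the same logs that should not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00881019-A41A-E030-23A5-CC488036A8A0} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - E:\WINDOWS\system32\nsp4.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Zstart.lnk = E:\Documents and Settings\Miriam\Local Settings\Temp\zxinst12.exe
O15 - Trusted Zone: *.media-motor.net
O20 - Winlogon Notify: Hints - E:\WINDOWS\system32\odjsel.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe
"""


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis entry, stripped
    reason: str  # which rule fired


# Assumed allowlist: executables that legitimately run from %WINDIR% on this
# machine. Any other O4 entry launched from there is worth a look.
KNOWN_WINDIR_EXES = {"ctfmon.exe", "cthelper.exe", "updreg.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
WINDIR_EXE_RE = re.compile(r'[a-z]:\\windows\\(?:system32\\)?([^\\\s"]+\.exe)', re.I)
TEMP_DIR_RE = re.compile(r"\\local settings\\temp\\", re.I)
# First drive-letter path ending in .exe/.dll, followed by whitespace or end of line.
ABS_PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll))(?=\s|$)", re.I)


def triage_line(line: str):
    """Return a Finding for one HijackThis entry, or None if nothing stands out."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, rest = m.groups()
    if code == "F2" and "Shell=" in rest:
        shell = rest.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding(line, "F2: Shell= loads more than Explorer.exe")
    if code == "O2" and ("(no file)" in rest or "(file missing)" in rest):
        return Finding(line, "O2: BHO is registered but its DLL is gone")
    if code == "O15":
        return Finding(line, "O15: Trusted Zone entry relaxes IE security for that domain")
    if code == "O20":
        return Finding(line, "O20: Winlogon Notify DLL loads at every logon; verify it")
    if code == "O23" and "Unknown owner" in rest:
        return Finding(line, "O23: service with no publisher information")
    if code == "O4":
        if TEMP_DIR_RE.search(rest):
            return Finding(line, "O4: startup item runs from a Temp directory")
        wm = WINDIR_EXE_RE.search(rest)
        if wm and wm.group(1).lower() not in KNOWN_WINDIR_EXES:
            return Finding(line, "O4: unrecognised executable under the Windows directory")
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def files_to_remove(findings) -> list:
    """Absolute .exe/.dll paths referenced by flagged entries: the list you would
    hand to a delete-on-reboot tool. Entries whose file is already missing are
    skipped, since there is nothing on disk to delete for them."""
    paths = set()
    for f in findings:
        if "(no file)" in f.line or "(file missing)" in f.line:
            continue
        m = ABS_PATH_RE.search(f.line)
        if m:
            paths.add(m.group(1))
    return sorted(paths)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print("\nFiles to delete on reboot:")
    for p in files_to_remove(found):
        print("   ", p)
```

The O15 and O20 rules flag every entry of their kind because both are rare on a clean home machine; on a machine that legitimately has intranet sites in the Trusted Zone or a vendor's logon DLL, you would add an allowlist for those the same way KNOWN_WINDIR_EXES covers the O4 rule. Orphaned O2 entries are reported so they can be cleaned up in HijackThis, but they contribute nothing to the delete list because their files are already gone.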

#3 migr (Topic Starter, Member, 10 posts)

It's taken me all day to run these programs; I think that's because my computer is fairly old, and therefore slow. The results:

Ewido Report: (I had to cancel the first run, because it seemed to have gotten stuck, so I'm including the results from both the first (fairly short) and second (very, very long) run.)

1.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:52:24 PM, 6/22/2005
+ Report-Checksum: 702B6BFC

+ Date of database: 6/22/2005
+ Version of scan engine: v3.0

+ Duration: 67 min
+ Scanned Files: 32289
+ Speed: 7.95 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\WINDOWS\Cookies\win98@exit.txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

2.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:51:44 PM, 6/22/2005
+ Report-Checksum: 15ED5019

+ Date of database: 6/22/2005
+ Version of scan engine: v3.0

+ Duration: 269 min
+ Scanned Files: 236266
+ Speed: 14.61 Files/Second
+ Infected files: 18
+ Removed files: 15
+ Files put in quarantine: 15
+ Files that could not be opened: 0
+ Files that could not be cleaned: 3

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
D:\
E:\
C:\ palmtemp
C:\$VAULT$.AVG
C:\audiograbber
C:\BODY6
C:\campdocs
C:\copymydocs
C:\Creative
C:\diamonddriverxp1
C:\Documents and Settings
C:\e477b25842f8352db2af542268
C:\FOUND.000
C:\FOUND.001
C:\HijackThis
C:\ichat
C:\KA
C:\KA
C:\Math2000
C:\Media
C:\MemoryMagic
C:\MPS
C:\msdownld.tmp
C:\My Documents
C:\neww98
C:\POP3.CD
C:\Program Files
C:\Recorded Calls
C:\Savage2Kxp2
C:\temp
C:\THINKFST
C:\Training
C:\unzipped
C:\w2003Iso
C:\Win2003Image
C:\WINDOWS
C:\Windows Update Setup Files
C:\WRITEPRO
C:\xProgram Files
C:\3-079-03[1].zip
C:\AVG7QT.DAT
C:\AVG7QT.DAT
C:\avglog.err
C:\BOOTLOG.TXT
C:\BOOTLOG.PRV
C:\CONFIG.SYS
C:\ffastun.ffo
C:\FRUNLOG.TXT
C:\mindmankey.txt
C:\orderlink.txt
C:\PDOXUSRS.NET
C:\pop3.log
C:\SB_usb_log.txt
C:\SCANDISK.LOG
C:\SETUPXLG.TXT
C:\testfile
C:\thinkfastkey.txt
C:\THNKFST.EXE
C:\upd4520.exe
C:\vxsystem.dat
C:\winzip.log
C:\writepro.PIF
C:\WRITEPRO.BAT

+ Scan result:
D:\Documents and Settings\Administrator\Cookies\administrator@3422958[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Administrator\Cookies\administrator@buy.rpts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Administrator\Cookies\administrator@html[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\Miriam\Local Settings\Temp\Cookies\miriam@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
E:\Documents and Settings\Miriam\Local Settings\Temp\Cookies\miriam@fastclick[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
E:\Documents and Settings\Miriam\Local Settings\Temp\Cookies\miriam@zedo[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
E:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
E:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
E:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
E:\WINDOWS\Downloaded Program Files\pcs_0016.exe -> Spyware.Pacer.b -> Cleaned with backup
E:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
E:\WINDOWS\shop1004.exe -> Spyware.Sahat.m -> Cleaned with backup
E:\WINDOWS\system32\aoc8soet.exe -> Spyware.SAHA -> Cleaned with backup
E:\WINDOWS\system32\hstceih.exe -> Spyware.BetterInternet -> Cleaned with backup
E:\WINDOWS\system32\nsx10.dll -> Spyware.HotSearchBar -> Cleaned with backup
E:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
E:\WINDOWS\tutwycatmg.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End

Okay, now for the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:33:47 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Cas\Client\casclient.exe
D:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\cmd.exe
E:\WINDOWS\system32\ntvdm.exe
E:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [SpyKiller] E:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "E:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Zeno.lnk = E:\WINDOWS\system32\ssysrwd8.exe
O4 - Startup: Zstart.lnk = E:\Documents and Settings\Miriam\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

And now for the l2m log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{96519E44-CDA3-74A5-79F2-8202545CA35B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}"=""
"{7CD61C47-1117-4591-A56B-CB0979D1F74F}"=""
"{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}"=""
"{A48FAD27-0366-4208-A97E-FDCC1AF9468F}"=""
"{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}"=""
"{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}"=""
"{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}"=""
"{ECCDC182-06B0-40CE-90B7-85E925C84118}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}]
@=""
"IDEx"="ST004"

[HKEY_CLASSES_ROOT\CLSID\{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}\InprocServer32]
@="E:\\WINDOWS\\system32\\apvpack.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7CD61C47-1117-4591-A56B-CB0979D1F74F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CD61C47-1117-4591-A56B-CB0979D1F74F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CD61C47-1117-4591-A56B-CB0979D1F74F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CD61C47-1117-4591-A56B-CB0979D1F74F}\InprocServer32]
@="E:\\WINDOWS\\system32\\ihcvid.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}\InprocServer32]
@="E:\\WINDOWS\\system32\\dtvvox.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A48FAD27-0366-4208-A97E-FDCC1AF9468F}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{A48FAD27-0366-4208-A97E-FDCC1AF9468F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A48FAD27-0366-4208-A97E-FDCC1AF9468F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A48FAD27-0366-4208-A97E-FDCC1AF9468F}\InprocServer32]
@="E:\\WINDOWS\\system32\\rXstls.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}\InprocServer32]
@="E:\\WINDOWS\\system32\\ifakeng.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}\InprocServer32]
@="E:\\WINDOWS\\system32\\ibetcomm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}\InprocServer32]
@="E:\\WINDOWS\\system32\\smclogon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ECCDC182-06B0-40CE-90B7-85E925C84118}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ECCDC182-06B0-40CE-90B7-85E925C84118}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ECCDC182-06B0-40CE-90B7-85E925C84118}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ECCDC182-06B0-40CE-90B7-85E925C84118}\InprocServer32]
@="E:\\WINDOWS\\system32\\dxsapi.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

E:\WINDOWS\SYSTEM32\
apvpack.dll Tue Jun 21 2005 2:22:54p ..S.R 417,792 408.00 K
browseui.dll Mon May 2 2005 4:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 4:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
dndim700.dll Tue Jun 21 2005 9:27:08p ..S.R 417,792 408.00 K
dtvvox.dll Tue Jun 21 2005 5:00:28p ..S.R 417,792 408.00 K
dxsapi.dll Wed Jun 22 2005 10:52:16a ..S.R 417,792 408.00 K
ftst30.dll Tue Jun 21 2005 8:56:08p ..S.R 417,792 408.00 K
hhsetup.dll Thu May 26 2005 10:04:28p A.... 41,472 40.50 K
ibetcomm.dll Tue Jun 21 2005 11:16:38p ..S.R 417,792 408.00 K
iepeers.dll Mon May 2 2005 4:52:34p A.... 250,880 245.00 K
ifakeng.dll Wed Jun 22 2005 1:09:44a ..S.R 417,792 408.00 K
ihcvid.dll Tue Jun 21 2005 4:20:34p ..S.R 417,792 408.00 K
inseng.dll Mon May 2 2005 4:52:34p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 10:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 10:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
kgdinmal.dll Tue Jun 21 2005 8:36:24p ..S.R 417,792 408.00 K
mcrdo20.dll Tue Jun 21 2005 8:51:28p ..S.R 417,792 408.00 K
mgoa.dll Tue Jun 21 2005 6:30:30p ..S.R 417,792 408.00 K
mshtml.dll Mon May 2 2005 4:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 4:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 4:52:36p A.... 146,432 143.00 K
nsl.dll Tue Jun 21 2005 8:37:58p ..S.R 417,792 408.00 K
pngfilt.dll Mon May 2 2005 4:52:36p A.... 39,424 38.50 K
pxcrt.dll Tue Jun 21 2005 7:17:42p ..S.R 417,792 408.00 K
rceuukc.dll Tue Jun 21 2005 2:26:56p A.... 27,648 27.00 K
rspsnd.dll Tue Jun 21 2005 8:38:56p ..S.R 417,792 408.00 K
rxstls.dll Tue Jun 21 2005 7:11:08p A.... 417,792 408.00 K
shdocvw.dll Mon May 2 2005 4:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 4:52:36p A.... 473,600 462.50 K
smclogon.dll Wed Jun 22 2005 12:00:58a ..S.R 417,792 408.00 K
urlmon.dll Mon May 2 2005 4:52:36p A.... 607,744 593.50 K
uvrnn.dll Tue Jun 21 2005 2:26:56p A.... 9,728 9.50 K
wininet.dll Mon May 2 2005 4:52:36p A.... 657,920 642.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 8:25:36p ..... 15,360 15.00 K

44 items found: 44 files (15 H/S), 0 directories.
Total of file sizes: 20,987,040 bytes 20.01 M
Locate .tmp files:

E:\WINDOWS\SYSTEM32\
guard.tmp Wed Jun 22 2005 11:32:20a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive E is NTFS-XP
Volume Serial Number is 0CB8-D717

Directory of E:\WINDOWS\System32

06/22/2005 11:32 AM 417,792 guard.tmp
06/22/2005 10:52 AM 417,792 dxsapi.dll
06/22/2005 01:09 AM 417,792 ifakeng.dll
06/22/2005 12:00 AM 417,792 smclogon.dll
06/21/2005 11:33 PM <DIR> dllcache
06/21/2005 11:16 PM 417,792 ibetcomm.dll
06/21/2005 09:27 PM 417,792 dNdim700.dll
06/21/2005 08:56 PM 417,792 ftst30.dll
06/21/2005 08:51 PM 417,792 MCRDO20.DLL
06/21/2005 08:38 PM 417,792 rspsnd.dll
06/21/2005 08:37 PM 417,792 nsl.dll
06/21/2005 08:36 PM 417,792 kgdinmal.dll
06/21/2005 07:17 PM 417,792 pxcrt.dll
06/21/2005 06:30 PM 417,792 mgoa.dll
06/21/2005 05:00 PM 417,792 dtvvox.dll
06/21/2005 04:20 PM 417,792 ihcvid.dll
06/21/2005 02:22 PM 417,792 apvpack.dll
09/24/2003 08:14 PM 11,776 Thumbs.db
05/23/2003 06:57 PM <DIR> Microsoft
17 File(s) 6,696,448 bytes
2 Dir(s) 1,183,240,192 bytes free

And that's it! Whew. I know I'm not done yet, though, because I'm still getting popups.... I'm eagerly awaiting your reply and further help. Thank you so much!
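The three listings in the post above (the Shell Extensions\Approved values, the per-CLSID export under "HKEY ROOT CLASSIDS", and the system32 file table) are exactly what L2Mfix correlates to decide which entries to remove. As an added illustration, and not code from this thread, from L2Mfix or from any other tool named here, the Python script below parses constructed excerpts of those three listings, applies the rule the log makes visible (an Approved entry with a blank display name whose InprocServer32 DLL sits in system32), records the file attributes and the size clustering as supporting evidence, and emits a REGEDIT4 removal script in the same shape as the one L2Mfix reports later in the thread. The regex parsing and the blank-name rule are my reading of the log, not L2Mfix's documented logic, and the embedded excerpts are constructed from the page, trimmed to two named handlers and three of the eight blank-named ones.

```python
"""Correlate a Shell Extensions\\Approved export, the HKCR\\CLSID export and a
system32 listing, then emit the REGEDIT4 removal script (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpts, trimmed from the three listings in the post above.
APPROVED_EXPORT = r'''
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}"=""
"{7CD61C47-1117-4591-A56B-CB0979D1F74F}"=""
"{A48FAD27-0366-4208-A97E-FDCC1AF9468F}"=""
'''
CLSID_EXPORT = r'''
[HKEY_CLASSES_ROOT\CLSID\{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}\InprocServer32]
@="E:\\WINDOWS\\system32\\apvpack.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7CD61C47-1117-4591-A56B-CB0979D1F74F}\InprocServer32]
@="E:\\WINDOWS\\system32\\ihcvid.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A48FAD27-0366-4208-A97E-FDCC1AF9468F}\InprocServer32]
@="E:\\WINDOWS\\system32\\rXstls.dll"
"ThreadingModel"="Apartment"
'''
DIR_LISTING = '''
apvpack.dll Tue Jun 21 2005 2:22:54p ..S.R 417,792 408.00 K
browseui.dll Mon May 2 2005 4:52:34p A.... 1,019,904 996.00 K
ihcvid.dll Tue Jun 21 2005 4:20:34p ..S.R 417,792 408.00 K
rxstls.dll Tue Jun 21 2005 7:11:08p A.... 417,792 408.00 K
'''

GUID = r'(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
APPROVED_RE = re.compile(r'^"' + GUID + r'"="(.*)"$', re.M)
INPROC_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\' + GUID
                       + r'\\InprocServer32\]\s*\n@="([^"]*)"', re.M)
# name, anything, 5-char attribute field (e.g. ..S.R or A....), size, human size
LISTING_RE = re.compile(r'^(\S+)\s+.*?\s+([A-Z.]{5})\s+([\d,]+)\s+[\d.]+ [KM]\s*$', re.M)


@dataclass
class Suspect:
    clsid: str
    dll: str
    reasons: list


def parse_approved(text):
    """CLSID -> display name, from the Shell Extensions\\Approved export."""
    return {m.group(1).upper(): m.group(2) for m in APPROVED_RE.finditer(text)}


def parse_inproc(text):
    """CLSID -> un-escaped InprocServer32 DLL path, from the HKCR\\CLSID export."""
    return {m.group(1).upper(): m.group(2).replace('\\\\', '\\')
            for m in INPROC_RE.finditer(text)}


def parse_listing(text):
    """Lower-cased file name -> (attribute flags, size in bytes)."""
    return {m.group(1).lower(): (m.group(2), int(m.group(3).replace(',', '')))
            for m in LISTING_RE.finditer(text)}


def find_suspects(approved, inproc, listing):
    """Rule read off the L2Mfix log (an assumption, not its documented logic):
    a blank-named Approved entry whose server DLL lives in system32 is a
    candidate; attributes and size clustering are recorded as evidence."""
    size_count = Counter(size for _, size in listing.values())
    found = []
    for clsid, name in approved.items():
        if name.strip():
            continue  # named handlers (WinZip, AVG7, ...) are left alone
        path = inproc.get(clsid)
        if path is None or '\\system32\\' not in path.lower():
            continue
        base = path.rsplit('\\', 1)[-1].lower()
        reasons = ['blank display name in Approved']
        if base in listing:
            attrs, size = listing[base]
            if 'S' in attrs and 'R' in attrs:
                reasons.append('system+read-only attributes')
            if size_count[size] > 1:
                reasons.append(f'size {size:,} shared by {size_count[size]} files')
        else:
            reasons.append('DLL absent from listing')
        found.append(Suspect(clsid, path, reasons))
    return found


def removal_reg(suspects):
    """Emit a REGEDIT4 script in the same shape as the one L2Mfix reports."""
    approved_key = ('[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\'
                    'CurrentVersion\\Shell Extensions\\Approved]')
    lines = ['REGEDIT4', '', approved_key]
    lines += [f'"{s.clsid}"=-' for s in suspects]
    lines += [f'[-HKEY_CLASSES_ROOT\\CLSID\\{s.clsid}]' for s in suspects]
    return '\n'.join(lines) + '\n'


def analyze(approved_text=APPROVED_EXPORT, clsid_text=CLSID_EXPORT,
            listing_text=DIR_LISTING):
    """Run the whole correlation and return (suspects, removal script)."""
    suspects = find_suspects(parse_approved(approved_text),
                             parse_inproc(clsid_text),
                             parse_listing(listing_text))
    return suspects, removal_reg(suspects)


if __name__ == '__main__':
    found, reg = analyze()
    for s in found:
        print(f'{s.clsid} -> {s.dll}: {"; ".join(s.reasons)}')
    print(reg)
```

Note that rXstls.dll is flagged on the blank name and the shared 417,792-byte size alone; its attribute field in the listing is A...., so an attribute-only rule would have missed it, which is why the size cluster is worth recording.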

#4 Crustyoldbloke (Retired Staff)
Hello again Miriam

Yes, the pop-ups will soon be gone though.

The VX2 infection on your PC is confirmed.

Close any programmes you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and I'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Firstly, could you please disable SpyKiller from running during the fix; it may just hinder our attempts to change anything.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "E:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Zeno.lnk = E:\WINDOWS\system32\ssysrwd8.exe
O4 - Startup: Zstart.lnk = E:\Documents and Settings\Miriam\Local Settings\Temp\zxinst12.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

E:\Program Files\Cas\

Close Windows Explorer.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ssysrwd8.exe
E:\Documents and Settings\Miriam\Local Settings\Temp\zxinst12.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start >My Computer)

You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and the L2M log and I will take another look.

#5 migr (Topic Starter)
I'm probably revealing my ignorance by asking this, but I don't have any programs actually called SpyKiller; the programs I have are SpySweeper, SpyBot, AVG, and Ewido. Which of those, if any, do you want me to disable?

Edited by migr, 22 June 2005 - 05:55 PM.


#6 migr (Topic Starter)
Okay, I think I know why you told me to disable SpyKiller - because it shows up on the HijackThis log - but it doesn't seem to exist anymore on the computer, so maybe it was installed a long time ago and then deleted. It's definitely not running, though, so I decided to go ahead and do the rest of what you said.

L2Mfix 1.03

Running From:
E:\Documents and Settings\Miriam\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

E:\Documents and Settings\Miriam\Desktop\l2mfix
System Rebooted!

Running From:
E:\Documents and Settings\Miriam\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 540 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: E:\WINDOWS\system32\apvpack.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\apvpack.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\dNdim700.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\dNdim700.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\dtvvox.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\dtvvox.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\dxsapi.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\dxsapi.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ftst30.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ftst30.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ibetcomm.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ibetcomm.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ifakeng.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ifakeng.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ihcvid.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\ihcvid.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\kgdinmal.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\kgdinmal.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\MCRDO20.DLL
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\MCRDO20.DLL
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\mgoa.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\mgoa.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\nsl.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\nsl.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\pxcrt.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\pxcrt.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\rspsnd.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\rspsnd.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\rXstls.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\rXstls.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\smclogon.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\smclogon.dll
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: E:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: E:\WINDOWS\system32\apvpack.dll
Successfully Deleted: E:\WINDOWS\system32\apvpack.dll
deleting: E:\WINDOWS\system32\apvpack.dll
Successfully Deleted: E:\WINDOWS\system32\apvpack.dll
deleting: E:\WINDOWS\system32\dNdim700.dll
Successfully Deleted: E:\WINDOWS\system32\dNdim700.dll
deleting: E:\WINDOWS\system32\dNdim700.dll
Successfully Deleted: E:\WINDOWS\system32\dNdim700.dll
deleting: E:\WINDOWS\system32\dtvvox.dll
Successfully Deleted: E:\WINDOWS\system32\dtvvox.dll
deleting: E:\WINDOWS\system32\dtvvox.dll
Successfully Deleted: E:\WINDOWS\system32\dtvvox.dll
deleting: E:\WINDOWS\system32\dxsapi.dll
Successfully Deleted: E:\WINDOWS\system32\dxsapi.dll
deleting: E:\WINDOWS\system32\dxsapi.dll
Successfully Deleted: E:\WINDOWS\system32\dxsapi.dll
deleting: E:\WINDOWS\system32\ftst30.dll
Successfully Deleted: E:\WINDOWS\system32\ftst30.dll
deleting: E:\WINDOWS\system32\ftst30.dll
Successfully Deleted: E:\WINDOWS\system32\ftst30.dll
deleting: E:\WINDOWS\system32\ibetcomm.dll
Successfully Deleted: E:\WINDOWS\system32\ibetcomm.dll
deleting: E:\WINDOWS\system32\ibetcomm.dll
Successfully Deleted: E:\WINDOWS\system32\ibetcomm.dll
deleting: E:\WINDOWS\system32\ifakeng.dll
Successfully Deleted: E:\WINDOWS\system32\ifakeng.dll
deleting: E:\WINDOWS\system32\ifakeng.dll
Successfully Deleted: E:\WINDOWS\system32\ifakeng.dll
deleting: E:\WINDOWS\system32\ihcvid.dll
Successfully Deleted: E:\WINDOWS\system32\ihcvid.dll
deleting: E:\WINDOWS\system32\ihcvid.dll
Successfully Deleted: E:\WINDOWS\system32\ihcvid.dll
deleting: E:\WINDOWS\system32\kgdinmal.dll
Successfully Deleted: E:\WINDOWS\system32\kgdinmal.dll
deleting: E:\WINDOWS\system32\kgdinmal.dll
Successfully Deleted: E:\WINDOWS\system32\kgdinmal.dll
deleting: E:\WINDOWS\system32\MCRDO20.DLL
Successfully Deleted: E:\WINDOWS\system32\MCRDO20.DLL
deleting: E:\WINDOWS\system32\MCRDO20.DLL
Successfully Deleted: E:\WINDOWS\system32\MCRDO20.DLL
deleting: E:\WINDOWS\system32\mgoa.dll
Successfully Deleted: E:\WINDOWS\system32\mgoa.dll
deleting: E:\WINDOWS\system32\mgoa.dll
Successfully Deleted: E:\WINDOWS\system32\mgoa.dll
deleting: E:\WINDOWS\system32\nsl.dll
Successfully Deleted: E:\WINDOWS\system32\nsl.dll
deleting: E:\WINDOWS\system32\nsl.dll
Successfully Deleted: E:\WINDOWS\system32\nsl.dll
deleting: E:\WINDOWS\system32\pxcrt.dll
Successfully Deleted: E:\WINDOWS\system32\pxcrt.dll
deleting: E:\WINDOWS\system32\pxcrt.dll
Successfully Deleted: E:\WINDOWS\system32\pxcrt.dll
deleting: E:\WINDOWS\system32\rspsnd.dll
Successfully Deleted: E:\WINDOWS\system32\rspsnd.dll
deleting: E:\WINDOWS\system32\rspsnd.dll
Successfully Deleted: E:\WINDOWS\system32\rspsnd.dll
deleting: E:\WINDOWS\system32\rXstls.dll
Successfully Deleted: E:\WINDOWS\system32\rXstls.dll
deleting: E:\WINDOWS\system32\rXstls.dll
Successfully Deleted: E:\WINDOWS\system32\rXstls.dll
deleting: E:\WINDOWS\system32\smclogon.dll
Successfully Deleted: E:\WINDOWS\system32\smclogon.dll
deleting: E:\WINDOWS\system32\smclogon.dll
Successfully Deleted: E:\WINDOWS\system32\smclogon.dll
deleting: E:\WINDOWS\system32\guard.tmp
Successfully Deleted: E:\WINDOWS\system32\guard.tmp
deleting: E:\WINDOWS\system32\guard.tmp
Successfully Deleted: E:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: apvpack.dll (140 bytes security) (deflated 48%)
adding: dNdim700.dll (140 bytes security) (deflated 48%)
adding: dtvvox.dll (140 bytes security) (deflated 48%)
adding: dxsapi.dll (140 bytes security) (deflated 48%)
adding: ftst30.dll (140 bytes security) (deflated 48%)
adding: ibetcomm.dll (140 bytes security) (deflated 48%)
adding: ifakeng.dll (140 bytes security) (deflated 48%)
adding: ihcvid.dll (140 bytes security) (deflated 48%)
adding: kgdinmal.dll (140 bytes security) (deflated 48%)
adding: MCRDO20.DLL (140 bytes security) (deflated 48%)
adding: mgoa.dll (140 bytes security) (deflated 48%)
adding: nsl.dll (140 bytes security) (deflated 48%)
adding: pxcrt.dll (140 bytes security) (deflated 48%)
adding: rspsnd.dll (140 bytes security) (deflated 48%)
adding: rXstls.dll (140 bytes security) (deflated 48%)
adding: smclogon.dll (140 bytes security) (deflated 48%)
adding: guard.tmp (140 bytes security) (deflated 48%)
adding: clear.reg (140 bytes security) (deflated 62%)
adding: echo.reg (140 bytes security) (deflated 9%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 87%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 68%)
adding: test.txt (140 bytes security) (deflated 88%)
adding: test2.txt (140 bytes security) (deflated 43%)
adding: test3.txt (140 bytes security) (deflated 43%)
adding: test5.txt (140 bytes security) (deflated 43%)
adding: xfind.txt (140 bytes security) (deflated 85%)
adding: backregs/7CD61C47-1117-4591-A56B-CB0979D1F74F.reg (140 bytes security) (deflated 70%)
adding: backregs/A36AA7AC-53BD-47DE-AEED-7C57FC59F676.reg (140 bytes security) (deflated 70%)
adding: backregs/A48FAD27-0366-4208-A97E-FDCC1AF9468F.reg (140 bytes security) (deflated 69%)
adding: backregs/B807094F-9C1C-4D0D-80DB-0A726D1CEA7B.reg (140 bytes security) (deflated 70%)
adding: backregs/DDC16DE5-7CB2-46C5-9821-4EFE2047A33A.reg (140 bytes security) (deflated 70%)
adding: backregs/E42506FE-2828-4B1E-AEF3-3ED81B3759F3.reg (140 bytes security) (deflated 70%)
adding: backregs/ECCDC182-06B0-40CE-90B7-85E925C84118.reg (140 bytes security) (deflated 70%)
adding: backregs/FB982D26-5AEF-4A5B-9F83-1458B0C350E0.reg (140 bytes security) (deflated 69%)
adding: backregs/shell.reg (140 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: apvpack.dll
deleting local copy: apvpack.dll
deleting local copy: dNdim700.dll
deleting local copy: dNdim700.dll
deleting local copy: dtvvox.dll
deleting local copy: dtvvox.dll
deleting local copy: dxsapi.dll
deleting local copy: dxsapi.dll
deleting local copy: ftst30.dll
deleting local copy: ftst30.dll
deleting local copy: ibetcomm.dll
deleting local copy: ibetcomm.dll
deleting local copy: ifakeng.dll
deleting local copy: ifakeng.dll
deleting local copy: ihcvid.dll
deleting local copy: ihcvid.dll
deleting local copy: kgdinmal.dll
deleting local copy: kgdinmal.dll
deleting local copy: MCRDO20.DLL
deleting local copy: MCRDO20.DLL
deleting local copy: mgoa.dll
deleting local copy: mgoa.dll
deleting local copy: nsl.dll
deleting local copy: nsl.dll
deleting local copy: pxcrt.dll
deleting local copy: pxcrt.dll
deleting local copy: rspsnd.dll
deleting local copy: rspsnd.dll
deleting local copy: rXstls.dll
deleting local copy: rXstls.dll
deleting local copy: smclogon.dll
deleting local copy: smclogon.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
E:\WINDOWS\system32\apvpack.dll
E:\WINDOWS\system32\apvpack.dll
E:\WINDOWS\system32\dNdim700.dll
E:\WINDOWS\system32\dNdim700.dll
E:\WINDOWS\system32\dtvvox.dll
E:\WINDOWS\system32\dtvvox.dll
E:\WINDOWS\system32\dxsapi.dll
E:\WINDOWS\system32\dxsapi.dll
E:\WINDOWS\system32\ftst30.dll
E:\WINDOWS\system32\ftst30.dll
E:\WINDOWS\system32\ibetcomm.dll
E:\WINDOWS\system32\ibetcomm.dll
E:\WINDOWS\system32\ifakeng.dll
E:\WINDOWS\system32\ifakeng.dll
E:\WINDOWS\system32\ihcvid.dll
E:\WINDOWS\system32\ihcvid.dll
E:\WINDOWS\system32\kgdinmal.dll
E:\WINDOWS\system32\kgdinmal.dll
E:\WINDOWS\system32\MCRDO20.DLL
E:\WINDOWS\system32\MCRDO20.DLL
E:\WINDOWS\system32\mgoa.dll
E:\WINDOWS\system32\mgoa.dll
E:\WINDOWS\system32\nsl.dll
E:\WINDOWS\system32\nsl.dll
E:\WINDOWS\system32\pxcrt.dll
E:\WINDOWS\system32\pxcrt.dll
E:\WINDOWS\system32\rspsnd.dll
E:\WINDOWS\system32\rspsnd.dll
E:\WINDOWS\system32\rXstls.dll
E:\WINDOWS\system32\rXstls.dll
E:\WINDOWS\system32\smclogon.dll
E:\WINDOWS\system32\smclogon.dll
E:\WINDOWS\system32\guard.tmp
E:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}"=-
"{7CD61C47-1117-4591-A56B-CB0979D1F74F}"=-
"{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}"=-
"{A48FAD27-0366-4208-A97E-FDCC1AF9468F}"=-
"{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}"=-
"{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}"=-
"{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}"=-
"{ECCDC182-06B0-40CE-90B7-85E925C84118}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FB982D26-5AEF-4A5B-9F83-1458B0C350E0}]
[-HKEY_CLASSES_ROOT\CLSID\{7CD61C47-1117-4591-A56B-CB0979D1F74F}]
[-HKEY_CLASSES_ROOT\CLSID\{E42506FE-2828-4B1E-AEF3-3ED81B3759F3}]
[-HKEY_CLASSES_ROOT\CLSID\{A48FAD27-0366-4208-A97E-FDCC1AF9468F}]
[-HKEY_CLASSES_ROOT\CLSID\{A36AA7AC-53BD-47DE-AEED-7C57FC59F676}]
[-HKEY_CLASSES_ROOT\CLSID\{B807094F-9C1C-4D0D-80DB-0A726D1CEA7B}]
[-HKEY_CLASSES_ROOT\CLSID\{DDC16DE5-7CB2-46C5-9821-4EFE2047A33A}]
[-HKEY_CLASSES_ROOT\CLSID\{ECCDC182-06B0-40CE-90B7-85E925C84118}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

And HijackThis: (By the way, I noticed that "O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run" was still there, so I tried to delete it, but when I restarted my computer, it was back again.)

Logfile of HijackThis v1.99.1
Scan saved at 9:22:32 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncdt.exe
D:\Program Files\WinZip\WZQKPICK.EXE
E:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [SpyKiller] E:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

#7
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Miriam

I was rather hoping that you had VX2 only, but from your description and the evidence I see, you have another one called Narrator, which we’ll deal with now. It is looking a lot better, however. The SpyKiller programme is indeed showing up in your log as a Start-Up procedure; however, it was not there in the first log when I spotted SpySweeper. Since HJT is a snapshot of part of your registry, I have to go with the evidence. We’ll remove the entry this time to see what happens.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [SpyKiller] E:\Program Files\SpyKiller\spykiller.exe /startup

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncdt.exe
E:\WINDOWS\system32\rukmma.exe
E:\Program Files\SpyKiller\spykiller.exe

Close Windows Explorer

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncdt.exe
E:\WINDOWS\system32\rukmma.exe
E:\Program Files\SpyKiller\spykiller.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Reboot normally, and then please check to see if E:\WINDOWS\system32\rukmma.exe has been deleted. If it is still present, then carry out these additional instructions:

Download rkfiles and unzip the contents to a new folder on your desktop.
Download remv3.zip. Make a new folder on the root drive C:\ and unzip the remv3.zip files into it.

Run the CCleaner programme now and log off.

REBOOT TO SAFE MODE. These tools MUST be run in Safe Mode!
Once in safe mode, double-click the rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved the remv3.zip files and double-click the rem.bat file and let it run (please be patient; the window will close when done). It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post, together with a fresh HijackThis log, and I will take another look.

Edited by Crustyoldbloke, 23 June 2005 - 11:38 AM.


#8
migr

    Member

  • Topic Starter
  • Member
  • 10 posts
An interesting thing happened. When I first tried to find the rukmma.exe file, from my user, I couldn't find it - but when I switched over to the Administrator user, I did find it. However, when I tried to delete it, it wouldn't let me, and when I ran it through KillBox as you said I should, upon rebooting, it was back - but again, I could only see it from the admin user, not from mine, even though I double-checked that I had revealed all files. I decided, therefore, to run the programs again from the admin user, just in case that would make a difference, but the log files were exactly identical.

Part One:

E:\Documents and Settings\Miriam\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
E:\WINDOWS\system32\PSof1.exe: UPX!
E:\WINDOWS\system32\ugdzvyr.exe: UPX!
E:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

Part Two:

The batch is run from -- C:\remv3

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive E is NTFS-XP
Volume Serial Number is 0CB8-D717

Directory of E:\WINDOWS\system32

msi.dll
Finished

And the hijackthis log (it's still there!):

Logfile of HijackThis v1.99.1
Scan saved at 4:14:11 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe
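The two scans above show the same [KavSvc] Run entry back after it was Fix Checked, with rukmma.exe running again. As an added example that is not code from this thread or from HijackThis, the Python script below parses the O4 lines and the Running processes section of two HijackThis logs and reports which fixed entries came back, which of those have their target executable running (the pattern of a live process restoring its own startup entry), and which were actually removed; the two logs are constructed excerpts modelled on the scans posted above.

```python
"""Diff HijackThis O4 startup entries between two scans.

Added example, not code from the original thread or from HijackThis.
BEFORE_LOG and AFTER_LOG are constructed excerpts, not the full logs.
"""
import ntpath
import re
from dataclasses import dataclass

# Run entries:   O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
# Startup links: O4 - Global Startup: WinZip Quick Pick.lnk = D:\...\WZQKPICK.EXE
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_GLOBAL_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First token ending in an executable extension, quoted or not (paths may contain spaces).
TARGET_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif))"?(?=\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class StartupEntry:
    scope: str    # "machine": HKLM Run / Global Startup, seen by every user; "user": HKCU Run
    name: str     # Run value name or .lnk name, e.g. "KavSvc"
    target: str   # launched executable, lower-cased, arguments stripped


def target_of(cmd):
    """Extract the executable path from an O4 command line, dropping quotes and arguments."""
    m = TARGET_RE.match(cmd.strip())
    return (m.group("path") if m else cmd.strip()).lower()


def parse_log(text):
    """Return (set of StartupEntry, set of running-process basenames) for one log."""
    entries, running, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:                       # the section lists one full path per line
                running.add(ntpath.basename(line).lower())
                continue
            in_procs = False               # a blank line ends the section
        m = O4_RUN_RE.match(line)
        if m:
            scope = "user" if m.group("hive") == "HKCU" else "machine"
            entries.add(StartupEntry(scope, m.group("name"), target_of(m.group("cmd"))))
            continue
        m = O4_GLOBAL_RE.match(line)
        if m:
            entries.add(StartupEntry("machine", m.group("name"), target_of(m.group("cmd"))))
    return entries, running


def came_back(before, after, fixed_names):
    """Entries that were Fix-Checked (by value name) yet are present again in the later scan."""
    return {e for e in after if e.name in fixed_names and e in before}


def running_targets(entries, running):
    """Subset of entries whose target executable also shows up as a running process."""
    return {e for e in entries if ntpath.basename(e.target) in running}


def analyse(before_text, after_text, fixed_names):
    """Compare two scans. A fixed entry that is back *and* running points to a live
    process restoring its own startup entry: stop that process (or delete the file
    at reboot) before the Run value will stay gone."""
    before, _ = parse_log(before_text)
    after, running = parse_log(after_text)
    back = came_back(before, after, fixed_names)
    return {
        "came_back": sorted(e.name for e in back),
        "came_back_and_running": sorted(e.name for e in running_targets(back, running)),
        "removed": sorted(e.name for e in before - after),
    }


# Constructed excerpts modelled on the scans in this thread (not the full logs).
BEFORE_LOG = r"""Running processes:
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [SpyKiller] E:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
"""
AFTER_LOG = r"""Running processes:
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
"""

if __name__ == "__main__":
    print(analyse(BEFORE_LOG, AFTER_LOG, {"KavSvc", "SpyKiller"}))
```

Run against the full logs from two posts, the script prints the entries that survived the fix; for the excerpts above it reports KavSvc as back and running and SpyKiller as removed.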

#9
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Miriam

Thanks for the note about Users. Please carry out all instructions whilst logged on as Administrator, or a user with administrator rights. The new log is exactly as I thought it would be, the Narrator still being present due to other unseen rogue files.

BTW, I will need to see logs from all users, since all have different registries.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

E:\WINDOWS\system32\PSof1.exe
E:\WINDOWS\system32\ugdzvyr.exe
E:\WINDOWS\system32\rukmma.exe

Close Windows Explorer

Please open Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\PSof1.exe
E:\WINDOWS\system32\ugdzvyr.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

Post back a fresh HijackThis log (from each user, make it obvious to me) and I will take another look.

Edited by Crustyoldbloke, 23 June 2005 - 03:07 PM.


#10
migr

    Member

  • Topic Starter
  • Member
  • 10 posts
READ MY NEXT POST FIRST, PLEASE!
(I don't want you to waste any of your time, in case the latest development means what I think it means.)

Something weird happened when I tried to delete the rukmma.exe file. At first when I tried to find it on my user, I couldn't, as mentioned before, but when I looked for it in the Admin user, I found it - but it wouldn't let me delete it. So I looked at the file's properties, and checked to make sure that the admin had the right permissions - and I noticed a way to switch the file's "ownership" - and I saw that it was currently set on my user. So I switched it to the Admin user - and it promptly disappeared! When I went back to my own user, it had suddenly appeared there instead. I switched ownership back to my own user - and it promptly disappeared again, but I was able to now find it again through the Admin user. At this point, I decided to try something else. I used ewido security suite to end its process that was running, as well as to delete it from the list of files that run on startup, and when I tried to delete it again, it deleted - but it reappeared a couple of seconds later. When I deleted it the second time, it didn't reappear, and I went ahead and followed the rest of the steps - but as you can see, it is still appearing in all of the users' hijackthis logs.

Also, in case this is relevant, the pop-ups that have been showing up lately seem to be from something called the "web nexus network" (listed in tiny print at the bottom) and also sometimes have the name "emarketmakers" at the top.

On to the logs:

1. My user (the one that most - or all - of the logs until now have been from):

Logfile of HijackThis v1.99.1
Scan saved at 6:40:12 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

2. The admin user (and just in case this is relevant, this user appears very, very different during a normal startup and a safe mode startup. It has a different name, even a different password, and is missing all of its desktop icons during safe mode startup):

Logfile of HijackThis v1.99.1
Scan saved at 6:42:09 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe
C:\xProgram Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\HijackThis\HijackThis.exe
D:\Program Files\WinZip\WZQKPICK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\xProgram Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

3. Random User - rarely used, almost never used to go on the Internet

Logfile of HijackThis v1.99.1
Scan saved at 6:37:31 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Savings - file://E:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

4. Another random user, this one practically not used at all; it's there for network-related purposes.

Logfile of HijackThis v1.99.1
Scan saved at 6:26:23 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncdt.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Savings - file://E:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

5. And yet another user, also used only for network-related purposes.

Logfile of HijackThis v1.99.1
Scan saved at 6:30:18 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\rukmma.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://E:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

6. Just in case this is relevant, we still have Windows 98 on this computer, with stuff stored on it (its files are accessible from 98 through a link). It's virtually never actually opened up, but just in case, I ran one last hijackthis over there as well:

Logfile of HijackThis v1.99.1
Scan saved at 7:51:18 PM, on 6/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CTHELPER.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\PROGRAM FILES\PINNACLE\DV200\EREGISTER\REMIND32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Pinnacle Systems - miro Family.lnk = C:\Program Files\Pinnacle\DV200\ERegister\Remind32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


Thanks so much for taking the time to do this - especially with all these users to go through now!

Edited by migr, 23 June 2005 - 06:30 PM.


#11
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
It's way past bedtime here. I'll take a closer look tomorrow morning.

#12
migr

    Member

  • Topic Starter
  • Member
  • 10 posts
Good news! I think I've gotten rid of it. I noticed that the popups recently (since getting rid of the other stuff) all had something saying "Web Nexus Network" on the bottom, with a little link saying (in tiny lettering) "uninstall". I decided to take the risk that it was genuine (because it was so unassuming) and clicked it, and it led me to the web-nexus site, and offered an uninstall program. I decided (again) to risk it, because I was getting really fed up with the amount of time it's been taking to get rid of this thing, so I took a deep breath and downloaded and ran the program, then rebooted as told - and when I ran another Hijackthis log, it seems to be clean. But of course, I'm not the expert, so I'm posting it here for you to check over one last time.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:50 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Program Files\WinZip\WZQKPICK.EXE
E:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe


So far, I haven't gotten any pop-ups. What do you think? (If you have time, could you take a quick look at the above logs as well, the ones that I ran for the other users on my computer, to make sure that no one else has anything there that shouldn't be?)

Thanks - and please let me know if my computer's clean. :tazz:

#13
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Miriam

Looking at your latest HJT log for user 1 (yourself), that is a clean log. With regard to the other users, Nos. 2 - 5, the common theme is narrator; ergo, if that is now gone then they should also be clear of that infection. However, User 4 also needs a file deletion. Here is the fix:

USER 4:

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following file, and delete it:

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncdt.exe

Exit Explorer, and reboot as normal afterwards.

Finally, User 6 (Win98) Fix:

Please set your system to show all files; please see here if you're unsure how to do this.

Close all programmes, leaving only HijackThis running. Place a checkmark against the following:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode.

Using Windows Explorer, locate the following file, and delete it:

C:\WINDOWS\web\related.htm

Exit Explorer, and reboot as normal afterwards.

If you can find the time to post fresh logs, I'll find the time to examine them, otherwise I will be happy to advise you on future scanning to prevent re-infection.

#14
migr

    Member

  • Topic Starter
  • Member
  • 10 posts
Thanks so, so much for all your help! I'm so relieved that everything's gone. But just to double-check, here are fresh logs:

From User #4:

Logfile of HijackThis v1.99.1
Scan saved at 10:58:54 AM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Savings - file://E:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\WindowsIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://forums.instit...sie/msichat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe

And from Win98:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:30 AM, on 6/24/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CTHELPER.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\PROGRAM FILES\PINNACLE\DV200\EREGISTER\REMIND32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Pinnacle Systems - miro Family.lnk = C:\Program Files\Pinnacle\DV200\ERegister\Remind32.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


Thanks again! And I'd love to know how I can protect the computer so that something like this doesn't happen again. :tazz:

#15
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Miriam

Of the last two logs, the Win98 log is clean.

User 4 still has one issue (I missed it last time - sorry):

Please set your system to show all files; please see here if you're unsure how to do this.

Close all programmes, leaving only HijackThis running. Place a checkmark against the following:

O8 - Extra context menu item: Web Savings - file://E:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode.

Using Windows Explorer, locate the following folder, and delete it:

E:\Program Files\WebSavingsfromEbates\

Exit Explorer, and reboot as normal afterwards.

Please reply with a log from User 4 and I'll recheck. Hopefully prevention will be my next reply.
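The cross-profile comparison Crustyoldbloke does by eye in #13 and #15 (entries that User 4's log has but the log already judged clean does not, plus the ncdt.exe process started from the All Users Startup folder) can be scripted. This is an added Python example, not code from the thread or from HijackThis; it assumes the HJT v1.99.1 line layout shown in the logs above, and its sample logs are constructed from entries quoted in the thread.

```python
"""Cross-check HijackThis v1.99.1 logs against a profile already judged clean.

Added example, not code from the thread or from HijackThis. It parses the
'Running processes' block and the R/F/N/O entry lines, lists entries a suspect
profile has that the clean baseline lacks, and flags processes started from a
Startup folder (the ncdt.exe case: seen as a process, but not as an O4 line).
The sample logs are constructed from entries quoted in the thread.
"""
import re

# An HJT entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [KavSvc] ...".
HJT_LINE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# An image under a Startup folder autostarts with no Run key to show for it.
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"

# Constructed baseline: a subset of the User 1 log the helper called clean.
CLEAN_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
"""

# Constructed suspect: a subset of the User 4 log from the earlier post.
USER4_LOG = r"""
Running processes:
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncdt.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Savings - file://E:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
"""


def parse_hjt(text):
    """Split a log into (running_processes, [(section, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        match = HJT_LINE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _key(section, body):
    # Case-insensitive and whitespace-normalised: HJT prints the same path with
    # varying case across profiles (Explorer.exe vs Explorer.EXE).
    return section, " ".join(body.lower().split())


def new_entries(baseline_text, suspect_text):
    """Entries in the suspect log with no counterpart in the baseline. HKCU
    entries legitimately differ between profiles, so treat the result as a
    list for human review, not a verdict."""
    known = {_key(s, b) for s, b in parse_hjt(baseline_text)[1]}
    return [(s, b) for s, b in parse_hjt(suspect_text)[1] if _key(s, b) not in known]


def startup_folder_processes(text):
    """Running processes whose image lives in a Startup folder."""
    return [p for p in parse_hjt(text)[0] if STARTUP_FOLDER_MARKER in p.lower()]


def review(baseline_text, suspect_text):
    """Findings in log order: new entries first, then Startup-folder processes."""
    findings = [f"{s} - {b}" for s, b in new_entries(baseline_text, suspect_text)]
    findings += [f"process from Startup folder: {p}" for p in startup_folder_processes(suspect_text)]
    return findings


if __name__ == "__main__":
    for finding in review(CLEAN_LOG, USER4_LOG):
        print(finding)
```

Run against the two constructed logs it reports exactly the three items the helper asked to have removed: the KavSvc Run entry, the Web Savings O8 entry and the ncdt.exe Startup-folder process.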