Hijackthis Log: Please Help Diagnose

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Hijackthis Log: Please Help Diagnose

Options

Tareeq View Member Profile	Nov 4 2006, 08:06 PM Post #1
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	helo plz help me Logfile of HijackThis v1.99.1 Scan saved at 8:57:55 AM, on 11/5/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\ATKKBService.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Athan\Athan.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\LClock\LClock.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Free Download Manager\fdm.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Grisoft\AVG7\avgw.exe C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe" O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [lkz11609] "RUNDLL32.EXE" w3d3f388.dll,n 006116030000000a3d3f388 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing) O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

Buckeye_Sam View Member Profile	Nov 4 2006, 11:27 PM Post #2
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please download AVG Anti-Spyware and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run ewido and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close AVG Anti-Spyware. Do not run a scan just yet. We will shortly. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. Clean out your Temporary Internet files. Internet Explorer Close Internet Explorer and close any instances of Windows Explorer. Click Start -> Control Panel and then double-click Internet Options. On the General tab, click Delete Files under Temporary Internet Files. In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK. On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK. Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK. Click OK. Firefox (In case you also have Firefox installed) Open Firefox and go to Tools -> Options. Click Privacy in the menu on the left side of the Options window. Click the Clear button located to the right of each option (History, Cookies, Cache). Click OK to close the Options window. Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information. IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode. Post the results of the AVG Anti-Spyware scan report along with a new hijackthis log. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Tareeq View Member Profile	Nov 5 2006, 05:50 AM Post #3
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	thank you so much for replying in a short period, appreciate it. i've done what you've suggested and im going to post the results, so far it looks good, i mean i dont hear that continous sound of pop-ups being blocked. --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 6:30:41 PM 11/5/2006 + Scan result: C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP60\A0008866.exe -> Adware.AdURL : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP62\A0009068.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\Program Files\Deskbar -> Adware.Softomate : Cleaned with backup (quarantined). C:\Program Files\Deskbar\inst.bat -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010086.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP65\A0010156.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP65\A0010157.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010167.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010168.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010249.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP70\A0011374.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP70\A0011375.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011428.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011491.dll -> Adware.Softomate : Cleaned with backup (quarantined). HKU\S-1-5-21-1060284298-963894560-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010093.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010094.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010095.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010096.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010170.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\mc44a47.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\mc44a48.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010171.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010172.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011466.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011474.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011467.exe -> Downloader.Adload.hp : Cleaned with backup (quarantined). C:\nwnmff_e43.exe -> Downloader.Adload.hp : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP61\A0008908.exe -> Downloader.Adload.hr : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010021.exe -> Downloader.Adload.hr : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010085.exe -> Downloader.Adload.hr : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011421.exe -> Downloader.Adload.ht : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\7zOF6.tmp\WarezP2P.exe -> Downloader.Small : Cleaned with backup (quarantined). D:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP16\A0006088.exe -> Downloader.Small : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\89MZ81YZ\xpl[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[6].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\89MZ81YZ\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LI7S9EN\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXEZ01IF\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXEZ01IF\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\DG0ZL501\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\F79NNPOK\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\GV8LXNSI\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\GV8LXNSI\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KNJRY8HX\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KNJRY8HX\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KNJRY8HX\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\M5QFUPUL\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\M5QFUPUL\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\M5QFUPUL\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHQ7SH67\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\S1IX87E1\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UA7ACHKL\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZIDP13I\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined). C:\Program Files\MSN\woqyni.html -> Hijacker.Small.jf : Cleaned with backup (quarantined). C:\Program Files\Messenger\zyse.html -> Hijacker.Small.jf : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011475.exe -> Hijacker.VB.kc : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011477.exe -> Hijacker.VB.kc : Cleaned with backup (quarantined). :mozilla.92:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tgn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned. :mozilla.60:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned. :mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned. :mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned. :mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned. :mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned. :mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Com : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned. :mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.102:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.103:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. :mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Revenue : Cleaned. :mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Revenue : Cleaned. :mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Revenue : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@revenue[1].txt -> TrackingCookie.Revenue : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned. :mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned. :mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.56:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned. :mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned. C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned. ::Report end

Buckeye_Sam View Member Profile	Nov 5 2006, 10:08 AM Post #4
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	That's a good sign! Click Start -> Control Panel -> Display Go to the Desktop tab and click on the Customize Desktop button. Go to the Web tab Select anything except "My Current Homepage" and then click the Delete button. Please post a new hijackthis log. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Tareeq View Member Profile	Nov 5 2006, 12:34 PM Post #5
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	hi again, i did delete "everything except my current homepage", even though you wrote "ANYTHING" i figured it made more sense being "everything". this is the hijackthis new log Logfile of HijackThis v1.99.1 Scan saved at 1:29:23 AM, on 11/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Athan\Athan.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\LClock\LClock.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\ATKKBService.exe C:\Program Files\Free Download Manager\fdm.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe" O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [lkz11609] "RUNDLL32.EXE" w3d3f388.dll,n 006116030000000a3d3f388 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing) O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

Buckeye_Sam View Member Profile	Nov 5 2006, 03:51 PM Post #6
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Yes, you are right it should read "everything". I've corrected that on my end for future posts. Thanks. Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file) O4 - HKLM\..\Run: [lkz11609] "RUNDLL32.EXE" w3d3f388.dll,n 006116030000000a3d3f388 O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing) O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) Reboot your computer. Please go HERE to run Panda's ActiveScan Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Tareeq View Member Profile	Nov 6 2006, 12:43 AM Post #7
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	you are becoming my new best friend . did what you have asked and here is what i got Incident Status Location Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat Spyware:spyware/searchcentrix Not disinfected Windows Registry Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e31.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e31.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e34.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e34.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e39.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e39.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e41.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e41.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e42.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e42.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e44.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e44.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e45.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e45.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e47.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e47.exe[deskbar.exe][deskbar.dll] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e48.exe[deskbar.exe] Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e48.exe[deskbar.exe][deskbar.dll] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[BlackBox.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[VerifierBug.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[Dummy.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[Beyond.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[BlackBox.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[VerifierBug.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[Dummy.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[Beyond.class] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@entrepreneur[1].txt Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@searchportal.information[2].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@xiti[1].txt Security Risk:HackTool/Gendel.A Not disinfected C:\gendel32.exe Potentially unwanted tool:Application/HideWindow.S Not disinfected C:\WINDOWS\system32\cmdow.exe Adware:Adware/CommAd Not disinfected C:\WINDOWS\Zm9yIEhvbWUgVXNlZCBPbmx5\tA6VKH1Svqo0prh5tF1jvAUc.vbs "AND this is the new Hijackthis log" Logfile of HijackThis v1.99.1 Scan saved at 1:35:34 PM, on 11/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Athan\Athan.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\LClock\LClock.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Free Download Manager\fdm.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe C:\Program Files\uTorrent\utorrent.exe C:\Program Files\Warez\Warez.exe C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe" O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

Buckeye_Sam View Member Profile	Nov 6 2006, 06:28 PM Post #8
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Fix this line with Hijackthis. O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing) ============ Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop. Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All Files button. Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): c:\windows\keyboard1.dat C:\deskbar_e31.exe C:\deskbar_e34.exe C:\deskbar_e39.exe C:\deskbar_e41.exe C:\deskbar_e42.exe C:\deskbar_e44.exe C:\deskbar_e45.exe C:\deskbar_e47.exe C:\deskbar_e48.exe C:\gendel32.exe C:\WINDOWS\system32\cmdow.exe C:\WINDOWS\Zm9yIEhvbWUgVXNlZCBPbmx5\tA6VKH1Svqo0prh5tF1jvAUc.vbs Return to Killbox, go to the File menu, and choose Paste from Clipboard. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually. After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log Post this log in your next reply. ============ We need to update your version of Java. Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 from HERE Scroll down to where it says Java Runtime Environment (JRE) 5.0 Update 9 Click the "Download" button to the right. Accept the license agreement. Click Windows Offline Installation, Multi-language to download the file. Once the program has finished downloading: Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have next icon next to it: Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version. Go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. ============ Reboot once more and post a new hijackthis log. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Tareeq View Member Profile	Nov 7 2006, 01:00 AM Post #9
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	hi This is the log for KillBox Pocket Killbox version 2.0.0.881 Running on Windows XP as Administrator(Administrator) was started @ Tuesday, November 07, 2006, 1:09 PM # 1 [Delete on Reboot] Path = c:\windows\keyboard1.dat # 2 [Delete on Reboot] Path = C:\deskbar_e31.exe # 3 [Delete on Reboot] Path = C:\deskbar_e34.exe # 4 [Delete on Reboot] Path = C:\deskbar_e39.exe # 5 [Delete on Reboot] Path = C:\deskbar_e41.exe # 6 [Delete on Reboot] Path = C:\deskbar_e42.exe # 7 [Delete on Reboot] Path = C:\deskbar_e44.exe # 8 [Delete on Reboot] Path = C:\deskbar_e45.exe # 9 [Delete on Reboot] Path = C:\deskbar_e47.exe # 10 [Delete on Reboot] Path = C:\deskbar_e48.exe # 11 [Delete on Reboot] Path = C:\gendel32.exe # 12 [Delete on Reboot] Path = C:\WINDOWS\system32\cmdow.exe # 13 [Delete on Reboot] Path = C:\WINDOWS\Zm9yIEhvbWUgVXNlZCBPbmx5\tA6VKH1Svqo0prh5tF1jvAUc.vbs I Rebooted @ 1:12:36 PM Killbox Closed(Exit) @ 1:12:48 PM __________________________________________________ Pocket Killbox version 2.0.0.881 Running on Windows XP as Administrator(Administrator) was started @ Tuesday, November 07, 2006, 1:55 PM And this is the new HijackThis log Logfile of HijackThis v1.99.1 Scan saved at 1:57:20 PM, on 11/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Athan\Athan.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\LClock\LClock.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Free Download Manager\fdm.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe" O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

Buckeye_Sam View Member Profile	Nov 7 2006, 06:05 PM Post #10
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Your log looks pretty good. How are things working on your end? -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Tareeq View Member Profile	Nov 7 2006, 06:13 PM Post #11
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	hi, things are looking great so far on my end, although my browsers are loading a bit slower then usual with the same internet connectin that i had earlier. But i would like to thank you and let you know that your time and efforts are appreciated. can you just please inform me on the best way to keep this malware off my PC, and do i need to uninstall any of the programs that we installed to rid of the malware.

Buckeye_Sam View Member Profile	Nov 8 2006, 08:13 AM Post #12
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	You can get rid of Killbox, it's a specialized tool. But I would recommend keeping AVG Antispyware installed and run periodic scans with it. It's an excellent program. Let's see if we can speed you up a bit. These are unnecessary programs that are running at startup. Fix these lines with hijackthis to control these items. O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun Here are some other recommendations for you to keep your computer running smoothly and securely. Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned. You can find instructions on how to enable and reenable system restore here: Managing Windows Millenium System Restore or Windows XP System Restore Guide Renable system restore with instructions from tutorial above Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialize and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here: Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Tareeq View Member Profile	Nov 9 2006, 02:50 AM Post #13
New Member Group: Members Posts: 7 Joined: 4-November 06 Member No.: 93,859	will do as advised, thanks again.

Buckeye_Sam View Member Profile	Nov 9 2006, 06:33 PM Post #14
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	I'm glad I could help you out! Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides