Hijackthis Log: Please Help Diagnose

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Hijackthis Log: Please Help Diagnose

#1 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 04 November 2006 - 08:06 PM

helo plz help me

Logfile of HijackThis v1.99.1
Scan saved at 8:57:55 AM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [lkz11609] "RUNDLL32.EXE" w3d3f388.dll,n 006116030000000a3d3f388
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

#2 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 04 November 2006 - 11:27 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Do not run a scan just yet. We will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
Clean out your Temporary Internet files.
- Internet Explorer
  - Close Internet Explorer and close any instances of Windows Explorer.
  - Click Start -> Control Panel and then double-click Internet Options.
  - On the General tab, click Delete Files under Temporary Internet Files.
  - In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  - On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  - Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  - Click OK.
- Firefox (In case you also have Firefox installed)
  - Open Firefox and go to Tools -> Options.
  - Click Privacy in the menu on the left side of the Options window.
  - Click the Clear button located to the right of each option (History, Cookies, Cache).
  - Click OK to close the Options window.
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess.
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware scan report along with a new hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 05 November 2006 - 05:50 AM

thank you so much for replying in a short period, appreciate it. i've done what you've suggested and im going to post the results, so far it looks good, i mean i dont hear that continous sound of pop-ups being blocked.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:30:41 PM 11/5/2006

+ Scan result:

C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP60\A0008866.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP62\A0009068.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\Deskbar -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\inst.bat -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010086.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP65\A0010156.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP65\A0010157.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010167.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010168.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010249.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP70\A0011374.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP70\A0011375.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011428.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011491.dll -> Adware.Softomate : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-963894560-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010093.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010094.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010095.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010096.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010170.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\mc44a47.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\mc44a48.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010171.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP66\A0010172.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011466.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011474.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011467.exe -> Downloader.Adload.hp : Cleaned with backup (quarantined).
C:\nwnmff_e43.exe -> Downloader.Adload.hp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP61\A0008908.exe -> Downloader.Adload.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010021.exe -> Downloader.Adload.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP63\A0010085.exe -> Downloader.Adload.hr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011421.exe -> Downloader.Adload.ht : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\7zOF6.tmp\WarezP2P.exe -> Downloader.Small : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP16\A0006088.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\89MZ81YZ\xpl[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2XF20ARJ\popup[6].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\89MZ81YZ\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LI7S9EN\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXEZ01IF\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXEZ01IF\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\DG0ZL501\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\F79NNPOK\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\GV8LXNSI\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\GV8LXNSI\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KNJRY8HX\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KNJRY8HX\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KNJRY8HX\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\M5QFUPUL\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\M5QFUPUL\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\M5QFUPUL\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHQ7SH67\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\S1IX87E1\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UA7ACHKL\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZIDP13I\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Program Files\MSN\woqyni.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Messenger\zyse.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011475.exe -> Hijacker.VB.kc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37FD4BB-F6A2-428A-9BCC-DE820D7F1941}\RP71\A0011477.exe -> Hijacker.VB.kc : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tgn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.60:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned.
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.102:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.103:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
:mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.56:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ghwpcy7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.

::Report end

#4 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 05 November 2006 - 10:08 AM

That's a good sign! :thumbsup:

Click Start -> Control Panel -> Display
Go to the Desktop tab and click on the Customize Desktop button.
Go to the Web tab
Select anything except "My Current Homepage" and then click the Delete button.

Please post a new hijackthis log.

#5 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 05 November 2006 - 12:34 PM

hi again, i did delete "everything except my current homepage", even though you wrote "ANYTHING" i figured it made more sense being "everything". this is the hijackthis new log

Logfile of HijackThis v1.99.1
Scan saved at 1:29:23 AM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [lkz11609] "RUNDLL32.EXE" w3d3f388.dll,n 006116030000000a3d3f388
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

#6 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 05 November 2006 - 03:51 PM

Yes, you are right it should read "everything". I've corrected that on my end for future posts. Thanks. :thumbsup:

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [lkz11609] "RUNDLL32.EXE" w3d3f388.dll,n 006116030000000a3d3f388
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Reboot your computer.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

#7 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 06 November 2006 - 12:43 AM

you are becoming my new best friend :thumbsup:

. did what you have asked and here is what i got

Incident Status Location

Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e31.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e31.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e34.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e34.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e39.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e39.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e41.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e41.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e42.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e42.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e44.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e44.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e45.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e45.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e47.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e47.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e48.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e48.exe[deskbar.exe][deskbar.dll]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-3120fc45.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28d8de12-77c3c6de.zip[Beyond.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@entrepreneur[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@searchportal.information[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@xiti[1].txt
Security Risk:HackTool/Gendel.A Not disinfected C:\gendel32.exe
Potentially unwanted tool:Application/HideWindow.S Not disinfected C:\WINDOWS\system32\cmdow.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Zm9yIEhvbWUgVXNlZCBPbmx5\tA6VKH1Svqo0prh5tF1jvAUc.vbs

"AND this is the new Hijackthis log"

Logfile of HijackThis v1.99.1
Scan saved at 1:35:34 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Warez\Warez.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

#8 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 06 November 2006 - 06:28 PM

Fix this line with Hijackthis.

O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\n86qlij518o.dll (file missing)

============

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\windows\keyboard1.dat
C:\deskbar_e31.exe
C:\deskbar_e34.exe
C:\deskbar_e39.exe
C:\deskbar_e41.exe
C:\deskbar_e42.exe
C:\deskbar_e44.exe
C:\deskbar_e45.exe
C:\deskbar_e47.exe
C:\deskbar_e48.exe
C:\gendel32.exe
C:\WINDOWS\system32\cmdow.exe
C:\WINDOWS\Zm9yIEhvbWUgVXNlZCBPbmx5\tA6VKH1Svqo0prh5tF1jvAUc.vbs
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.
After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
Post this log in your next reply.

============

We need to update your version of Java.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 from HERE
- Scroll down to where it says Java Runtime Environment (JRE) 5.0 Update 9
- Click the "Download" button to the right.
- Accept the license agreement.
- Click Windows Offline Installation, Multi-language to download the file.
Once the program has finished downloading:
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - It should have next icon next to it:
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
Go back into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 Checked
  - Downloaded Applets
  - Downloaded Applications
  - Other Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.

============

Reboot once more and post a new hijackthis log.

#9 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 07 November 2006 - 01:00 AM

hi

This is the log for KillBox

Pocket Killbox version 2.0.0.881
Running on Windows XP as Administrator(Administrator)
was started @ Tuesday, November 07, 2006, 1:09 PM

# 1 [Delete on Reboot]
Path = c:\windows\keyboard1.dat

# 2 [Delete on Reboot]
Path = C:\deskbar_e31.exe

# 3 [Delete on Reboot]
Path = C:\deskbar_e34.exe

# 4 [Delete on Reboot]
Path = C:\deskbar_e39.exe

# 5 [Delete on Reboot]
Path = C:\deskbar_e41.exe

# 6 [Delete on Reboot]
Path = C:\deskbar_e42.exe

# 7 [Delete on Reboot]
Path = C:\deskbar_e44.exe

# 8 [Delete on Reboot]
Path = C:\deskbar_e45.exe

# 9 [Delete on Reboot]
Path = C:\deskbar_e47.exe

# 10 [Delete on Reboot]
Path = C:\deskbar_e48.exe

# 11 [Delete on Reboot]
Path = C:\gendel32.exe

# 12 [Delete on Reboot]
Path = C:\WINDOWS\system32\cmdow.exe

# 13 [Delete on Reboot]
Path = C:\WINDOWS\Zm9yIEhvbWUgVXNlZCBPbmx5\tA6VKH1Svqo0prh5tF1jvAUc.vbs

I Rebooted @ 1:12:36 PM
Killbox Closed(Exit) @ 1:12:48 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Administrator(Administrator)
was started @ Tuesday, November 07, 2006, 1:55 PM

And this is the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:57:20 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Athan] "C:\Program Files\Athan\Athan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LClock] "C:\Program Files\LClock\LClock.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

#10 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 07 November 2006 - 06:05 PM

Your log looks pretty good.
How are things working on your end?

#11 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 07 November 2006 - 06:13 PM

hi, things are looking great so far on my end, although my browsers are loading a bit slower then usual with the same internet connectin that i had earlier. But i would like to thank you and let you know that your time and efforts are appreciated.

can you just please inform me on the best way to keep this malware off my PC, and do i need to uninstall any of the programs that we installed to rid of the malware.

#12 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 08 November 2006 - 08:13 AM

You can get rid of Killbox, it's a specialized tool. But I would recommend keeping AVG Antispyware installed and run periodic scans with it. It's an excellent program.

Let's see if we can speed you up a bit. These are unnecessary programs that are running at startup. Fix these lines with hijackthis to control these items.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun

Here are some other recommendations for you to keep your computer running smoothly and securely.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup:

#13 Tareeq

New Member

Group: Members
Posts: 7
Joined: 04-November 06

Posted 09 November 2006 - 02:50 AM

will do as advised, thanks again. :thumbsup:

#14 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 09 November 2006 - 06:33 PM

I'm glad I could help you out! :thumbsup:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.