Trying To Fix Lots Of Problems

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Trying To Fix Lots Of Problems Please tell me whats next step

#1 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 15 March 2007 - 07:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:11:38 PM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDownload\BitDownload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ellen Klaas\Local Settings\Temp\wzfae6\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\prefs.js)
O2 - BHO: (no name) - 0@49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - `@18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: 0 - {8F459AC4-F12B-47D8-A3A8-6F38B8428986} - C:\Program Files\Messenger\zykisuh.dll (file missing)
O2 - BHO: (no name) - {AAC1DD41-6398-4B98-AF5A-CE8DA31075BB} - C:\Program Files\WindowsUpdate\vixyz.dll
O2 - BHO: (no name) - @5122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
O2 - BHO: (no name) - ¨¨2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win3207618104677] C:\WINDOWS\win3207618104677.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {695B78FF-42C1-408A-9ADB-2030061FA94B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Any help will be appreciated.
I ran bit defender but it never would finish.
Thanks in advance

#2 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 15 March 2007 - 07:35 PM

Welcome to the BleepingComputer HijackThis forum Braxton :thumbsup:

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

***************************

Wow,you've certainly got some problems there.
For starters go here and follow the instructions to remove DeluxeCommunications:
http://www.bleepingcomputer.com/forums/topic66364.html

When you've finished that,restart your pc and post a new Hijackthis log into your next reply.

#3 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 15 March 2007 - 08:16 PM

I am going to sound like an idiot but that program is no where to be found i tried to find every way i know how. Any suggestions?

Thanks

#4 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 15 March 2007 - 08:22 PM

im talking about deluxecommunications. There is no folder under program files and searched and cannot find anything. I saved the hi jack this to my desktop so i shouldnt have that problem any longer. Thanks

#5 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 15 March 2007 - 08:41 PM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - 0@49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - `@18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: 0 - {8F459AC4-F12B-47D8-A3A8-6F38B8428986} - C:\Program Files\Messenger\zykisuh.dll (file missing)
O2 - BHO: (no name) - {AAC1DD41-6398-4B98-AF5A-CE8DA31075BB} - C:\Program Files\WindowsUpdate\vixyz.dll
O2 - BHO: (no name) - @5122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
O2 - BHO: (no name) - ¨¨2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [win3207618104677] C:\WINDOWS\win3207618104677.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll

Find and delete if present:
C:\Program Files\WindowsUpdate
C:\WINDOWS\win3207618104677.exe
dxclib303562752.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

*******************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.

Post the AVG Anti Spyware report,the BitDefender Online Scanner log, and a new Hijackthis log into your next reply please.

#6 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 16 March 2007 - 12:02 PM

BitDefender Online Scanner

Scan report generated at: Fri, Mar 16, 2007 - 11:53:13

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics

Time
04:34:28

Files
581797

Folders
4142

Boot Sectors
5

Archives
8283

Packed Files
71020

Results

Identified Viruses
5

Infected Files
13

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
13

Engines Info

Virus Definitions
405404

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\F0MKZF8V\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\F0MKZF8V\popup[1].htm
Disinfection failed

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\F0MKZF8V\popup[1].htm
Deleted

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\GXKY3BCM\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\GXKY3BCM\popup[1].htm
Disinfection failed

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\GXKY3BCM\popup[1].htm
Deleted

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\KMJFXJKX\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\KMJFXJKX\popup[1].htm
Disinfection failed

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\KMJFXJKX\popup[1].htm
Deleted

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\RYT1ZOKZ\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\RYT1ZOKZ\popup[1].htm
Disinfection failed

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\RYT1ZOKZ\popup[1].htm
Deleted

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\TVRDHRQ9\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\TVRDHRQ9\popup[1].htm
Disinfection failed

C:\Documents and Settings\Ellen Klaas\Local Settings\Temporary Internet Files\Content.IE5\TVRDHRQ9\popup[1].htm
Deleted

C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
Detected with: Adware.Mywebsearch.G

C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
Disinfection failed

C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
Deleted

C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
Detected with: Adware.Mywebsearch.G

C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
Disinfection failed

C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
Deleted

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054893.exe=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.Purityscan.C

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054893.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054893.exe=>(NSIS o)=>zlib_nsis0001
Deleted

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054893.exe=>(NSIS o)
Update failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP838\A0054970.exe
Infected with: Trojan.FatObfus.Gen

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP838\A0054970.exe
Disinfection failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP838\A0054970.exe
Deleted

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0054980.exe=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.Purityscan.C

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0054980.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0054980.exe=>(NSIS o)=>zlib_nsis0001
Deleted

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0054980.exe=>(NSIS o)
Update failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055167.DLL
Detected with: Adware.Mywebsearch.G

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055167.DLL
Disinfection failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055167.DLL
Deleted

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055168.DLL
Detected with: Adware.Mywebsearch.G

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055168.DLL
Disinfection failed

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055168.DLL
Deleted

C:\WINDOWS\system32\bund1\ClientBundle1.exe=>(NSIS o)=>zlib_nsis0005
Infected with: Dropped:Application.Adware.NewDotNet.B

C:\WINDOWS\system32\bund1\ClientBundle1.exe=>(NSIS o)=>zlib_nsis0005
Disinfection failed

C:\WINDOWS\system32\bund1\ClientBundle1.exe=>(NSIS o)=>zlib_nsis0005
Deleted

C:\WINDOWS\system32\bund1\ClientBundle1.exe=>(NSIS o)
Update failed

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:01:49 AM 3/16/2007

+ Scan result:

C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP842\A0055077.dll -> Adware.404Search : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{304EC1B1-04AB-1033-1018-010430200001}\UnInstall.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{304EC1B1-04AB-1033-1018-010430200001}\system.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{304EC1B1-04AC-1033-1018-010430200001}\system.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc1\UnInstall.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc2\UnInstall.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc2\system.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP829\A0054832.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP829\A0054850.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP833\A0054914.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP836\A0054957.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP836\A0054958.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP836\A0054960.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP836\A0054962.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055060.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055061.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP842\A0055073.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055113.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055114.dll -> Adware.888Bar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054874.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055022.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055023.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055024.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055025.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055026.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055027.dll -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Program Files\INSTAFINK -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP816\A0053650.DLL -> Adware.IESearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP819\A0053699.dll -> Adware.IESearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055034.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055035.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055116.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055117.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055118.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP816\A0053626.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP828\A0054824.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054865.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054866.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP833\A0054940.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP833\A0054941.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP816\A0053647.dll -> Adware.RXBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP816\A0053648.dll -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP836\A0054959.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP842\A0055074.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP842\A0055076.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP842\A0055078.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055110.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055106.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055121.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055122.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055123.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055124.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070315-214407-682.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP834\A0054948.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0054988.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP840\A0055048.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055111.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@paidmarketingpanel.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@prizeamerica.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@psu.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.11:C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@ehg-financialaid.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@ehg-hollywoodmedia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@ehg-maniatv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@ehg-vmixmediainc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@server.lon.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.13:C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\cookies.txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.9:C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.15:C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.16:C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Ellen Klaas\Cookies\ellen_klaas@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP828\A0054827.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP830\A0054867.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP833\A0054930.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP833\A0054942.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64048D71-13DE-4C05-A279-14417CE9CA99}\RP843\A0055120.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 11:59:01 AM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDownload\BitDownload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ellen Klaas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {695B78FF-42C1-408A-9ADB-2030061FA94B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Thanks for the help
Whats the next step???
bitdefender said i was still infected when it finally finished.

Braxton

#7 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 16 March 2007 - 12:43 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
Exit Hijackthis.

**********************************

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs,Click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.
Restart your pc,post a new Hijackthis log as well please.

#8 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 18 March 2007 - 08:16 PM

Scanning Report
Saturday, March 17, 2007 21:20:45 - 06:52:25
Computer name: ELLENKLAAS
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\

--------------------------------------------------------------------------------

Result: 5 malware found
Adware.Agent (spyware)
System (Disinfected)
NetworkWorm.QY (virus)
C:\WINDOWS\system32\bund1\Yzz.exe
Trojan-Downloader.Win32.PurityScan.dx (virus)
C:\Documents and Settings\Ellen Klaas\Local Settings\Temp\sdexe.0xe
Trojan.Win32.VB.tg (virus)
C:\WINDOWS\system32\bund1\ClientBundle1.0xe
C:\WINDOWS\system32\bund1\mac.0xe

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 172852
System: 4923
Not scanned: 56
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 4
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\8COL8XL8.TMP
C:\WINDOWS\TEMP\JDB842JF.TMP
C:\WINDOWS\TEMP\N80R1A76.TMP
C:\WINDOWS\TEMP\OMKM7OSW.TMP
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_188.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_1B8.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_320.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_330.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_364.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_420.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_7D4.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_82C.DAT
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_CC4.DAT
C:\WINDOWS\TEMP\SLB6U2CG.TMP
C:\WINDOWS\TEMP\U1S3PJCR.TMP
C:\WINDOWS\TEMP\XEDE1IV1.TMP
C:\WINDOWS\TEMP\Y3KMZMRT.TMP
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\WINDOWS\I386\BIOS1.RO_
C:\PROGRAM FILES\NEED2FIND\BAR\HISTORY\SEARCH
C:\PROGRAM FILES\MORPHEUSBAR\BAR\HISTORY\SEARCH2
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\Program Files\Intuit\QuickBooks 2006\Components\PConfig\Data1.cab\arrow.gif1
C:\PROGRAM FILES\INTUIT\QUICKBOOKS 2006\COMPONENTS\NAVIGATOR\IMAGES\CST\ARROW1.GIF
C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI\stream 19\AdAware_SE_default.ask\Ad-Aware SE Default.skn
C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\ZF612707.CAB\REFSPCL.TTF
C:\DOCUMENTS AND SETTINGS\OWNER\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\NTUSER.DAT
C:\Documents and Settings\Ellen Klaas\Local Settings\Temp\2156a04.msi\stream 19\AdAware_SE_default.ask\Ad-Aware SE Default.skn
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\LOCAL SETTINGS\TEMP\ACR7B86.TMP
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\LOCAL SETTINGS\TEMP\ACR7B9A.TMP
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\LOCAL SETTINGS\TEMP\~DF69C2.TMP
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAM
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAM
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\DESKTOP\SONGS\SONGS2\JENNIFER LOPEZ FEAT. LOX - JENNY FROM THE BLOCK.MP3
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\DESKTOP\SONGS\SONGS2\JURASSIC 5 - WHAT'S GOLDEN.MP3
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\DESKTOP\SONGS\SONGS2\SNOOP DOGG F NEPTUNES - THATS THE bleep (1).MP3
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\APPLICATION DATA\MOZILLA\PROFILES\DEFAULT\E2CEJBRB.SLT\NEWCACHE\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\APPLICATION DATA\MOZILLA\PROFILES\DEFAULT\E2CEJBRB.SLT\NEWCACHE\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\APPLICATION DATA\BITDOWNLOAD\STORAGE\EFS.DAT
C:\DOCUMENTS AND SETTINGS\ELLEN KLAAS\APPLICATION DATA\BITDOWNLOAD\STORAGE\STORAGES.DAT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETSCAPE INTERNET SERVICE\PBK.DAT.IDX
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-15-2007 - 17-11-38.SBU\{01C06AE1-EB10-4EAD-B929-A529011EBCEA}

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-03-16
F-Secure AVP: 7.0.171, 2007-03-16
F-Secure Orion: 1.2.37, 2007-03-16
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 2007-03-13
F-Secure Pegasus: 1.19.0, 2007-02-14
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

Logfile of HijackThis v1.99.1
Scan saved at 7:12:09 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDownload\BitDownload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ellen Klaas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {695B78FF-42C1-408A-9ADB-2030061FA94B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Thanks again

#9 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 19 March 2007 - 02:30 AM

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Note:
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Also post a new Hijackthis log and let me know how your pc is running now please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

#10 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 19 March 2007 - 04:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:09:23 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDownload\BitDownload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ellen Klaas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {695B78FF-42C1-408A-9ADB-2030061FA94B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

"Ellen Klaas" - 07-03-19 5:17:55 Service Pack 2
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Ellen Klaas\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\Bund1\ClientBundle1.0xe
C:\WINDOWS\system32\Bund1\mac.0xe
C:\WINDOWS\system32\Bund1\temp.txt
C:\WINDOWS\system32\Bund1\Yzz.exe
C:\WINDOWS\system32\Bund1\zq.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\REGEDIT.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\Common Files\{304EC~1
C:\Program Files\Common Files\{304EC~2
C:\Program Files\outlook
C:\WINDOWS\system32\Bund1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\ELLENK~1
C:\qoobox\purity\DOCUME~1\ELLENK~1\APPLIC~1
C:\qoobox\purity\DOCUME~1\ELLENK~1\MYDOCU~1
C:\qoobox\purity\DOCUME~1\ELLENK~1\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\ELLENK~1\APPLIC~1\RACLE~1
C:\qoobox\purity\DOCUME~1\ELLENK~1\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\ELLENK~1\MYDOCU~1\ICROSO~1.NET
C:\qoobox\purity\WINDOWS\RACLE~1
C:\qoobox\purity\WINDOWS\YMBOLS~1
C:\qoobox\purity\WINDOWS\system32\ASEMBL~1
C:\qoobox\purity\WINDOWS\system32\CROSOF~1

((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))

2007-03-15 21:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-15 17:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-15 15:49 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-15 15:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-03-15 15:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-15 13:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-15 13:06 <DIR> d-------- C:\DOCUME~1\ELLENK~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-15 13:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-15 07:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-15 07:12 <DIR> d-------- C:\DOCUME~1\ELLENK~1\APPLIC~1\Lavasoft
2007-03-15 07:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-14 21:11 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-12 18:50 212 --a------ C:\delete.bat
2007-03-10 22:05 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-03-05 21:11 <DIR> d-------- C:\Program Files\LimeWire
2007-03-02 13:59 53,248 --a------ C:\WINDOWS\uni_eh10.exe
2007-02-27 07:14 <DIR> d-------- C:\divx
2007-02-27 07:04 <DIR> d-------- C:\DOCUME~1\ELLENK~1\APPLIC~1\DivX
2007-02-27 06:57 <DIR> d-------- C:\Program Files\DivX
2007-02-26 22:26 77,891 --a------ C:\WINDOWS\system32\usrmlnka.exe
2007-02-26 22:26 73,796 --a------ C:\WINDOWS\system32\slserv.exe
2007-02-26 22:26 69,700 --a------ C:\WINDOWS\system32\usrshuta.exe
2007-02-26 22:26 61,508 --a------ C:\WINDOWS\system32\usrprbda.exe
2007-02-26 22:26 193,024 --a------ C:\WINDOWS\system32\fsquirt.exe
2007-02-26 22:21 <DIR> d--hs---- C:\DOCUME~1\ELLENK~1\Complete
2007-02-26 22:14 <DIR> d-------- C:\DOCUME~1\ELLENK~1\APPLIC~1\BitDownload
2007-02-26 22:13 <DIR> d-------- C:\Program Files\BitDownload
2007-02-26 17:12 <DIR> d-------- C:\DOCUME~1\ELLENK~1\Shared
2007-02-26 17:12 <DIR> d-------- C:\DOCUME~1\ELLENK~1\Incomplete
2007-02-26 17:08 <DIR> d-------- C:\Program Files\Java
2007-02-26 17:07 <DIR> d-------- C:\Program Files\Common Files\Java

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-15 15:43 -------- d-------- C:\Program Files\messenger
2007-03-14 21:26 -------- d-------- C:\Program Files\partypoker
2007-03-11 19:00 -------- d-------- C:\DOCUME~1\ELLENK~1\APPLIC~1\ripit4me
2007-03-07 20:01 -------- d-------- C:\Program Files\yahoo!
2007-03-02 19:15 -------- d-------- C:\Program Files\google
2007-02-27 20:58 -------- d--h----- C:\Program Files\installshield installation information
2007-02-27 20:39 821 --a------ C:\DOCUME~1\ELLENK~1\APPLIC~1\adobedlm.log
2007-02-27 06:44 120 --a------ C:\DOCUME~1\ELLENK~1\APPLIC~1\fixvts.ini
2007-02-16 17:00 10 --a------ C:\WINDOWS\smdat32m.sys
2007-02-16 16:59 -------- d-------- C:\Program Files\morpheusbar
2007-02-16 16:59 -------- d-------- C:\Program Files\morpheus
2007-02-16 12:55 0 --a------ C:\WINDOWS\smdat32a.sys
2007-02-16 12:53 -------- d-------- C:\Program Files\need2find
2007-02-11 20:42 -------- d-------- C:\Program Files\itunes
2007-02-11 20:42 -------- d-------- C:\Program Files\ipod
2007-02-11 20:41 -------- d-------- C:\Program Files\quicktime
2007-02-06 21:43 -------- d-------- C:\Program Files\egames
2007-02-06 21:40 -------- d-------- C:\Program Files\slysoft
2007-02-06 19:43 40 ---hs---- C:\DOCUME~1\ELLENK~1\APPLIC~1\.zreglib

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitDownload"="\"C:\\Program Files\\BitDownload\\BitDownload.exe\" /minimized"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Bluetooth.lnk"
"backup"="C:\\WINDOWS\\pss\\Bluetooth.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WIDCOMM\\BLUETO~1\\BTTray.exe "
"item"="Bluetooth"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ellen Klaas^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Ellen Klaas\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aaou]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="chkdsk"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\ELLENK~1\\MYDOCU~1\\YSTEM~1\\chkdsk.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BitDownload"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitDownload\\BitDownload.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlmMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeDownloadManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe\" restart=1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fm3032"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 4200 Series\\Fax\\fm3032.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fcahsv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="??xplore"
"hkey"="HKCU"
"command"="\"C:\\Documents and Settings\\Ellen Klaas\\My Documents\\?icrosoft.NET\\??xplore.exe\" 99001396"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\help mail list setup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Biasinter"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\Test Eggs Help Mail\\Biasinter.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbmbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 4200 Series\\lxbmbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WaitGlue]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daleseek"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\ELLENK~1\\APPLIC~1\\ACELES~1\\daleseek.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="coloreal"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ https://mail.wku.edu/Session/121867-1P7huQ5...-11-06_1156.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Messenger\disohdob.html

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-19 5:30:06

Computer is running ok kind of slow actually But all pop-ups are gone. I keep seeing bitdownload do you know what this is? Also I have alot on my desktop about 21 icons of things that i have been downloading and running. What should i do wiht these now. Thanks as always
Braxton

And i get this pop up when i restart evrey time
Version 1.5.4.9107 is available
- General: Memory Management Improved
- Browser: IE6 support, favorite icons support updated, torrents now come directly to transfer, freezes on long operations fixed
- Browser: Integrated Browser Fixes
- Preferences: Updates to Preference Pane
Download?
What should i do?

Thanks

This post has been edited by Braxton: 19 March 2007 - 04:23 PM

#11 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 19 March 2007 - 05:49 PM

Click on Start/Control Panel/Add or Remove Programs and remove BitDownload,then restart your pc.

****************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

Quote

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fcahsv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\help mail list setup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WaitGlue]

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\WINDOWS\uni_eh10.exe
C:\WINDOWS\smdat32a.sys
C:\Program Files\need2find
C:\Program Files\BitDownload

****************************

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.

Post a new Hijackthis log into your next reply,let me know how your pc is running now please.

#12 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 19 March 2007 - 07:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:16:45 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ellen Klaas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ellen Klaas\Application Data\Mozilla\Profiles\default\e2cejbrb.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {695B78FF-42C1-408A-9ADB-2030061FA94B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Seems to be running better. What should I do with all the programs that are saved to my desktop. Thanks again

#13 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 19 March 2007 - 07:38 PM

Click on Start/Control Panel/Add or Remove Programs and remove AVG Anti-Spyware 7.5,then restart your pc.

Find and delete:
Combofix
fix.reg
HijackThis.exe

You should hang onto CleanUp,it's free and one of the best system cleaning tools out there.

****************************

Your log is clean :thumbsup:

If all's ok,please do the following:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue,all existing restore points will be deleted,and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes',your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply',then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description,then click on 'Create',then click 'Close'.
The date and time is created automatically.

Read through the information found here,to help you prevent any possible future infections.
Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

#14 Braxton

Member

Group: Members
Posts: 45
Joined: 12-March 07

Posted 19 March 2007 - 09:10 PM

Thanks for all the help I will definitely be making a donation and will be passing the site along to everyone I know.

Greatly Appreciative
Braxton

#15 RichieUK

Malware Assassin

Group: Malware Response Team
Posts: 13,612
Joined: 13-July 06

Posted 20 March 2007 - 06:59 AM

You're most welcome Braxton,and thanks for the donation :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.