
Novice Here With Fresh Hjt Log


This topic is locked
9 replies to this topic

#1 rogue55

Posted 29 November 2007 - 04:52 PM

Well, my employer is too cheap to include virus protection on my work comp. I can barely navigate my billing program, which is online by the way, without all these pop-ups and redirects. I have run Ad-Aware 07: it finds spy cookies all the time; Spybot Search and Destroy: it comes up empty all day today; BitDefender has found "ngwpniwl.dll" but it cannot delete it; and McAfee Stinger has found nothing either. There are two others I know of, "jkhhg.dll" and "vtsttqq.dll", that I have looked up online to discover they are viruses, but I cannot delete them even in safe mode using Autoruns. They just recreate themselves. Any help would be appreciated. I am sure there are probably more viruses that I don't know about. Also, I am not too familiar with this kind of advanced computer work. Thanks for your help and patience. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:16 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\stsystra.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://69.94.26.203/H0100001.jsp
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {039CB81E-DF81-4197-8DF1-BBFCF27E8BB5} - D:\WINDOWS\system32\ngwpniwl.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08DC7CD4-4533-457B-BE71-EA6C26939347} - D:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - D:\WINDOWS\system32\vtsttqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {228b6521-b9e0-9099-c464-fbe59035028d} - {d8205309-5ebf-464c-9909-0e9b1256b822} - D:\WINDOWS\system32\urffbahb.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - D:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UIUCU] D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [1c5b0f4d] rundll32.exe "D:\WINDOWS\system32\lsxyiton.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O20 - Winlogon Notify: vtsttqq - D:\WINDOWS\SYSTEM32\vtsttqq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4479 bytes


#2 Rahina

    Security Helper


Posted 29 November 2007 - 05:24 PM

Welcome to the forums!

You are infected!

I notice that you do not seem to be running Antivirus software.

Download one of these:

I suggest Avira, AVG or Active Virus Shield (uncheck the Security Toolbar during install); they are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability.

Perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again.
After reboot, post a new HijackThis log in your next reply.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#3 rogue55


Posted 30 November 2007 - 08:53 AM

Okay, I have Avira running now. Do I need to get rid of either ZoneAlarm firewall, Ad-Aware 07, or Spybot Search and Destroy? Are those programs interfering with each other or with Avira anti-virus? Here is my new HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:43 AM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\stsystra.exe
D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.EXE
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://69.94.26.203/H0100001.jsp
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {039CB81E-DF81-4197-8DF1-BBFCF27E8BB5} - D:\WINDOWS\system32\ngwpniwl.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08DC7CD4-4533-457B-BE71-EA6C26939347} - D:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - D:\WINDOWS\system32\vtsttqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {228b6521-b9e0-9099-c464-fbe59035028d} - {d8205309-5ebf-464c-9909-0e9b1256b822} - D:\WINDOWS\system32\urffbahb.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - D:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UIUCU] D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [1c5b0f4d] rundll32.exe "D:\WINDOWS\system32\lsxyiton.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O20 - Winlogon Notify: vtsttqq - D:\WINDOWS\SYSTEM32\vtsttqq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5110 bytes

#4 Rahina

    Security Helper


Posted 01 December 2007 - 09:52 AM

If you have a firewall, that is good. Keep it like that. Ad-Aware 2007 is a spyware cleaner, so you cannot replace it with ZoneAlarm Firewall.

Next, I would like you to do this:

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#5 rogue55


Posted 03 December 2007 - 08:02 AM

VundoFix closed when I asked it to remove Vundo. It said no infected files were found, huh? Here is the vundofix.txt and the new HJT log... I really appreciate this!


VundoFix V6.7.0

Checking Java version...

Sun Java not detected
Scan started at 7:36:59 AM 12/3/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

----------------------------------------------------------------------------------------I added this---------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:26 AM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\stsystra.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://69.94.26.203/H0100001.jsp
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {039CB81E-DF81-4197-8DF1-BBFCF27E8BB5} - D:\WINDOWS\system32\ngwpniwl.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08DC7CD4-4533-457B-BE71-EA6C26939347} - D:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - D:\WINDOWS\system32\vtsttqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {228b6521-b9e0-9099-c464-fbe59035028d} - {d8205309-5ebf-464c-9909-0e9b1256b822} - D:\WINDOWS\system32\urffbahb.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - D:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UIUCU] D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [1c5b0f4d] rundll32.exe "D:\WINDOWS\system32\lsxyiton.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O20 - Winlogon Notify: vtsttqq - D:\WINDOWS\SYSTEM32\vtsttqq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5060 bytes

#6 Rahina

    Security Helper


Posted 04 December 2007 - 02:56 PM

Hello!

We have things to do.

( 1 )

Please see HERE how to disable Spybot Teatimer.

Disable Ad-Aware temporarily

Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
  • Active: This will turn Ad-Watch On\Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes.


Please open HiJackThis and scan. Check the boxes next to all the entries listed below:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {039CB81E-DF81-4197-8DF1-BBFCF27E8BB5} - D:\WINDOWS\system32\ngwpniwl.dll (file missing)
O2 - BHO: (no name) - {08DC7CD4-4533-457B-BE71-EA6C26939347} - D:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - D:\WINDOWS\system32\vtsttqq.dll
O4 - HKLM\..\Run: [1c5b0f4d] rundll32.exe "D:\WINDOWS\system32\lsxyiton.dll",b
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O20 - Winlogon Notify: vtsttqq - D:\WINDOWS\SYSTEM32\vtsttqq.dll


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

( 2 )

Next, Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop

@echo off
rem Clear the system, read-only and hidden attributes so del can remove each file
attrib -s -r -h "D:\WINDOWS\system32\ngwpniwl.dll"
del /q "D:\WINDOWS\system32\ngwpniwl.dll"
attrib -s -r -h "D:\WINDOWS\system32\jkhhg.dll"
del /q "D:\WINDOWS\system32\jkhhg.dll"
attrib -s -r -h "D:\WINDOWS\system32\vtsttqq.dll"
del /q "D:\WINDOWS\system32\vtsttqq.dll"
attrib -s -r -h "D:\WINDOWS\system32\lsxyiton.dll"
del /q "D:\WINDOWS\system32\lsxyiton.dll"
rem exit closes the command window (quit is not a cmd.exe command)
exit


Now double click fixthis.bat on your desktop. A screen should flash and disappear.

( 3 )

Please download Deckard's System Scanner (DSS) to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
  • Please also copy the contents of Extra.txt to your post as well.
  • Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
  • What DSS will do:
      • create a new System Restore point in Windows XP and Vista.
      • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
      • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

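As an added example (not code from the thread, from HijackThis or from Deckard's System Scanner): a Python script that applies the traits Rahina used above to pick entries for Fix Checked (nameless BHOs, orphaned "(file missing)" registrations, randomly named system32 DLLs, the hex-named Run value, unknown Winlogon Notify packages) to an excerpt of the log posted in this thread, and reports when one DLL is hooked in more than one place. The consonant-run name heuristic, the partial Winlogon Notify allowlist and the hex-named Run value rule are assumptions of this example, not rules stated in the thread.

```python
"""Triage a HijackThis (HJT) log for Vundo-style BHO / Winlogon Notify persistence."""
import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted in this thread, embedded here as sample input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://69.94.26.203/H0100001.jsp
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {039CB81E-DF81-4197-8DF1-BBFCF27E8BB5} - D:\WINDOWS\system32\ngwpniwl.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08DC7CD4-4533-457B-BE71-EA6C26939347} - D:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - D:\WINDOWS\system32\vtsttqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {228b6521-b9e0-9099-c464-fbe59035028d} - {d8205309-5ebf-464c-9909-0e9b1256b822} - D:\WINDOWS\system32\urffbahb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1c5b0f4d] rundll32.exe "D:\WINDOWS\system32\lsxyiton.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O20 - Winlogon Notify: vtsttqq - D:\WINDOWS\SYSTEM32\vtsttqq.dll
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
DLL_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\\)([^\\" ,]+\.(?:dll|ocx))', re.I)
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,\s*[A-Za-z]\s*$', re.I)
# Partial allowlist of Windows XP Winlogon Notify packages (an assumption of this example).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "wgalogon", "dimsntfy", "igfxcui"}


def dll_of(text):
    """Return (directory, basename) of the first .dll/.ocx path in the line, or None."""
    m = DLL_PATH.search(text)
    return (m.group(1), m.group(2)) if m else None


def looks_random(filename):
    """Heuristic: an alphabetic stem of 5+ letters with a run of 4+ consonants reads as generated."""
    stem = filename.rsplit(".", 1)[0].lower()
    return len(stem) >= 5 and stem.isalpha() and re.search(r"[^aeiou]{4}", stem) is not None


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def triage(log_text):
    """Return the HJT entries that match the traits used in this thread to pick fixes."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        dll = dll_of(body)
        random_sys32 = dll is not None and "\\system32\\" in dll[0].lower() and looks_random(dll[1])
        if section in ("R0", "R1") and IP_URL.search(body):
            reasons.append("IE start/search page points at a bare IP address")
        elif section == "O2":
            name = body.split(" - ")[0][len("BHO: "):]
            if name == "(no name)" or GUID.match(name):
                reasons.append("BHO registered without a readable name")
                if "(no file)" in body or "(file missing)" in body:
                    reasons.append("BHO file already gone (orphaned registration)")
                if random_sys32:
                    reasons.append("randomly named DLL in system32")
        elif section == "O4":
            m4 = re.match(r"HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)", body)
            if m4 and HEX_NAME.match(m4.group(1)):
                reasons.append("Run value named with a random hex string")
            if m4 and RUNDLL_ONE_LETTER.search(m4.group(2)):
                reasons.append("rundll32 loads a DLL through a single-letter export")
        elif section == "O20":
            key = body[len("Winlogon Notify: "):].split(" - ")[0].lower()
            if dll is None:
                reasons.append("Winlogon Notify entry with no DLL behind it (orphaned)")
            elif key not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify package not in the known-good list")
                if random_sys32:
                    reasons.append("randomly named DLL in system32")
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


def correlate(findings):
    """Map DLL basenames flagged in more than one hook type to the sorted list of those hooks."""
    hooks = {}
    for f in findings:
        dll = dll_of(f.line)
        if dll:
            hooks.setdefault(dll[1].lower(), set()).add(f.section)
    return {name: sorted(secs) for name, secs in hooks.items() if len(secs) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.line}\n    -> {'; '.join(f.reasons)}")
    print("Same DLL hooked in several places:", correlate(found))
```

On the excerpt this flags the seven entries Rahina listed plus the GUID-named urffbahb.dll BHO and the IP-address start page, and shows vtsttqq.dll registered both as a BHO and as a Winlogon Notify package.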

#7 rogue55


Posted 05 December 2007 - 02:17 PM

Alright, hopefully I did it all correctly. Here is the main.txt:

Deckard's System Scanner v20071014.68
Run by CPC on 2007-12-05 14:08:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as CPC.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:12 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\stsystra.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\WINDOWS\system32\wuauclt.exe
D:\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\CPC.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://69.94.26.203/H0100001.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - D:\WINDOWS\system32\vtsttqq.dll
O2 - BHO: {228b6521-b9e0-9099-c464-fbe59035028d} - {d8205309-5ebf-464c-9909-0e9b1256b822} - D:\WINDOWS\system32\urffbahb.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - D:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UIUCU] D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: vtsttqq - D:\WINDOWS\SYSTEM32\vtsttqq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4045 bytes

-- Files created between 2007-11-05 and 2007-12-05 -----------------------------

2007-12-05 14:07:22 686630 --a------ D:\dss.exe
2007-12-03 07:36:59 0 d-------- D:\VundoFix Backups <VUNDOF~1>
2007-12-03 07:36:46 130048 --a------ D:\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2007-11-30 08:20:31 0 d-------- D:\Program Files\Avira
2007-11-30 08:20:31 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2007-11-30 07:49:50 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2007-11-29 14:48:59 0 d-------- D:\Program Files\Trend Micro
2007-11-29 14:34:21 1953799 --a------ D:\stinger.exe <Not Verified; McAfee Inc.; McAfee Stinger>
2007-11-29 13:24:11 32 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2007-11-29 13:19:18 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2007-11-29 13:19:13 4212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2007-11-29 13:19:08 11264 --a------ D:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-11-29 13:18:50 0 d-------- D:\WINDOWS\system32\ZoneLabs
2007-11-29 13:18:00 0 d-------- D:\WINDOWS\Internet Logs
2007-11-29 12:57:06 0 d-------- D:\WINDOWS\BDOSCAN8
2007-11-29 10:34:26 77888 --a------ D:\WINDOWS\system32\urffbahb.dll
2007-11-29 10:33:32 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-29 10:05:03 77888 --a------ D:\WINDOWS\system32\cvgrfirr.dll
2007-11-29 10:02:17 629643 ---hs---- D:\WINDOWS\system32\mlkkj.bak2
2007-11-28 07:25:17 6491 ---hs---- D:\WINDOWS\system32\mlkkj.bak1
2007-11-27 17:18:37 0 d-------- D:\Program Files\Lavasoft
2007-11-27 17:18:37 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-11-27 17:17:49 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 11:16:32 0 d-------- D:\Autoruns
2007-11-27 10:43:19 0 d--h----- D:\Documents and Settings\Administrator.PPG\Templates
2007-11-27 10:43:19 0 dr------- D:\Documents and Settings\Administrator.PPG\Start Menu
2007-11-27 10:43:19 0 dr-h----- D:\Documents and Settings\Administrator.PPG\SendTo
2007-11-27 10:43:19 0 d--h----- D:\Documents and Settings\Administrator.PPG\Recent
2007-11-27 10:43:19 0 d--h----- D:\Documents and Settings\Administrator.PPG\PrintHood
2007-11-27 10:43:19 0 d--h----- D:\Documents and Settings\Administrator.PPG\NetHood
2007-11-27 10:43:19 0 d-------- D:\Documents and Settings\Administrator.PPG\My Documents
2007-11-27 10:43:19 0 d-------- D:\Documents and Settings\Administrator.PPG\Favorites
2007-11-27 10:43:19 0 d-------- D:\Documents and Settings\Administrator.PPG\Desktop
2007-11-27 10:43:19 0 d---s---- D:\Documents and Settings\Administrator.PPG\Cookies
2007-11-27 10:43:19 0 dr-h----- D:\Documents and Settings\Administrator.PPG\Application Data
2007-11-27 10:43:19 0 d---s---- D:\Documents and Settings\Administrator.PPG\Application Data\Microsoft
2007-11-27 10:43:18 524288 --ah----- D:\Documents and Settings\Administrator.PPG\NTUSER.DAT
2007-11-27 10:43:18 0 d--h----- D:\Documents and Settings\Administrator.PPG\Local Settings
2007-11-26 16:24:46 0 d-------- D:\PerfLogs
2007-11-26 15:54:02 0 d--h----- D:\WINDOWS\PIF
2007-11-26 07:38:13 633583 ---hs---- D:\WINDOWS\system32\ghhkj.bak2
2007-11-21 07:40:43 6465 ---hs---- D:\WINDOWS\system32\ghhkj.bak1
2007-11-20 14:26:07 36864 --a------ D:\WINDOWS\system32\vtsttqq.dll


-- Find3M Report ---------------------------------------------------------------

2007-12-05 07:23:26 8405015 --a------ D:\WINDOWS\TempFile
2007-10-31 11:51:48 0 d-------- D:\Documents and Settings\CPC\Application Data\Google
2007-10-31 11:18:00 0 d-------- D:\Program Files\Google
2007-10-25 10:26:48 53248 --a------ D:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
11/20/2007 02:26 PM 36864 --a------ D:\WINDOWS\system32\vtsttqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8205309-5ebf-464c-9909-0e9b1256b822}]
11/29/2007 10:34 AM 77888 --a------ D:\WINDOWS\system32\urffbahb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [07/27/2006 02:19 PM D:\WINDOWS\stsystra.exe]
"UIUCU"="D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.exe" [10/30/2003 03:25 PM]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [08/23/2006 02:12 PM]
"nwiz"="nwiz.exe" [08/23/2006 02:12 PM D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [08/23/2006 02:12 PM]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [11/29/2007 01:01 PM]
"tgcmd"="D:\Program Files\Support.com\BellSouth\hcenter.exe" [08/31/2005 02:14 PM]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 04:14 PM]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [11/30/2007 08:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= D:\WINDOWS\system32\vtsttqq.dll [11/20/2007 02:26 PM 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsttqq]
vtsttqq.dll 11/20/2007 02:26 PM 36864 D:\WINDOWS\system32\vtsttqq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-12-05 14:08:41 ------------


And Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3400+
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 958.42 MiB / 639.39 MiB
Pagefile Memory (total/avail): 2218.87 MiB / 1931.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.23 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 19.52 GiB total, 16.53 GiB free.
D: is Fixed (FAT32) - 54.95 GiB total, 48.56 GiB free.
E: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - SAMSUNG HD080HJ/P - 74.5 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 54.96 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.408.000 (Check Point, LTD.)
AV: Avira AntiVir PersonalEdition v 7.0.1.46
(Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\\WINDOWS\\system32\\olpergcv.exe"="D:\\WINDOWS\\system32\\olp"
"D:\\WINDOWS\\system32\\sessmgr.exe"="D:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"D:\\WINDOWS\\system32\\bbtsacww.exe"="D:\\WINDOWS\\system32\\bbt"
"D:\\WINDOWS\\system32\\gxmhdbxk.exe"="D:\\WINDOWS\\system32\\gxm"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users.WINDOWS
APPDATA=D:\Documents and Settings\CPC\Application Data
Buffers=60
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=PPG
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\CPC
LOGONSERVER=\\PPG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\Program Files\Internet Explorer;;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;c:\;c:\dos;c:\menu;c:\cyber;c:\supp;c:\ghost2;C:\Temp
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 95 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=5f02
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=C:\Temp
TMP=C:\Temp
tvdumpflags=8
USERDOMAIN=PPG
USERNAME=CPC
USERPROFILE=D:\Documents and Settings\CPC
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

CPC (admin)
Administrator.PPG (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Avira AntiVir PersonalEdition Classic --> D:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Basic Mixing --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{36BF8B43-2594-4F0B-AFA9-BF4C946007E6}\setup.exe" -l0x9 -removeonly
BellSouth Application Management --> D:\WINDOWS\Motive\BellSouth\UninstallAppManagement.exe
BellSouth FastAccess DSL Help Center --> "D:\Program Files\Support.com\BellSouth\Uninstall.exe" /c "Remove BellSouth® FastAccess® DSL Help Center?"
BellSouth Toolbar 1.0 --> D:\Program Files\blstoolbar\uninstall.exe -uninstall -prompt
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
Brother HL-5240 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D722B1E2-A20F-4966-B88D-41A43CC44D4C}\SETUP.exe" -l0x9 -removeonly /uninst
Color Accurate (US SP61) --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{230CC2A9-28B9-4EDD-B901-FFC6AED00E08}\setup.exe" -l0x9 -removeonly
Hardlock Device Driver --> D:\WINDOWS\system32\UNWISE.EXE D:\WINDOWS\system32\HLDRV.LOG
Hardlock Device Drivers --> D:\WINDOWS\system32\UNWISE.EXE D:\WINDOWS\system32\HLDRV.LOG
High Definition Audio Driver Package - KB835221 --> D:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Macromedia Flash Player 8 --> D:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
NVIDIA Drivers --> D:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
PaintManager --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{96C0AF62-E050-4D32-AEB5-036A2EB59ACE}\setup.exe" -l0x9 -removeonly
PPG Access Color --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3C136C23-EA14-449E-AC15-C9A3565519AC}\Setup.exe"
Report Viewer --> MsiExec.exe /I{7D2B110E-C29D-4E9D-9C48-CA732C6BC880}
SigmaTel Audio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Spybot - Search & Destroy --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
ZoneAlarm --> D:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type964 / Error
Event Submitted/Written: 11/06/2007 08:09:08 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3262 / Error
Event Submitted/Written: 12/05/2007 07:23:33 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type3245 / Error
Event Submitted/Written: 12/04/2007 07:45:38 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type3229 / Error
Event Submitted/Written: 12/03/2007 07:21:42 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type3213 / Error
Event Submitted/Written: 11/30/2007 08:48:49 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type3182 / Error
Event Submitted/Written: 11/30/2007 07:24:03 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2007-12-05 08:18:42 ------------

#8 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • Gender:Male
  • Location:Finland

Posted 05 December 2007 - 02:58 PM

Please download Combofix to your desktop.
  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#9 rogue55

rogue55
  • Topic Starter

  • Members
  • 5 posts

Posted 05 December 2007 - 04:45 PM

ComboFix 07-12-02.6 - CPC 2007-12-05 16:27:28.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.612 [GMT -5:00]
Running from: D:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007
D:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007\Data\Abbr
D:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007\Data\ProductCode
D:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\Abbr
D:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\ProductCode
D:\Documents and Settings\CPC\Application Data\WinAntiSpyware 2007
D:\Documents and Settings\CPC\Application Data\WinAntiSpyware 2007\Logs\update.log
D:\Program Files\Common Files\winantispyware 2007
D:\Program Files\Common Files\WinAntiSpyware 2007\err.log
D:\Program Files\outerinfo
D:\Program Files\outerinfo\Terms.rtf
D:\WINDOWS\cookies.ini
D:\WINDOWS\msettings.ini
D:\WINDOWS\system32\boa.dat
D:\WINDOWS\system32\cvgrfirr.dll
D:\WINDOWS\system32\dn1067627e.dat
D:\WINDOWS\system32\drivers\4_stars.gif
D:\WINDOWS\system32\drivers\5_stars.gif
D:\WINDOWS\system32\drivers\alert_icon.gif
D:\WINDOWS\system32\drivers\buy_btn.gif
D:\WINDOWS\system32\drivers\close_icon.gif
D:\WINDOWS\system32\drivers\detect.htm
D:\WINDOWS\system32\drivers\download_btn.gif
D:\WINDOWS\system32\drivers\features.gif
D:\WINDOWS\system32\drivers\header_bg.gif
D:\WINDOWS\system32\drivers\icon_warning.gif
D:\WINDOWS\system32\drivers\logo_bg.gif
D:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
D:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
D:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
D:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
D:\WINDOWS\system32\drivers\protect.gif
D:\WINDOWS\system32\drivers\pt.htm
D:\WINDOWS\system32\drivers\remove_spyware_button.gif
D:\WINDOWS\system32\drivers\s_detect.htm
D:\WINDOWS\system32\drivers\secuity_center_logo.gif
D:\WINDOWS\system32\drivers\spy_away_box.jpg
D:\WINDOWS\system32\drivers\spy_away_box_small.jpg
D:\WINDOWS\system32\drivers\spy_away_header.gif
D:\WINDOWS\system32\drivers\spy_away_header_small.gif
D:\WINDOWS\system32\drivers\users_rating.gif
D:\WINDOWS\system32\drivers\v.gif
D:\WINDOWS\system32\drivers\x.gif
D:\WINDOWS\system32\ghhkj.bak1
D:\WINDOWS\system32\ghhkj.bak2
D:\WINDOWS\system32\ghhkj.ini
D:\WINDOWS\system32\gtv_sd.bin
D:\WINDOWS\system32\mlkkj.bak1
D:\WINDOWS\system32\mlkkj.bak2
D:\WINDOWS\system32\mlkkj.ini
D:\WINDOWS\system32\sl.bin
D:\WINDOWS\system32\urffbahb.dll
D:\WINDOWS\system32\vtsttqq.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-05 16:25 . 2007-12-05 16:25 1,540,906 --a------ D:\ComboFix.exe
2007-12-05 14:07 . 2007-12-05 08:16 686,630 --a------ D:\dss.exe
2007-12-05 08:16 . 2007-12-05 08:17 <DIR> d-------- D:\Deckard
2007-12-03 07:36 . 2007-12-03 07:37 <DIR> d-------- D:\VundoFix Backups
2007-12-03 07:36 . 2007-12-03 07:36 130,048 --a------ D:\VundoFix.exe
2007-11-30 08:20 . 2007-11-30 08:20 <DIR> d-------- D:\Program Files\Avira
2007-11-30 08:20 . 2007-11-30 08:20 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2007-11-30 07:52 . 2007-11-30 07:49 636,192 --a------ D:\DMSetup.exe
2007-11-30 07:49 . 2007-11-30 07:49 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2007-11-29 14:48 . 2007-11-29 14:49 <DIR> d-------- D:\Program Files\Trend Micro
2007-11-29 14:48 . 2007-11-29 14:48 812,344 --a------ D:\HJTInstall.exe
2007-11-29 14:43 . 2007-11-29 14:43 22 --a------ D:\stinger.opt
2007-11-29 14:34 . 2007-11-29 14:34 1,953,799 --a------ D:\stinger.exe
2007-11-29 13:24 . 2007-12-05 16:33 32 --ahs---- D:\WINDOWS\system32\drivers\fidbox.idx
2007-11-29 13:24 . 2007-12-05 16:33 32 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2007-11-29 13:19 . 2007-11-29 13:19 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2007-11-29 13:19 . 2007-09-06 16:14 75,248 --a------ D:\WINDOWS\zllsputility.exe
2007-11-29 13:19 . 2004-04-27 04:40 11,264 --a------ D:\WINDOWS\system32\SpOrder.dll
2007-11-29 13:19 . 2007-11-29 13:20 4,212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2007-11-29 13:16 . 2007-11-29 13:16 210,416 --a------ D:\zaSetup_en.exe
2007-11-29 12:57 . 2007-11-29 12:57 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2007-11-29 10:34 . 2007-11-29 12:55 801,024 ---hs---- D:\WINDOWS\system32\notiyxsl.ini
2007-11-29 10:33 . 2007-11-29 10:33 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-29 10:05 . 2007-11-29 10:30 800,946 ---hs---- D:\WINDOWS\system32\qkdagset.ini
2007-11-27 17:20 . 2007-11-29 07:29 784,392 ---hs---- D:\WINDOWS\system32\cssmwjpl.ini
2007-11-27 17:18 . 2007-11-27 17:18 <DIR> d-------- D:\Program Files\Lavasoft
2007-11-27 17:18 . 2007-11-27 17:18 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-11-27 17:17 . 2007-11-27 17:17 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 17:17 . 2007-11-27 17:17 7,467,056 --a------ D:\spybotsd15.exe
2007-11-27 17:12 . 2007-11-27 17:12 21,216,112 --a------ D:\aaw2007.exe
2007-11-27 11:16 . 2007-11-27 11:16 <DIR> d-------- D:\Autoruns
2007-11-27 11:15 . 2007-11-27 11:15 496,226 --a------ D:\Autoruns.zip
2007-11-27 07:41 . 2007-11-27 10:48 474 ---hs---- D:\WINDOWS\system32\rxxnxrkd.ini
2007-11-26 16:24 . 2007-11-26 16:24 <DIR> d-------- D:\PerfLogs
2007-11-26 15:54 . 2007-11-26 15:54 <DIR> d--h----- D:\WINDOWS\PIF
2007-11-26 07:41 . 2007-11-27 06:29 354 ---hs---- D:\WINDOWS\system32\somiugqi.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 16:18 --------- d-----w D:\Program Files\Google
2007-10-26 03:36 8,454,656 ------w D:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 15:26 53,248 ----a-w D:\WINDOWS\bdoscandel.exe
2007-09-06 21:14 1,086,952 ----a-w D:\WINDOWS\system32\zpeng24.dll
2007-04-19 14:09 66,276 ----a-w D:\Program Files\INSTALL.LOG
2006-05-16 16:53 570,128 ----a-w D:\Program Files\Common Files\DAO350.DLL
2004-03-01 20:58 561,424 ----a-w D:\Program Files\Common Files\dao360.dll
2007-08-23 20:04 6,473 --sh--w D:\WINDOWS\system32\ayadd.bak1
2007-07-31 14:10 6,466 --sh--w D:\WINDOWS\system32\ilnmp.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 14:19 D:\WINDOWS\stsystra.exe]
"UIUCU"="D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.exe" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 12:00 D:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-23 14:12 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 12:00 D:\WINDOWS\system32\rundll32.exe]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2007-11-29 13:01]
"tgcmd"="D:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 14:14]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-30 08:22]

R1 oxmep;OXPCI support driver;D:\WINDOWS\system32\DRIVERS\oxmep.sys
R1 oxmf;OXPCI Bus enumerator;D:\WINDOWS\system32\DRIVERS\oxmf.sys
R1 oxser;OX16C95x Serial port driver;D:\WINDOWS\system32\DRIVERS\oxser.sys
R3 akshasp;Aladdin HASP Key;D:\WINDOWS\system32\DRIVERS\akshasp.sys
R3 Oxmfuf;Filter driver for OX16PCI95x ports;D:\WINDOWS\system32\DRIVERS\oxmfuf.sys
S3 cbserial;Cyber Port Driver;D:\WINDOWS\system32\DRIVERS\cbserial.sys
S3 portmon2;Cyber20x Driver;D:\WINDOWS\system32\DRIVERS\portmon2.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 16:35:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 16:36:44 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:39 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\stsystra.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://69.94.26.203/H0100001.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - D:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UIUCU] D:\DOCUME~1\CPC\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4324 bytes

#10 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • Gender:Male
  • Location:Finland

Posted 05 December 2007 - 05:24 PM

( 1 )

Open notepad and copy/paste the text in the quotebox below into it: ( Please make sure you copy everything in the code box )

File::

D:\WINDOWS\system32\ayadd.bak1
D:\WINDOWS\system32\ilnmp.bak1


Save this as CFScript.txt

(image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

( 2 )

Perform an online scan with Internet Explorer with Panda Online scanner

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

* If it finds any malware, it will offer you a report.
* Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan.

Edited by Rahina Rescue, 05 December 2007 - 05:25 PM.




