Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

G8dialer & Access Members Area


  • Please log in to reply
13 replies to this topic

#1 Superman

Superman

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 18 February 2006 - 11:24 AM

After lots of help I managed to remove the above virus but after 2 weeks of being clean it has come back. The popup "access members area" keeps appearing and G8dialer in local area connections. please help!

The hojack this log file is below:

Logfile of HijackThis v1.99.1
Scan saved at 16:21:01, on 18/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lich.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\gba1388.exe
C:\Documents and Settings\Coppice Gate\My Documents\Louise\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Register Online.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: True Internet Color® Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1388.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

BC AdBot (Login to Remove)

 


m

#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 19 February 2006 - 07:24 AM

Download this program:
submit files packer
past the list of files into the tool.

C:\WINDOWS\System32\lich.exe
C:\WINDOWS\Downloaded Program Files\gba1388.exe


It will create an archive with these files and a small log on the desktop.

Then please go to this forum: http://www.thespykiller.co.uk/forum/index.php?board=1.0
You don't need to be a member to upload the archive!
Just press new topic, fill in the needed details and just give a link to your HijackThis log topic at this forum & then press the browse button and then navigate to & select the archive on your computer, press Post to upload the file.

Then post back here with a link to the thread.

#3 Superman

Superman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 19 February 2006 - 11:51 AM

I have uploaded the files and the link is below:

http://www.thespykiller.co.uk/forum/index.php?topic=1184.0

Thanks

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 19 February 2006 - 01:34 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
O4 - HKLM\..\Run: [lich] lich.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1388.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer.

Step #2

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\System32\lich.exe
C:\WINDOWS\Downloaded Program Files\gba1388.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are
present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

Find and delete this folder :
C:\!Killbox <= this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

#5 Superman

Superman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 20 February 2006 - 01:33 PM

Ive "fixed" files

O4 - HKLM\..\Run: [lich] lich.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1388.exe

with Hijack this.

Deleted Files

C:\WINDOWS\System32\lich.exe
C:\WINDOWS\Downloaded Program Files\gba1388.exe

with Killbox and then deleted "killbox"

Run "cleanmgr" and checked as requested.

When running Panda Active Scan I ran it on "my computer" - is this correct?

Halfway through the scan it comes up with the message "you cannot create a new Microsoft outlook profile at this time. To create a new profile, open the control panel, doubleclick the mail icon, and then click show profiles". when you hit "ok" another message appears saying "No profiles have been created. To create a new profile, use the mail icon in the control panel" The scan said finished though with the following report


Incident Status Location

Dialer:dialer.flf Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\dba1305.exe
Dialer:dialer.fie Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\gba1402.exe
Adware:adware/cws.yexe Not disinfected C:\web.exe
Adware:adware/spywarestrike Not disinfected C:\WINDOWS\SYSTEM32\1024
Dialer:dialer.qi Not disinfected HKEY_CLASSES_ROOT\CLSID\{62160EEF-9D84-4C19-B7B8-6AC2526CD726}
Adware:adware/adultlt Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@serving-sys[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@serving-sys[2].txt
Virus:Trj/Lowzones.QG Not disinfected C:\Documents and Settings\Coppice Gate\Desktop\requested-files[2006-02-19_16_49].cab[lich.exe]
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/Adviva Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gba1402.exe
Dialer:Dialer.FKS Not disinfected C:\WINDOWS\Downloaded Program Files\dba1305.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\dba1402.exe
Dialer:Dialer.DQF Not disinfected C:\WINDOWS\Downloaded Program Files\dba2218.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\gba1402.exe
Dialer:Dialer.RJ Not disinfected C:\WINDOWS\nackedgirls.exe
Adware:Adware/SpyAxe Not disinfected C:\WINDOWS\system32\1024\ldF5F2.tmp
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpCE63.tmp
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\ldCC8D.tmp


the HIJACKTHIS log is below

Logfile of HijackThis v1.99.1
Scan saved at 18:32:31, on 20/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Coppice Gate\My Documents\Louise\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Register Online.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: True Internet Color® Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 20 February 2006 - 02:05 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{62160EEF-9D84-4C19-B7B8-6AC2526CD726}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards: Posted Image

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Then reboot your computer.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
C:\WINDOWS\SYSTEM32\1024 <= this folder
C:\web.exe <= this file
C:\WINDOWS\system32\ldCC8D.tmp <= this file
C:\WINDOWS\DOWNLOADED PROGRAM FILES\dba1305.exe <= this file
C:\WINDOWS\DOWNLOADED PROGRAM FILES\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\dba1305.exe <= this file
C:\WINDOWS\Downloaded Program Files\dba1402.exe <= this file
C:\WINDOWS\Downloaded Program Files\dba2218.exe <= this file
C:\WINDOWS\Downloaded Program Files\gba1402.exe <= this file
C:\WINDOWS\nackedgirls.exe <= this file
C:\WINDOWS\system32\1024\ldF5F2.tmp <= this file
C:\WINDOWS\system32\hpCE63.tmp <= this file



Reboot your computer normally.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Edited by didom, 20 February 2006 - 02:05 PM.


#7 Superman

Superman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 20 February 2006 - 05:19 PM

PANDA scan report:


Incident Status Location

Dialer:dialer.flf Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\dba1305.exe
Dialer:dialer.fie Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\gba1402.exe
Dialer:dialer.qi Not disinfected HKEY_CLASSES_ROOT\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97}
Adware:adware/adultlt Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@serving-sys[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@serving-sys[2].txt
Virus:Trj/Lowzones.QG Not disinfected C:\Documents and Settings\Coppice Gate\Desktop\requested-files[2006-02-19_16_49].cab[lich.exe]
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/Adviva Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gba1402.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gba1402.exe
Dialer:Dialer.FKS Not disinfected C:\WINDOWS\Downloaded Program Files\dba1305.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\dba1402.exe
Dialer:Dialer.DQF Not disinfected C:\WINDOWS\Downloaded Program Files\dba2218.exe
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\gba1402.exe
Dialer:Dialer.RJ Not disinfected C:\WINDOWS\nackedgirls.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpCE63.tmp

HIJACK THIS log:

Logfile of HijackThis v1.99.1
Scan saved at 22:19:12, on 20/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Coppice Gate\My Documents\Louise\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Register Online.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: True Internet Color® Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 20 February 2006 - 05:40 PM

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97} ]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards: Posted Image

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\nackedgirls.exe
C:\WINDOWS\system32\hpCE63.tmp
C:\WINDOWS\DOWNLOADED PROGRAM FILES\dba1305.exe
C:\WINDOWS\Downloaded Program Files\dba2218.exe
C:\WINDOWS\Downloaded Program Files\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gba1402.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gba1402.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are
present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

Find and delete this folder :
C:\!Killbox <= this folder

Download CCleaner and install it.

Start Ccleaner. click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right).

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

Edited by didom, 20 February 2006 - 05:41 PM.


#9 Superman

Superman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 21 February 2006 - 12:27 PM

PANDA SCAN


Incident Status Location

Dialer:dialer.flf Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\dba1402.exe
Dialer:dialer.qi Not disinfected HKEY_CLASSES_ROOT\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97}
Adware:adware/adultlt Not disinfected Windows Registry
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/Adviva Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp
Dialer:Dialer.FKY Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gba1402.exe
Dialer:Dialer.FKY


HIJACK THIS SCAN LOG

Logfile of HijackThis v1.99.1
Scan saved at 17:26:16, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Coppice Gate\My Documents\Louise\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Register Online.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: True Internet Color® Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

#10 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 21 February 2006 - 02:57 PM

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards: Posted Image

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Then reboot your computer.

Download Killbox to your desktop.
Click killbox.exe.
Select the option "Delete on reboot".
In the field labeled "Full Path of File to Delete" copy and paste next:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\dba1402.exe

Click the button: Single File (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that the listed file will be removed on next reboot and asks if you would like to Reboot now, click YES

Your computer must reboot now.

Find and delete this folder :
C:\!Killbox <= this folder
C:\Program Files\Yahoo!\YPSR\Quarantine <= the CONTENT of this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

Edited by didom, 21 February 2006 - 02:59 PM.


#11 Superman

Superman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 21 February 2006 - 04:07 PM

PANDA SCAN

Incident Status Location

Adware:adware/adultlt Not disinfected Windows Registry
Dialer:dialer.qi Not disinfected HKEY_CLASSES_ROOT\TypeLib\{9A9C9133-E640-4CA7-81C1-123FAC78855F}
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@mediaplex[1].txt
Dialer:Dialer.FKY Not disinfected C:\!KillBox\dba1402.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Coppice Gate\Cookies\coppice gate@mediaplex[1].txt
Dialer:Dialer.FKY


HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 21:07:14, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Coppice Gate\My Documents\Louise\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Register Online.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: True Internet Color® Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

#12 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 21 February 2006 - 04:18 PM

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CLASSES_ROOT\TypeLib\{9A9C9133-E640-4CA7-81C1-123FAC78855F}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards: Posted Image

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Then reboot your computer.

Start Ccleaner. click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right).

Then reboot your computer and tell me how your computer is running

#13 Superman

Superman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 21 February 2006 - 04:27 PM

It seems to be running fine. no popups and the dialers is no longer there. :thumbsup:

thanks for your help.

what antivirus software would you recommend i install to stop this happening again?

#14 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 21 February 2006 - 04:30 PM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. You are running Windows XP so get updated to SP-2

    Please post back if you are still having any problems....





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users