Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Think I Still Have Yazzle On My Pc


  • This topic is locked This topic is locked
18 replies to this topic

#1 duellzy

duellzy

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 31 July 2006 - 04:54 PM

The other day i downloaded a keygen and got yazzleactivex on my pc.
I ran ad-aware se and deleted all that it listed but yazzle would not come off, so i got the auto removal thing and ran it in safemode. It cleard it from te "add-remove" list but i think its still hear because i keep getting pop up msges saying i still have ad-ware and spy-ware. one of them is for "winantivirus" witch i know is sketchy, because iv got a virus with that name before. i have ran all kinds of test and they cant find anything wrong. so im lost and dont know what to do. if anyone could help that would be great. heres my log:


Logfile of HijackThis v1.99.1
Scan saved at 1:59:05 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\{D42781CA-0448-1033-1114-010305170001}\Update.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Duell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 31 July 2006 - 04:59 PM

Hey there and welcome to BleepingComputer.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

* Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\Common Files\{D42781CA-0448-1033-1114-010305170001}

Please now reboot back to normal mode. It is strange that there are no 02's or 020's in the log - a new infection is hiding these entries from a Hijackthis scan, so it means certain infections cannot be seen and are therefore hidden to the helper. Go to this folder where Hijackthis is kept and rename the hijackthis application to "analyse" by right clicking on the program and clicking "rename". Press enter, then open "analyse.exe" by double clicking and post a new Hijackthis log from the newly named application.

David

#3 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 31 July 2006 - 05:28 PM

i deleted that folder in safemode, and renamed and ran hjt in normalmode.
If its any help, i use firefox browser. heres my new log:




Logfile of HijackThis v1.99.1
Scan saved at 3:23:39 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Documents and Settings\Duell\Desktop\analyse.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O2 - BHO: (no name) - {C3961AB3-BEA4-4106-ACAA-62DACBC4C8A8} - C:\WINDOWS\system32\mlljh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 31 July 2006 - 05:35 PM

Hey there,

That's shown the infections now.
It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O2 - BHO: (no name) - {C3961AB3-BEA4-4106-ACAA-62DACBC4C8A8} - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

2) Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less - Click OK
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right Click inside the listbox (white box) and click "add more files"
Copy and paste the 2 entries below into the top 2 boxes (no arrows):

--> C:\WINDOWS\system32\mlljh.dll
--> C:\WINDOWS\system32\hjllm.*

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

3) * Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winrkq32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

4) * Please download SmitfraudFix (by S!Ri)
  • Extract the content (a folder named SmitfraudFix) to your Desktop.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1, and press Enter.
  • A text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
  • Note : process.exe is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes.
5) Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

6) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

So please post back with:

1) New Hijackthis log
2) Silent Runners Log.
3) Uninstall Manager list.
4) Smitfraudfix log.

David

#5 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 31 July 2006 - 06:30 PM

new hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 4:25:51 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Duell\Desktop\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDE8CF18-E8AA-493B-9B14-2FA8931754FB} - C:\WINDOWS\system32\mlljh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


new silent runners log:


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{D42781CA-0448-1033-1114-010305170001}" = ""C:\Program Files\Common Files\{D42781CA-0448-1033-1114-010305170001}\Update.exe" mc-110-12-0000272" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AWMON" = ""C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{FDE8CF18-E8AA-493B-9B14-2FA8931754FB}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\mlljh.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! mlljh\DLLName = "C:\WINDOWS\system32\mlljh.dll" [null data]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Duell\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{20CCCFEC-D26F-4FFE-996B-388B39C8CCCA}\
"MenuText" = "Tri&xie Options..."
"CLSIDExtension" = "{20CCCFEC-D26F-4ffe-996B-388B39C8CCCA}"
-> {HKLM...CLSID} = "Trixie.CmdDispatch"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.DLL" [MS]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
NetLimiter, nlsvc, ""C:\Program Files\NetLimiter 2 Pro\nlsvc.exe"" ["Locktime Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 58 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 34 seconds.
---------- (total run time: 148 seconds)



uninstall-list:


Ad-Aware SE Plus
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Virus 7.0
BitTorrent 4.20.4
DefilerPak 1.22 (Remove Only)
Fallout
Fallout Tactics
Fallout2
GameSpy Arcade
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Professional Edition 2003
mIRC
Mozilla Firefox (1.5.0.5)
NetLimiter 2 Pro (remove only)
PowerDVD
Quake II
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Trixie
TuneUp Utilities 2006
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar



new smitfraudfix log:


SmitFraudFix v2.76

Scan done at 16:11:47.87, Mon 07/31/2006
Run from C:\Documents and Settings\Duell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Duell\Application Data


Start Menu


C:\DOCUME~1\Duell\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


Scanning wininet.dll infection


End

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 01 August 2006 - 03:30 AM

Hey there duellzy.
We've made good progress so far.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Did you run Vundofix for me (step 2)?
If not please run it, or if you did please post the log.

1) Please open the task manager and click on the processes button.
Look for an "update.exe" and click end process on it if you find it.
Please search and delete this folder:
C:\Program Files\Common Files\{D42781CA-0448-1033-1114-010305170001}

2) Now please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{D42781CA-0448-1033-1114-010305170001}"=-

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

3) Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

4) Once in Safe Mode, open the SmitfraudFix folder again.
  • Double-click smitfraudfix.cmd.
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
  • The report can also be found at the root of the system drive, usually at C:\rapport.txt
  • Warning : running option #2 on a non infected computer will remove your Desktop background.
David

#7 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 01 August 2006 - 05:55 PM

heres the rapport:


SmitFraudFix v2.76

Scan done at 15:44:52.40, Tue 08/01/2006
Run from C:\Documents and Settings\Duell\Desktop\hex\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End








and heres the vundofix log from yesterday:





VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.6

Scan started at 3:49:06 PM 7/31/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 02 August 2006 - 01:50 PM

Hey there duellzy,
Let's try an alternate fix.

* Download Combofix to your desktop. !! It is really important that combofix.exe is on your desktop, not somewhere else or not in a folder on your desktop.

Then go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\Owner\Desktop\combofix.exe" /v mlljh.dll

Hit enter.
This should start the combofix.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#9 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 02 August 2006 - 06:32 PM

combofix log:



(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


No infected files found
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-01 16:01:10 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-31 22:03:38 ( .D... ) "C:\Program Files\Lionhead Studios"
2006-07-31 18:09:50 ( .D... ) "C:\Program Files\Ubisoft"
2006-07-31 14:24:40 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Sun"
2006-07-31 14:20:08 ( .D... ) "C:\Program Files\Java"
2006-07-31 14:19:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-29 13:13:22 573492 ( ..... ) "C:\WINDOWS\system32\mlljh.dll"
2006-07-29 12:43:02 13312 ( A.... ) "C:\WINDOWS\system32\e7cee74.exe"
2006-07-29 12:42:58 40973 ( ..SH. ) "C:\WINDOWS\system32\qomnlki.dll"
2006-07-25 19:24:04 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-24 17:31:08 ( .D... ) "C:\Program Files\Microsoft Games"
2006-07-19 00:50:12 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Kazaa Lite"
2006-07-14 23:17:20 ( .D... ) "C:\Documents and Settings\Duell\Application Data\BitTorrent"
2006-07-14 23:08:02 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-08 18:49:20 ( .D... ) "C:\Documents and Settings\Duell\Application Data\My Battle for Middle-earth Files"
2006-07-07 14:52:36 52736 ( A.... ) "C:\WINDOWS\ipuninst.exe"
2006-07-07 14:50:10 ( .D... ) "C:\Program Files\BlackIsle"
2006-07-06 12:38:26 ( .D... ) "C:\Program Files\Interplay"
2006-07-05 13:00:00 4 ( A.... ) "C:\WINDOWS\info147.sys"
2006-06-28 21:26:36 ( .D... ) "C:\Program Files\Common Files\Totem Shared"
2006-06-20 17:14:52 ( .D... ) "C:\Program Files\14 Degrees East"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-09 20:23:34 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-06-09 20:23:28 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-06-09 20:22:56 ( .D... ) "C:\Program Files\Microsoft.NET"
2006-06-09 20:22:56 ( .D... ) "C:\Program Files\Microsoft Office"
2006-06-08 08:28:44 ( .D... ) "C:\Program Files\CyberLink"
2006-06-05 18:07:06 ( .D... ) "C:\Program Files\DefilerPak"
2006-06-01 11:50:06 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-06-01 11:50:02 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-23 03:51:50 129536 ( A.... ) "C:\WINDOWS\system32\IJL15.dll"
2006-05-23 03:51:38 94208 ( A.... ) "C:\WINDOWS\system32\ScrUnZip.dll"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-09 00:08:46 21840 ( A.... ) "C:\WINDOWS\system32\SIntfNT.dll"
2006-05-09 00:08:46 17212 ( A.... ) "C:\WINDOWS\system32\SIntf32.dll"
2006-05-09 00:08:46 12067 ( A.... ) "C:\WINDOWS\system32\SIntf16.dll"
2006-05-03 19:51:26 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-05-03 18:48:04 12288 ( A.... ) "C:\WINDOWS\avgntlog.dll"
2006-05-03 16:55:22 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-05-03 13:15:24 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-05-03 05:42:14 62 ( A.SH. ) "C:\Documents and Settings\Duell\Application Data\desktop.ini"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-01 04:08 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-01 04:08 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-01 04:08 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-01 04:07 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-01 04:07 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-01 04:07 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-01 04:07 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-01 04:07 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-01 04:07 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-01 04:07 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-01 04:07 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-08-01 04:07 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-31 22:03 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-31 16:10 53,248 C:\WINDOWS\system32\Process.exe
2006-07-31 16:10 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-31 16:10 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-31 16:10 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-31 14:21 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-31 14:21 49,248 C:\WINDOWS\system32\java.exe
2006-07-31 14:21 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-30 15:13 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-29 13:13 573,492 C:\WINDOWS\system32\mlljh.dll
2006-07-29 12:43 13,312 C:\WINDOWS\system32\e7cee74.exe
2006-07-29 12:42 40,973 C:\WINDOWS\system32\qomnlki.dll
2006-07-06 12:46 52,736 C:\WINDOWS\ipuninst.exe
2006-06-28 21:26 4 C:\WINDOWS\info147.sys
2006-06-19 16:20 702,768 C:\WINDOWS\system32\WgaLogon.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Wed 08/02/2006 16:23:34.56
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-02.162300.txt



After that i rebooted my comp and ran HJT:



Logfile of HijackThis v1.99.1
Scan saved at 4:28:13 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Duell\Desktop\hex\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {613019BE-0A68-4340-8D5D-FE9466AC7201} - C:\WINDOWS\system32\mlljh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Edited by duellzy, 02 August 2006 - 06:33 PM.


#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 03 August 2006 - 02:14 PM

Hey duellzy

I apologise, but I got the last step slightly wrong.
I've checked and the command I asked you to paste was slightly wrong.
We need to therefore repeat a step.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\e7cee74.exe
C:\WINDOWS\system32\qomnlki.dll
C:\WINDOWS\ipuninst.exe
C:\WINDOWS\info147.sys


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

2) Go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\Owner\Desktop\combofix.exe" /v mlljh

Hit enter.
This should start the combofix.

Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#11 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 03 August 2006 - 11:39 PM

combofix:



(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


No infected files found
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-01 16:01:10 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-31 22:03:38 ( .D... ) "C:\Program Files\Lionhead Studios"
2006-07-31 18:09:50 ( .D... ) "C:\Program Files\Ubisoft"
2006-07-31 14:24:40 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Sun"
2006-07-31 14:20:08 ( .D... ) "C:\Program Files\Java"
2006-07-31 14:19:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-29 13:13:22 573492 ( ..... ) "C:\WINDOWS\system32\mlljh.dll"
2006-07-29 12:43:02 13312 ( A.... ) "C:\WINDOWS\system32\e7cee74.exe"
2006-07-29 12:42:58 40973 ( ..SH. ) "C:\WINDOWS\system32\qomnlki.dll"
2006-07-25 19:24:04 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-24 17:31:08 ( .D... ) "C:\Program Files\Microsoft Games"
2006-07-19 00:50:12 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Kazaa Lite"
2006-07-14 23:17:20 ( .D... ) "C:\Documents and Settings\Duell\Application Data\BitTorrent"
2006-07-14 23:08:02 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-08 18:49:20 ( .D... ) "C:\Documents and Settings\Duell\Application Data\My Battle for Middle-earth Files"
2006-07-07 14:52:36 52736 ( A.... ) "C:\WINDOWS\ipuninst.exe"
2006-07-07 14:50:10 ( .D... ) "C:\Program Files\BlackIsle"
2006-07-06 12:38:26 ( .D... ) "C:\Program Files\Interplay"
2006-07-05 13:00:00 4 ( A.... ) "C:\WINDOWS\info147.sys"
2006-06-28 21:26:36 ( .D... ) "C:\Program Files\Common Files\Totem Shared"
2006-06-20 17:14:52 ( .D... ) "C:\Program Files\14 Degrees East"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-09 20:23:34 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-06-09 20:23:28 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-06-09 20:22:56 ( .D... ) "C:\Program Files\Microsoft.NET"
2006-06-09 20:22:56 ( .D... ) "C:\Program Files\Microsoft Office"
2006-06-08 08:28:44 ( .D... ) "C:\Program Files\CyberLink"
2006-06-05 18:07:06 ( .D... ) "C:\Program Files\DefilerPak"
2006-06-01 11:50:06 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-06-01 11:50:02 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-23 03:51:50 129536 ( A.... ) "C:\WINDOWS\system32\IJL15.dll"
2006-05-23 03:51:38 94208 ( A.... ) "C:\WINDOWS\system32\ScrUnZip.dll"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-09 00:08:46 21840 ( A.... ) "C:\WINDOWS\system32\SIntfNT.dll"
2006-05-09 00:08:46 17212 ( A.... ) "C:\WINDOWS\system32\SIntf32.dll"
2006-05-09 00:08:46 12067 ( A.... ) "C:\WINDOWS\system32\SIntf16.dll"
2006-05-03 19:51:26 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-05-03 18:48:04 12288 ( A.... ) "C:\WINDOWS\avgntlog.dll"
2006-05-03 16:55:22 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-05-03 13:15:24 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-05-03 05:42:14 62 ( A.SH. ) "C:\Documents and Settings\Duell\Application Data\desktop.ini"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-01 04:08 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-01 04:08 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-01 04:08 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-01 04:07 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-01 04:07 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-01 04:07 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-01 04:07 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-01 04:07 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-01 04:07 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-01 04:07 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-01 04:07 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-08-01 04:07 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-31 22:03 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-31 16:10 53,248 C:\WINDOWS\system32\Process.exe
2006-07-31 16:10 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-31 16:10 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-31 16:10 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-31 14:21 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-31 14:21 49,248 C:\WINDOWS\system32\java.exe
2006-07-31 14:21 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-30 15:13 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-29 13:13 573,492 C:\WINDOWS\system32\mlljh.dll
2006-07-29 12:43 13,312 C:\WINDOWS\system32\e7cee74.exe
2006-07-29 12:42 40,973 C:\WINDOWS\system32\qomnlki.dll
2006-07-06 12:46 52,736 C:\WINDOWS\ipuninst.exe
2006-06-28 21:26 4 C:\WINDOWS\info147.sys
2006-06-19 16:20 702,768 C:\WINDOWS\system32\WgaLogon.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Wed 08/02/2006 16:23:34.56
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-02.162300.txt



HJT:





Logfile of HijackThis v1.99.1
Scan saved at 9:35:03 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\Duell\Desktop\hex\analyse.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {427F5CF6-2B2B-4EAA-BD09-E44E4E07100E} - C:\WINDOWS\system32\mlljh.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 04 August 2006 - 03:27 AM

Heya duellzy.

Did you follow the instructions in the last post?
I think you did but you posted the wrong combofix log.
I can't tell as you didn't post the whole log with the time made at the top.
Go to your C:\ and delete any Combofix logs there.
The look like this --> "
ComboFix.2006-08-04.092349.txt"

Now please repeat all the insuctions in my previous post to you (Post #10), including running killbox again.
You shoud post back with the whole Combofix log and a new Hijackthis log.

Sorry for the confusion here,
David

#13 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 04 August 2006 - 09:07 PM

lol, this is crazy
u said to tell u if any prompt showed up on killbox.. there was one

combofix:



(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


No infected files found
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-02 22:54:28 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Petroglyph"
2006-08-02 21:03:10 ( .D... ) "C:\Program Files\LucasArts"
2006-08-01 16:01:10 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-31 22:03:38 ( .D... ) "C:\Program Files\Lionhead Studios"
2006-07-31 18:09:50 ( .D... ) "C:\Program Files\Ubisoft"
2006-07-31 14:24:40 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Sun"
2006-07-31 14:20:08 ( .D... ) "C:\Program Files\Java"
2006-07-31 14:19:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-29 13:13:22 573492 ( ..... ) "C:\WINDOWS\system32\mlljh.dll"
2006-07-25 19:24:04 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-24 17:31:08 ( .D... ) "C:\Program Files\Microsoft Games"
2006-07-19 00:50:12 ( .D... ) "C:\Documents and Settings\Duell\Application Data\Kazaa Lite"
2006-07-14 23:17:20 ( .D... ) "C:\Documents and Settings\Duell\Application Data\BitTorrent"
2006-07-14 23:08:02 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-08 18:49:20 ( .D... ) "C:\Documents and Settings\Duell\Application Data\My Battle for Middle-earth Files"
2006-07-07 14:50:10 ( .D... ) "C:\Program Files\BlackIsle"
2006-07-06 12:38:26 ( .D... ) "C:\Program Files\Interplay"
2006-06-28 21:26:36 ( .D... ) "C:\Program Files\Common Files\Totem Shared"
2006-06-20 17:14:52 ( .D... ) "C:\Program Files\14 Degrees East"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-09 20:23:34 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-06-09 20:23:28 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-06-09 20:22:56 ( .D... ) "C:\Program Files\Microsoft.NET"
2006-06-09 20:22:56 ( .D... ) "C:\Program Files\Microsoft Office"
2006-06-08 08:28:44 ( .D... ) "C:\Program Files\CyberLink"
2006-06-05 18:07:06 ( .D... ) "C:\Program Files\DefilerPak"
2006-06-01 11:50:06 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-06-01 11:50:02 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-23 03:51:50 129536 ( A.... ) "C:\WINDOWS\system32\IJL15.dll"
2006-05-23 03:51:38 94208 ( A.... ) "C:\WINDOWS\system32\ScrUnZip.dll"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-09 00:08:46 21840 ( A.... ) "C:\WINDOWS\system32\SIntfNT.dll"
2006-05-09 00:08:46 17212 ( A.... ) "C:\WINDOWS\system32\SIntf32.dll"
2006-05-09 00:08:46 12067 ( A.... ) "C:\WINDOWS\system32\SIntf16.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-01 04:08 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-01 04:08 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-01 04:08 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-01 04:07 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-01 04:07 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-01 04:07 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-01 04:07 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-01 04:07 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-01 04:07 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-01 04:07 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-01 04:07 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-08-01 04:07 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-31 22:03 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-31 16:10 53,248 C:\WINDOWS\system32\Process.exe
2006-07-31 16:10 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-31 16:10 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-31 16:10 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-31 14:21 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-31 14:21 49,248 C:\WINDOWS\system32\java.exe
2006-07-31 14:21 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-30 15:13 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-29 13:13 573,492 C:\WINDOWS\system32\mlljh.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Fri 08/04/2006 19:01:55.89
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt



HJT:



Logfile of HijackThis v1.99.1
Scan saved at 7:02:41 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Duell\Desktop\hex\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E7D9CA70-5657-4909-A81E-0F9E67E864C2} - C:\WINDOWS\system32\mlljh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:10 AM

Posted 05 August 2006 - 02:18 AM

Ok, that's good thanks.
You have a stubbourn Vundo infection.

Download VirtumundoBeGone.
Save it to your desktop, and reboot your System
Close all running programs (including your Internet Browser)
Double-click "VirtumundoBeGone.exe" on the desktop
Follow the directions as indicated.
The program will generate a "Blue Screen of Death".
This is an expected part of the process, so don't be concerned when it happens.
The program generates a log, which it should have placed on your Desktop
Copy & paste the VirtumundoBeGone log back here together with a new hijackthislog.

David

#15 duellzy

duellzy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 05 August 2006 - 03:53 PM

VBG:



[08/05/2006, 13:42:22] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Duell\Desktop\VirtumundoBeGone.exe" )
[08/05/2006, 13:42:31] - Detected System Information:
[08/05/2006, 13:42:31] - Windows Version: 5.1.2600, Service Pack 2
[08/05/2006, 13:42:31] - Current Username: Duell (Admin)
[08/05/2006, 13:42:31] - Windows is in NORMAL mode.
[08/05/2006, 13:42:31] - Searching for Browser Helper Objects:
[08/05/2006, 13:42:31] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[08/05/2006, 13:42:31] - BHO 2: {2B876D97-3528-430A-9E61-C8F5F9C9AA11} ()
[08/05/2006, 13:42:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/05/2006, 13:42:31] - Checking for HKLM\...\Winlogon\Notify\mlljh
[08/05/2006, 13:42:31] - Found: HKLM\...\Winlogon\Notify\mlljh - This is probably Virtumundo.
[08/05/2006, 13:42:31] - Assigning {2B876D97-3528-430A-9E61-C8F5F9C9AA11} MSEvents Object
[08/05/2006, 13:42:31] - BHO list has been changed! Starting over...
[08/05/2006, 13:42:31] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[08/05/2006, 13:42:31] - BHO 2: {2B876D97-3528-430A-9E61-C8F5F9C9AA11} (MSEvents Object)
[08/05/2006, 13:42:31] - ALERT: Found MSEvents Object!
[08/05/2006, 13:42:31] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[08/05/2006, 13:42:31] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/05/2006, 13:42:31] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/05/2006, 13:42:31] - Finished Searching Browser Helper Objects
[08/05/2006, 13:42:31] - *** Detected MSEvents Object
[08/05/2006, 13:42:31] - Trying to remove MSEvents Object...
[08/05/2006, 13:42:32] - Terminating Process: IEXPLORE.EXE
[08/05/2006, 13:42:33] - Terminating Process: RUNDLL32.EXE
[08/05/2006, 13:42:33] - Disabling Automatic Shell Restart
[08/05/2006, 13:42:33] - Terminating Process: EXPLORER.EXE
[08/05/2006, 13:42:33] - Suspending the NT Session Manager System Service
[08/05/2006, 13:42:33] - Terminating Windows NT Logon/Logoff Manager
[08/05/2006, 13:47:35] - Re-enabling Automatic Shell Restart
[08/05/2006, 13:47:35] - File to disable: C:\WINDOWS\system32\mlljh.dll
[08/05/2006, 13:47:35] - Renaming C:\WINDOWS\system32\mlljh.dll -> C:\WINDOWS\system32\mlljh.dll.vir
[08/05/2006, 13:47:35] - File successfully renamed!
[08/05/2006, 13:47:35] - Removing HKLM\...\Browser Helper Objects\{2B876D97-3528-430A-9E61-C8F5F9C9AA11}
[08/05/2006, 13:47:35] - Removing HKCR\CLSID\{2B876D97-3528-430A-9E61-C8F5F9C9AA11}
[08/05/2006, 13:47:35] - Adding Kill Bit for ActiveX for GUID: {2B876D97-3528-430A-9E61-C8F5F9C9AA11}
[08/05/2006, 13:47:35] - Deleting ATLEvents/MSEvents Registry entries
[08/05/2006, 13:47:35] - Removing HKLM\...\Winlogon\Notify\mlljh
[08/05/2006, 13:47:35] - Searching for Browser Helper Objects:
[08/05/2006, 13:47:35] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[08/05/2006, 13:47:35] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[08/05/2006, 13:47:35] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/05/2006, 13:47:35] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/05/2006, 13:47:35] - Finished Searching Browser Helper Objects
[08/05/2006, 13:47:35] - Finishing up...
[08/05/2006, 13:47:35] - A restart is needed.
[08/05/2006, 13:47:51] - Attempting to Restart via STOP error (Blue Screen!)


HJT:



Logfile of HijackThis v1.99.1
Scan saved at 1:50:09 PM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\Duell\Desktop\hex\analyse.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users