I'm Infected, Help Me (Not Sure What To Do)


  • This topic is locked
6 replies to this topic

#1 jace_xiong

  • Members
  • 6 posts

Posted 08 August 2006 - 08:15 PM

I know some of these viruses (SurfSideKick & Command Service) and have tried to remove them, but kind of failed... and I am sure that there are others that I don't know about. I need help!!!

Here is my log (any kind of help is wanted and gladly accepted).

Logfile of HijackThis v1.99.1
Scan saved at 6:06:37 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Kg\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\{24D0AF96-07CD-1033-1031-030314030001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\PPPATC~1\taskmgr.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\YMANTE~1\RNDLL3~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Desktop\spyware & adware remover software\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe,iwsfxra.exe
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: (no name) - {C059F45F-45B2-1734-B8C7-36B6DEE22A96} - C:\WINDOWS\system32\gsprd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Rtta] "C:\WINDOWS\PPPATC~1\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [Qrhpw] C:\DOCUME~1\ADMINI~1\APPLIC~1\YMANTE~1\RNDLL3~1.EXE
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154326894703
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: repairs303169590.dll,ping.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Kg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
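A first pass over a log like the one above can be automated. The script below is an added example, not HijackThis code and not part of this thread; it parses the entries and applies a few of the checks a helper makes by eye: a UserInit value that lists more than userinit.exe, a populated AppInit_DLLs, a service with no publisher, an O4 autorun whose filename is one character off a Windows binary, sits outside that binary's home directory, or runs from the user's Application Data, and one DLL registered as both a BHO and a text/html MIME filter. The lines it reads are copied from the log above; the list of system binaries and their home directories is this example's own assumption for Windows XP.

```python
import re
from collections import defaultdict

# Lines excerpted from the first HijackThis log posted above. The verdicts the
# code reaches are this example's own heuristics, not HijackThis output and not
# the forum helper's analysis.
HJT_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,iwsfxra.exe
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKCU\..\Run: [Rtta] "C:\WINDOWS\PPPATC~1\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [Qrhpw] C:\DOCUME~1\ADMINI~1\APPLIC~1\YMANTE~1\RNDLL3~1.EXE
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: repairs303169590.dll,ping.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Kg\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# A quoted Windows path, or an unquoted one up to the first binary extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx))', re.I)
# Assumed for Windows XP: binaries malware likes to impersonate, and where they belong.
SYSTEM_BINARIES = {"userinit.exe", "iexplore.exe", "explorer.exe", "taskmgr.exe",
                   "rundll32.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows", r"c:\program files\internet explorer"}


def first_path(text):
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else None


def edit_distance_one(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    for i in range(len(b)):
        if a[:i] + b[i] + a[i:] == b:  # one insertion
            return True
        if len(a) == len(b) and a[:i] + b[i] + a[i + 1:] == b:  # one substitution
            return True
    return False


def triage(log_text):
    """Return (hjt_section, reason, evidence) triples for entries worth a closer look."""
    findings, dll_hooks = [], defaultdict(set)
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        path = first_path(body)
        if kind == "F2" and "UserInit=" in body:
            # Only userinit.exe belongs here; anything else runs at every logon.
            for exe in body.split("UserInit=", 1)[1].split(","):
                if exe.strip().lower() != "userinit.exe":
                    findings.append((kind, "extra UserInit executable", exe.strip()))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            for dll in body.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append((kind, "AppInit_DLLs injection", dll.strip()))
        elif kind == "O23" and "Unknown owner" in body and path:
            findings.append((kind, "service without a publisher", path))
        elif kind == "O4" and path:
            folder, name = path.lower().rsplit("\\", 1)
            if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
                findings.append((kind, "system binary name outside its home directory", path))
            elif any(edit_distance_one(name, real) for real in SYSTEM_BINARIES):
                findings.append((kind, "name one character off a Windows binary", path))
            elif "\\applic~1\\" in folder or "\\application data\\" in folder:
                findings.append((kind, "autorun from a user-profile data directory", path))
        if kind in ("O2", "O18") and path:
            dll_hooks[path.lower()].add(kind)
    for dll, kinds in dll_hooks.items():
        if kinds == {"O2", "O18"}:
            findings.append(("O2+O18", "same DLL registered as BHO and MIME filter", dll))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(HJT_LOG):
        print(f"{section:7} {reason:46} {evidence}")
```

Run as a script it prints one line per finding; the legitimate Java updater and NVIDIA service entries in the sample pass through silently, which is the point of keying the checks on structure (where the file lives, which hook loads it) rather than on whether a name looks odd.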

#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 August 2006 - 04:42 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful, as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop, where they can be easily found, for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs.
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

2) Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following, if present:

Oin, Yazzle by OIN, or anything similar with Oin in it.

Please run the uninstaller by using the tutorial found here:
http://www.outerinfo.com/howto.html
Then reboot! (very important)

3) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad and paste it here.

4) Download ComboFix to your desktop.
Double-click combo.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David

#3 jace_xiong

  • Topic Starter
  • Members
  • 6 posts

Posted 09 August 2006 - 07:00 PM

OK, I did all that you asked and it seems like everything is working fine now... no more pop-ups so far :thumbsup:

Here are my logs...

(HiJackThis)

Logfile of HijackThis v1.99.1
Scan saved at 4:55:38 PM, on 8/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\spyware & adware remover software\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154326894703
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: ping.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



(Uninstall_List)

Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
AVG Free Edition
Azureus
BroadJump Client Foundation
BSPlayer
Camera Driver
Collab
Conquer 2.0
DivX
DivX Player
DivX Web Player
DM9XInst
Easy CD Creator 5 Basic
FL Studio 6
Forethought
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
K-Lite Mega Codec Pack 1.51
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office XP Professional with FrontPage
MSN Messenger 7.5
MSN Music Assistant
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
NvMixer
Quicklinks
SBC Self Support Tool
SBC Yahoo! Applications
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SoundMAX
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Wolfenstein - Enemy Territory
Wolfenstein: Enemy Territory


(Combofix)
Start Time= Wed 08/09/2006 16:53:33.85

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2080-01-26 15:38:52 62 ( A.SH. ) "C:\Documents and Settings\Administrator\Application Data\desktop.ini"
2080-01-23 23:05:26 ( .D... ) "C:\Program Files\NVIDIA Corporation"
2080-01-23 23:05:26 ( .D... ) "C:\Program Files\Common Files\NVIDIA Shared"
2080-01-17 01:29:26 ( .D... ) "C:\Program Files\Common Files\Adobe"
2080-01-17 01:28:32 ( .D... ) "C:\Program Files\Adobe"
2080-01-12 17:26:52 ( .D... ) "C:\Program Files\Common Files\Java"
2080-01-11 22:30:26 ( .D... ) "C:\Program Files\Common Files\EasyInfo"
2080-01-10 19:57:26 ( .D... ) "C:\Program Files\Analog Devices"
2080-01-10 15:49:16 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2080-01-10 15:45:44 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2080-01-10 13:31:54 ( .D.H. ) "C:\Program Files\Uninstall Information"
2080-01-10 03:58:34 ( .D... ) "C:\Program Files\xerox"
2080-01-10 03:58:34 ( .D... ) "C:\Program Files\microsoft frontpage"
2080-01-10 03:56:28 ( .D... ) "C:\Program Files\Common Files\Services"
2080-01-10 03:56:22 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2080-01-10 03:56:16 ( .D... ) "C:\Program Files\Movie Maker"
2080-01-10 03:56:10 ( .D... ) "C:\Program Files\NetMeeting"
2080-01-10 03:56:08 ( .D... ) "C:\Program Files\Outlook Express"
2080-01-10 03:56:02 ( .D... ) "C:\Program Files\Internet Explorer"
2080-01-10 03:56:02 ( .D... ) "C:\Program Files\Common Files\System"
2080-01-10 03:55:48 ( .D... ) "C:\Program Files\ComPlus Applications"
2080-01-10 03:55:16 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2080-01-10 03:55:16 ( .D... ) "C:\Program Files\Windows Media Player"
2080-01-10 03:55:16 ( .D... ) "C:\Program Files\Online Services"
2080-01-10 03:55:10 ( .D... ) "C:\Program Files\Messenger"
2080-01-10 03:55:06 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2080-01-10 03:54:38 ( .D... ) "C:\Program Files\Windows NT"
2080-01-10 03:54:38 ( .D... ) "C:\Program Files\MSN"
2080-01-09 19:51:26 ( .D... ) "C:\Program Files\Common Files\ODBC"
2080-01-09 19:51:22 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2080-01-09 19:51:22 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2080-01-09 19:51:22 ( .D... ) "C:\Program Files\Common Files"
2006-08-09 14:53:46 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\AVG7"
2006-08-09 14:53:28 ( .D... ) "C:\Program Files\Grisoft"
2006-08-08 20:48:00 ( .D... ) "C:\Program Files\Common Files\urwq"
2006-08-08 15:20:18 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-08-08 15:20:06 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-08-08 15:20:04 221184 ( A.... ) "C:\WINDOWS\system32\vf1v62x.dll"
2006-08-08 15:20:04 45056 ( A.... ) "C:\WINDOWS\system32\afdaqd3.exe"
2006-08-08 15:20:04 28672 ( A.... ) "C:\WINDOWS\system32cymmh.exe"
2006-08-08 15:20:04 28672 ( A.... ) "C:\WINDOWS\system32\whcixm7.exe"
2006-08-08 15:20:04 28672 ( A.... ) "C:\WINDOWS\system32\cymmh.exe"
2006-08-08 15:20:04 0 ( A.... ) "C:\WINDOWS\system32afdaqd3.exe"
2006-08-08 15:19:56 36864 ( A.... ) "C:\WINDOWS\thiselt.exe"
2006-08-04 07:54:26 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\??sks"
2006-07-30 10:32:38 1064 ( A.... ) "C:\WINDOWS\system32\fii4b18b.sys"
2006-07-30 10:32:38 1064 ( A.... ) "C:\WINDOWS\system32\fii4b18b.sys"
2006-07-30 02:39:14 24 ( A.... ) "C:\WINDOWS\nriny.dll"
2006-07-30 00:55:24 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\?ymantec"
2006-07-30 00:55:12 61440 ( A.... ) "C:\WINDOWS\system32\fii4b18b.dll"
2006-07-30 00:55:02 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-07-30 00:54:54 380928 ( A.... ) "C:\WINDOWS\system32\WinNB58.dll"
2006-07-30 00:54:54 ( .D... ) "C:\Program Files\Common Files\{24D0AF96-07CD-1033-1031-030314030001}"
2006-07-26 15:59:44 159744 ( A.... ) "C:\WINDOWS\system32\apbzk.exe"
2006-07-24 15:31:24 1163264 ( A.... ) "C:\WINDOWS\system32\l3jdfs.exe"
2006-07-24 15:31:12 36864 ( A.... ) "C:\WINDOWS\system32\vp1i4.exe"
2006-07-22 15:33:26 44 ( A.... ) "C:\WINDOWS\system32\msssc.dll"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-17 19:22:34 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Azureus"
2006-07-17 19:20:44 ( .D... ) "C:\Program Files\Azureus"
2006-07-13 06:47:34 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Motive"
2006-07-13 06:43:56 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Yahoo!"
2006-07-13 06:43:12 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-07-13 06:42:56 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-07-13 06:28:48 ( .D... ) "C:\Program Files\Yahoo!"
2006-07-09 10:31:06 ( .D... ) "C:\Program Files\Empire Earth"
2006-06-27 21:12:54 19024 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT"
2006-06-05 18:44:40 20992 ( A.... ) "C:\WINDOWS\system32\24eb2d2c.exe"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2080-01-26 15:40 74,240 C:\WINDOWS\system32\usbui.dll
2080-01-26 15:38 8,704 C:\WINDOWS\system32\batt.dll
2080-01-26 15:38 74,752 C:\WINDOWS\system32\storprop.dll
2080-01-26 15:38 69,120 C:\WINDOWS\NOTEPAD.EXE
2080-01-26 15:38 15,360 C:\WINDOWS\TASKMAN.EXE
2080-01-26 15:34 503,316,480 C:\pagefile.sys
2080-01-22 23:23 335,073,280 C:\hiberfil.sys
2006-08-08 20:47 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-08-08 15:20 45,056 C:\WINDOWS\system32\afdaqd3.exe
2006-08-08 15:20 36,864 C:\WINDOWS\system32\vp1i4.exe
2006-08-08 15:20 319,294 C:\WINDOWS\YOINSI.exe
2006-08-08 15:20 28,672 C:\WINDOWS\system32cymmh.exe
2006-08-08 15:20 28,672 C:\WINDOWS\system32\whcixm7.exe
2006-08-08 15:20 28,672 C:\WINDOWS\system32\cymmh.exe
2006-08-08 15:20 234,248 C:\WINDOWS\Tagasuarus2.exe
2006-08-08 15:20 221,184 C:\WINDOWS\system32\vf1v62x.dll
2006-08-08 15:20 159,744 C:\WINDOWS\system32\apbzk.exe
2006-08-08 15:20 1,163,264 C:\WINDOWS\system32\l3jdfs.exe
2006-08-08 15:20 0 C:\WINDOWS\system32afdaqd3.exe
2006-08-08 15:19 36,864 C:\WINDOWS\thiselt.exe
2006-07-30 23:22 18,200 C:\WINDOWS\system32\wups2.dll
2006-07-30 02:39 24 C:\WINDOWS\nriny.dll
2006-07-30 00:55 61,440 C:\WINDOWS\system32\fii4b18b.dll
2006-07-30 00:55 32,768 C:\WINDOWS\unstall.exe
2006-07-30 00:55 1,064 C:\WINDOWS\system32\fii4b18b.sys
2006-07-30 00:54 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-07-22 15:33 978,944 C:\WINDOWS\SynthCoreA.Dll
2006-07-22 15:33 720,896 C:\WINDOWS\system32\a3d.dll
2006-07-22 15:33 49,152 C:\WINDOWS\system32\S11thk32.dll
2006-07-22 15:33 49,152 C:\WINDOWS\system32\DSndUp.exe
2006-07-22 15:33 45,056 C:\WINDOWS\system32\SynthCore11Resources.dll
2006-07-22 15:33 45,056 C:\WINDOWS\system32\CleanUp.exe
2006-07-22 15:33 40,820 C:\WINDOWS\system32\Syncor11.dll
2006-07-22 15:33 380,928 C:\WINDOWS\SynCor.exe
2006-07-22 15:33 30,208 C:\WINDOWS\system32\wdmioctl.dll
2006-07-22 15:33 1,285,632 C:\WINDOWS\system32\SMMedia.dll
2006-07-22 15:23 149,504 C:\WINDOWS\system32\MFCANS32.DLL
2006-07-22 15:23 108,032 C:\WINDOWS\system32\MFCUIA32.DLL
2006-07-13 06:43 81,920 C:\WINDOWS\system32\W32n50.dll
2006-07-13 06:43 43,391 C:\WINDOWS\browser.exe
2006-07-13 06:43 17,162 C:\WINDOWS\system32\Pcandis5.sys
2006-07-13 06:43 16,848 C:\WINDOWS\system32\Pcandis4.sys
2006-07-13 06:39 84,992 C:\WINDOWS\system32\ATL70.DLL
2006-07-13 06:39 65,536 C:\WINDOWS\system32\YCRWin32.dll
2006-07-13 06:39 24,576 C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"iexplorer"="C:\\WINDOWS\\system32\\iexplorer.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=dword:00000001
"ForceClassicControlPanel"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{24D0AF96-07CD-1033-1031-030314030001}"="\"C:\\Program Files\\Common Files\\{24D0AF96-07CD-1033-1031-030314030001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=""
"tscuninstall"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSMHelp"=dword:00000001
"NoSharedDocuments"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"nlsf"=""
"tscuninstall"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSMHelp"=dword:00000001
"NoSharedDocuments"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"="hillman"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)
NoDispAppearancePage REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Wed 08/09/2006 16:53:45.42
ComboFix ver 06.07.15/29 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-09.165333.txt

#4 -David-

Posted 10 August 2006 - 03:29 AM

Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the following entries:

Forethought
Quicklinks


Can you post the ComboFix log again, please?
In Notepad be sure to click on Format and place a check mark beside "Word Wrap".
This will make the log easier to read.

#5 jace_xiong

Posted 10 August 2006 - 08:08 PM

OK, I did that.

Here is the new HijackThis log and the ComboFix log...

Logfile of HijackThis v1.99.1
Scan saved at 6:04:36 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{24D0AF96-07CD-1033-1031-030314030001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Desktop\spyware & adware remover software\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [yaTa] cmd /c IF EXIST "C:\WINDOWS\system32\whcixm7.exe" del /s /q "C:\WINDOWS\system32\whcixm7.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154326894703
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: ping.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

_____________________________________________________________________________________


Start Time= Thu 08/10/2006 18:04:58.34

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2080-01-26 15:38:52 62 ( A.SH. ) "C:\Documents and Settings\Administrator\Application Data\desktop.ini"
2080-01-23 23:05:26 ( .D... ) "C:\Program Files\NVIDIA Corporation"
2080-01-23 23:05:26 ( .D... ) "C:\Program Files\Common Files\NVIDIA Shared"
2080-01-17 01:29:26 ( .D... ) "C:\Program Files\Common Files\Adobe"
2080-01-17 01:28:32 ( .D... ) "C:\Program Files\Adobe"
2080-01-12 17:26:52 ( .D... ) "C:\Program Files\Common Files\Java"
2080-01-11 22:30:26 ( .D... ) "C:\Program Files\Common Files\EasyInfo"
2080-01-10 19:57:26 ( .D... ) "C:\Program Files\Analog Devices"
2080-01-10 15:49:16 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2080-01-10 15:45:44 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2080-01-10 13:31:54 ( .D.H. ) "C:\Program Files\Uninstall Information"
2080-01-10 03:58:34 ( .D... ) "C:\Program Files\xerox"
2080-01-10 03:58:34 ( .D... ) "C:\Program Files\microsoft frontpage"
2080-01-10 03:56:28 ( .D... ) "C:\Program Files\Common Files\Services"
2080-01-10 03:56:22 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2080-01-10 03:56:16 ( .D... ) "C:\Program Files\Movie Maker"
2080-01-10 03:56:10 ( .D... ) "C:\Program Files\NetMeeting"
2080-01-10 03:56:08 ( .D... ) "C:\Program Files\Outlook Express"
2080-01-10 03:56:02 ( .D... ) "C:\Program Files\Internet Explorer"
2080-01-10 03:56:02 ( .D... ) "C:\Program Files\Common Files\System"
2080-01-10 03:55:48 ( .D... ) "C:\Program Files\ComPlus Applications"
2080-01-10 03:55:16 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2080-01-10 03:55:16 ( .D... ) "C:\Program Files\Windows Media Player"
2080-01-10 03:55:16 ( .D... ) "C:\Program Files\Online Services"
2080-01-10 03:55:10 ( .D... ) "C:\Program Files\Messenger"
2080-01-10 03:55:06 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2080-01-10 03:54:38 ( .D... ) "C:\Program Files\Windows NT"
2080-01-10 03:54:38 ( .D... ) "C:\Program Files\MSN"
2080-01-09 19:51:26 ( .D... ) "C:\Program Files\Common Files\ODBC"
2080-01-09 19:51:22 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2080-01-09 19:51:22 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2080-01-09 19:51:22 ( .D... ) "C:\Program Files\Common Files"
2006-08-09 14:53:46 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\AVG7"
2006-08-09 14:53:28 ( .D... ) "C:\Program Files\Grisoft"
2006-08-08 20:48:00 ( .D... ) "C:\Program Files\Common Files\urwq"
2006-08-08 15:20:18 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-08-08 15:20:06 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-08-08 15:20:04 28672 ( A.... ) "C:\WINDOWS\system32cymmh.exe"
2006-08-08 15:20:04 28672 ( A.... ) "C:\WINDOWS\system32\whcixm7.exe"
2006-08-08 15:20:04 28672 ( A.... ) "C:\WINDOWS\system32\cymmh.exe"
2006-08-08 15:20:04 0 ( A.... ) "C:\WINDOWS\system32afdaqd3.exe"
2006-08-08 15:19:56 36864 ( A.... ) "C:\WINDOWS\thiselt.exe"
2006-08-04 07:54:26 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\??sks"
2006-07-30 10:32:38 1064 ( A.... ) "C:\WINDOWS\system32\fii4b18b.sys"
2006-07-30 10:32:38 1064 ( A.... ) "C:\WINDOWS\system32\fii4b18b.sys"
2006-07-30 02:39:14 24 ( A.... ) "C:\WINDOWS\nriny.dll"
2006-07-30 00:55:24 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\?ymantec"
2006-07-30 00:55:12 61440 ( A.... ) "C:\WINDOWS\system32\fii4b18b.dll"
2006-07-30 00:55:02 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-07-30 00:54:54 380928 ( A.... ) "C:\WINDOWS\system32\WinNB58.dll"
2006-07-30 00:54:54 ( .D... ) "C:\Program Files\Common Files\{24D0AF96-07CD-1033-1031-030314030001}"
2006-07-22 15:33:26 44 ( A.... ) "C:\WINDOWS\system32\msssc.dll"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-17 19:22:34 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Azureus"
2006-07-17 19:20:44 ( .D... ) "C:\Program Files\Azureus"
2006-07-13 06:47:34 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Motive"
2006-07-13 06:43:56 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Yahoo!"
2006-07-13 06:43:12 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-07-13 06:42:56 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-07-13 06:28:48 ( .D... ) "C:\Program Files\Yahoo!"
2006-07-09 10:31:06 ( .D... ) "C:\Program Files\Empire Earth"
2006-06-27 21:12:54 19024 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT"
2006-06-05 18:44:40 20992 ( A.... ) "C:\WINDOWS\system32\24eb2d2c.exe"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2080-01-26 15:40 74,240 C:\WINDOWS\system32\usbui.dll
2080-01-26 15:38 8,704 C:\WINDOWS\system32\batt.dll
2080-01-26 15:38 74,752 C:\WINDOWS\system32\storprop.dll
2080-01-26 15:38 69,120 C:\WINDOWS\NOTEPAD.EXE
2080-01-26 15:38 15,360 C:\WINDOWS\TASKMAN.EXE
2080-01-26 15:34 503,316,480 C:\pagefile.sys
2080-01-22 23:23 335,073,280 C:\hiberfil.sys
2006-08-08 20:47 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-08-08 15:20 319,294 C:\WINDOWS\YOINSI.exe
2006-08-08 15:20 28,672 C:\WINDOWS\system32cymmh.exe
2006-08-08 15:20 28,672 C:\WINDOWS\system32\whcixm7.exe
2006-08-08 15:20 28,672 C:\WINDOWS\system32\cymmh.exe
2006-08-08 15:20 234,248 C:\WINDOWS\Tagasuarus2.exe
2006-08-08 15:20 0 C:\WINDOWS\system32afdaqd3.exe
2006-08-08 15:19 36,864 C:\WINDOWS\thiselt.exe
2006-07-30 23:22 18,200 C:\WINDOWS\system32\wups2.dll
2006-07-30 02:39 24 C:\WINDOWS\nriny.dll
2006-07-30 00:55 61,440 C:\WINDOWS\system32\fii4b18b.dll
2006-07-30 00:55 32,768 C:\WINDOWS\unstall.exe
2006-07-30 00:55 1,064 C:\WINDOWS\system32\fii4b18b.sys
2006-07-30 00:54 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-07-22 15:33 978,944 C:\WINDOWS\SynthCoreA.Dll
2006-07-22 15:33 720,896 C:\WINDOWS\system32\a3d.dll
2006-07-22 15:33 49,152 C:\WINDOWS\system32\S11thk32.dll
2006-07-22 15:33 49,152 C:\WINDOWS\system32\DSndUp.exe
2006-07-22 15:33 45,056 C:\WINDOWS\system32\SynthCore11Resources.dll
2006-07-22 15:33 45,056 C:\WINDOWS\system32\CleanUp.exe
2006-07-22 15:33 40,820 C:\WINDOWS\system32\Syncor11.dll
2006-07-22 15:33 380,928 C:\WINDOWS\SynCor.exe
2006-07-22 15:33 30,208 C:\WINDOWS\system32\wdmioctl.dll
2006-07-22 15:33 1,285,632 C:\WINDOWS\system32\SMMedia.dll
2006-07-22 15:23 149,504 C:\WINDOWS\system32\MFCANS32.DLL
2006-07-22 15:23 108,032 C:\WINDOWS\system32\MFCUIA32.DLL
2006-07-13 06:43 81,920 C:\WINDOWS\system32\W32n50.dll
2006-07-13 06:43 43,391 C:\WINDOWS\browser.exe
2006-07-13 06:43 17,162 C:\WINDOWS\system32\Pcandis5.sys
2006-07-13 06:43 16,848 C:\WINDOWS\system32\Pcandis4.sys
2006-07-13 06:39 84,992 C:\WINDOWS\system32\ATL70.DLL
2006-07-13 06:39 65,536 C:\WINDOWS\system32\YCRWin32.dll
2006-07-13 06:39 24,576 C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"iexplorer"="C:\\WINDOWS\\system32\\iexplorer.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"yaTa"="cmd /c IF EXIST \"C:\\WINDOWS\\system32\\whcixm7.exe\" del /s /q \"C:\\WINDOWS\\system32\\whcixm7.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=dword:00000001
"ForceClassicControlPanel"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{24D0AF96-07CD-1033-1031-030314030001}"="\"C:\\Program Files\\Common Files\\{24D0AF96-07CD-1033-1031-030314030001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=""
"tscuninstall"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSMHelp"=dword:00000001
"NoSharedDocuments"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"nlsf"=""
"tscuninstall"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSMHelp"=dword:00000001
"NoSharedDocuments"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"="hillman"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)
NoDispAppearancePage REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Thu 08/10/2006 18:05:10.59
ComboFix ver 06.07.15/29 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-10.180458.txt
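
The log above can be triaged mechanically rather than by eye. What follows is an added example in Python, not part of this thread and not HijackThis or ComboFix code. It cross-references the HijackThis O-lines with ComboFix's "Files Created - Last 30days" list and flags the patterns that usually mark a load point as hostile: a component whose file was created recently, a "(file missing)" BHO or filter (an orphaned load point), any text/html MIME filter (Windows registers none), a non-empty AppInit_DLLs value, an ActiveX download (O16) from a host outside an allowlist, a RunOnce entry that deletes a file (a dropper tidying up after itself), and an executable name that differs from a Windows binary by one character (iexplorer.exe next to iexplore.exe). The sample lines are copied from the two logs posted above; TRUSTED_DPF_HOSTS and SYSTEM_NAMES are assumptions chosen for the illustration.

```python
"""Triage a HijackThis log against ComboFix's 'Files Created' list.

Added example, not part of the thread and not HijackThis/ComboFix code.
Sample lines are copied from the logs posted above; TRUSTED_DPF_HOSTS and
SYSTEM_NAMES are assumptions chosen for the illustration.
"""
import re
from urllib.parse import urlparse

HJT_LOG = r"""
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKLM\..\RunOnce: [yaTa] cmd /c IF EXIST "C:\WINDOWS\system32\whcixm7.exe" del /s /q "C:\WINDOWS\system32\whcixm7.exe"
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154326894703
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: ping.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# ComboFix "Files Created - Last 30days" lines: date, time, size, path.
COMBOFIX_CREATED = r"""
2006-08-08 15:20 28,672 C:\WINDOWS\system32\whcixm7.exe
2006-08-08 15:20 319,294 C:\WINDOWS\YOINSI.exe
2006-07-30 00:55 61,440 C:\WINDOWS\system32\fii4b18b.dll
2006-07-13 06:39 84,992 C:\WINDOWS\system32\ATL70.DLL
"""

TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")   # assumption: allowlist for O16 downloads
SYSTEM_NAMES = ("iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")

# A drive-letter path ending in a short extension; stops before ' (file missing)' or ',EntryPoint'.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\:*?"<>|\r\n]+\\)*[^\\:*?"<>|\r\n]+?\.[A-Za-z0-9]{2,4}\b')
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+(.+?)\s*$")


def parse_created(text):
    """Return (date, path) pairs from the ComboFix 'Files Created' block."""
    return [m.groups() for m in (CREATED_RE.match(l.strip()) for l in text.splitlines()) if m]


def looks_like_system_name(name):
    """True if deleting one character from `name` yields a well-known Windows binary."""
    name = name.lower()
    return any(len(name) == len(k) + 1 and any(name[:i] + name[i + 1:] == k for i in range(len(name)))
               for k in SYSTEM_NAMES)


def triage(hjt_log, created_list):
    """Return (section, target, reason) triples for load points that deserve a fix."""
    recent = {p.rsplit("\\", 1)[-1].lower() for _, p in parse_created(created_list)}
    findings = []
    for line in hjt_log.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        names = [p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(body)]
        for name in dict.fromkeys(names):                       # de-duplicate, keep order
            if name in recent:
                findings.append((section, name, "points at a file created in the last 30 days"))
            if looks_like_system_name(name):
                findings.append((section, name, "name imitates a Windows system binary"))
        if "(file missing)" in body and names:
            findings.append((section, names[-1], "orphaned load point: file missing"))
        if section == "O18" and body.startswith("Filter: text/html") and names:
            findings.append((section, names[-1], "MIME filter hooks every text/html page"))
        if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((section, body.split(":", 1)[1].strip(), "AppInit_DLLs loads into every GUI process"))
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not host.endswith(TRUSTED_DPF_HOSTS):
                findings.append((section, url.rsplit("/", 1)[-1].split("?")[0], "ActiveX download from " + host))
        if section == "O4" and "RunOnce" in body and re.search(r"\bdel\b", body, re.I) and names:
            findings.append((section, names[-1], "RunOnce deletes a file: dropper cleaning up after itself"))
    return findings


if __name__ == "__main__":
    for section, target, reason in triage(HJT_LOG, COMBOFIX_CREATED):
        print(f"{section:4} {target:<16} {reason}")
```

Run it and every entry the helper later asks to fix except TClock is flagged, while jusched.exe, the NVIDIA service and the Windows Update control pass; TClock is not caught because its file is older than 30 days and its name is unremarkable, which is exactly the kind of entry that still needs a human who recognises the product.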

#6 -David-

Posted 11 August 2006 - 02:54 AM

Hey there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop, where they can be easily found, for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please set your system to show hidden files; please see here if you're unsure how to do this.

1) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll (file missing)
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKLM\..\RunOnce: [yaTa] cmd /c IF EXIST "C:\WINDOWS\system32\whcixm7.exe" del /s /q "C:\WINDOWS\system32\whcixm7.exe"
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: ping.dll


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

2) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\YOINSI.exe
C:\WINDOWS\Tagasuarus2.exe
C:\WINDOWS\system32cymmh.exe
C:\WINDOWS\system32\whcixm7.exe
C:\WINDOWS\system32\cymmh.exe
C:\WINDOWS\system32afdaqd3.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\fii4b18b.sys
C:\WINDOWS\nriny.dll
C:\WINDOWS\system32\fii4b18b.dll
C:\WINDOWS\unstall.exe
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\24eb2d2c.exe
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\system32\ping.dll
C:\WINDOWS\system32\whcixm7.exe
C:\WINDOWS\system32\iexplorer.exe
C:\Program Files\Common Files\{24D0AF96-07CD-1033-1031-030314030001}\Update.exe


Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now; click "Yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

3) Please find and delete the following folders:

C:\Program Files\Common Files\urwq
C:\Program Files\TClock
C:\Program Files\Common Files\{24D0AF96-07CD-1033-1031-030314030001}

C:\Documents and Settings\Administrator\Application Data\?ymantec --> This folder will have a Cyrillic alphabet letter instead of the question mark. It was created on 2006-07-30. It will most likely look like symantec.

C:\Documents and Settings\Administrator\Application Data\??sks --> This folder will have Cyrillic alphabet letters instead of the question marks. It was created on 2006-07-30. It will most likely look like tasks.

4) Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"=-

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Clean your Cache and Cookies in IE

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Clean your Cache and Cookies in Firefox

° Open the Firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Please post back with a new HijackThis log and ComboFix log.
David
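
Two Windows mechanisms sit behind steps 2 and 4 above, and knowing them lets you check the work without trusting the tools blindly. Killbox's "Delete on Reboot" writes each file into the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (that is what the "Pending File Rename Operations" prompt refers to); the value is a list of pairs, source path in \??\C:\... form followed by the destination, and an empty destination means delete. Session Manager processes the list at boot before any user-mode program, the malware included, has started, which is why a file that is locked or re-created while Windows is running can still be removed this way. The .reg file in step 4 uses the two REGEDIT4 deletion forms: [-Key] removes a whole key and "Name"=- removes one value. The block below is an added example in Python, not Killbox's or HijackThis's code: it builds both artifacts from the paths and keys listed above (note that the Killbox list repeats whcixm7.exe and WinNB58.dll; the builder keeps each file once, since the second entry would only fail at boot), and queue_delete_on_reboot calls MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, the documented Win32 API that appends the same entry; that call only works on Windows and needs administrator rights, while the two builder functions run anywhere.

```python
"""The mechanisms behind 'Delete on Reboot' and fix.reg, as Python helpers.

Added example, not Killbox's or HijackThis's code. The file list and the
registry targets are the ones from the reply above.
"""
import sys

# Session Manager (smss.exe) walks this value at boot, before any user-mode program runs:
# pairs of (source, destination); an empty destination means "delete the source".
PENDING_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"


def pending_delete_entries(paths):
    """Build the REG_MULTI_SZ entries that delete `paths` at the next boot.

    A file listed twice is kept once (NTFS paths are case-insensitive); the
    duplicate entry would only fail at boot once the first one has run.
    """
    seen, entries = set(), []
    for path in paths:
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        entries.append("\\??\\" + path)   # NT object-manager form, e.g. \??\C:\WINDOWS\YOINSI.exe
        entries.append("")                # empty destination = delete instead of rename
    return entries


def reg_file(delete_keys=(), delete_values=()):
    """Render a REGEDIT4 file: `delete_keys` are removed whole, `delete_values` are (key, name) pairs."""
    lines = ["REGEDIT4", ""]
    for key in delete_keys:
        lines += [f"[-{key}]", ""]
    by_key = {}
    for key, name in delete_values:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]
        lines.append("")
    return "\r\n".join(lines)        # REGEDIT4 files are ANSI text with CRLF line ends and a trailing blank line


def queue_delete_on_reboot(path):
    """Windows only, administrator rights required: append the delete entry through the Win32 API."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT exists only on Windows")
    import ctypes
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


if __name__ == "__main__":
    killbox_list = [r"C:\WINDOWS\YOINSI.exe", r"C:\WINDOWS\system32\whcixm7.exe",
                    r"C:\WINDOWS\system32\WinNB58.dll", r"C:\WINDOWS\system32\whcixm7.exe"]
    print(PENDING_VALUE)
    for entry in pending_delete_entries(killbox_list):
        print("  " + repr(entry))
    print(reg_file(
        delete_keys=[r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce",
                     r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run"],
        delete_values=[(r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler",
                        "{c3786a8d-6426-4c29-a23f-f36e47b31e0c}")]))
```

After the reboot, PendingFileRenameOperations should be gone from the Session Manager key; if it is still there with the same entries, something re-created the files or the deletion never ran, and that is the point at which to ask for the log again rather than assume the box is clean.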

#7 -David-

Posted 09 September 2006 - 02:47 PM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
