No Sound. Lots-0-popups.


9 replies to this topic

#1 AtomicBucket

AtomicBucket

  • Members
  • 7 posts

Posted 23 September 2006 - 02:06 AM

I was recently infected with an adware called duce6. Ever since, I have been bombarded with popups and my drivers, ALL OF THEM, Video, Audio, USB, ALL have been uninstalled... Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:49 AM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\win32093161929218.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\AtomicBucket\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mmahre] C:\WINDOWS\system32\muvpsg.exe reg_run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [win32093161929218] C:\WINDOWS\win32093161929218.exe
O4 - HKCU\..\Run: [iihjt] C:\WINDOWS\system32\muvpsg.exe reg_run
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 23 September 2006 - 12:12 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs.
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [mmahre] C:\WINDOWS\system32\muvpsg.exe reg_run
O4 - HKLM\..\Run: [win32093161929218] C:\WINDOWS\win32093161929218.exe
O4 - HKCU\..\Run: [iihjt] C:\WINDOWS\system32\muvpsg.exe reg_run
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\muvpsg.exe
C:\WINDOWS\win32093161929218.exe
C:\WINDOWS\system32\dmonwv.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu: pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

Edited by D-Trojanator, 23 September 2006 - 12:13 PM.
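
As an added example (not part of the original thread, and not HijackThis code), the script below parses the O4, O9 and O20 lines from the log in post #1 and applies the checks that David's fix list implies: one binary registered under two different value names in both HKLM and HKCU (muvpsg.exe as mmahre and iihjt), a machine-generated name dropped straight into C:\WINDOWS (win32093161929218.exe), and an O9 entry whose DLL is already gone (dmonwv.dll, "file missing"). The digit-ratio threshold and the "review" level are the editor's assumptions, as is treating a Winlogon Notify DLL outside system32 as review-only: the WB entry's 8.3 path expands to Program Files\Object Desktop\WindowBlinds, which David left alone, so the script flags it for a look rather than for removal. Requires Python 3.8 or newer.

```python
"""Triage of autorun entries from a HijackThis 1.99 log (O4, O9 and O20 lines).

Added example for this thread; it is not part of the original posts and not
HijackThis code. The heuristics are the editor's own assumptions about what
separates the entries David told the poster to fix from the ones he left alone.
"""
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #1 of the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mmahre] C:\WINDOWS\system32\muvpsg.exe reg_run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [win32093161929218] C:\WINDOWS\win32093161929218.exe
O4 - HKCU\..\Run: [iihjt] C:\WINDOWS\system32\muvpsg.exe reg_run
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): .+? - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def exe_path(cmd):
    """Executable part of an O4 command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def split_path(path):
    """(directory, file name) for a Windows path; directory is '' when there is none."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def digit_heavy(name, threshold=0.4):
    """True for machine-generated names such as win32093161929218 (assumed heuristic)."""
    return len(name) >= 8 and sum(c.isdigit() for c in name) / len(name) >= threshold


def parse(log_text):
    """Turn the supported HijackThis line types into dicts; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append({"kind": "O4", "label": f'O4 {m["hive"]} [{m["name"]}]',
                            "hive": m["hive"], "name": m["name"],
                            "path": exe_path(m["cmd"]), "missing": False})
        elif m := O9_RE.match(line):
            entries.append({"kind": "O9", "label": f'O9 {{{m["clsid"]}}}', "hive": "",
                            "name": m["clsid"], "path": m["path"], "missing": bool(m["missing"])})
        elif m := O20_RE.match(line):
            entries.append({"kind": "O20", "label": f'O20 [{m["name"]}]', "hive": "",
                            "name": m["name"], "path": m["path"], "missing": False})
    return entries


def triage(log_text):
    """Map each parsed entry's label to the reasons it deserves attention ([] = nothing found)."""
    entries = parse(log_text)
    # One binary registered under several value names or hives (muvpsg.exe as
    # HKLM\mmahre and HKCU\iihjt) is a persistence pattern, not a vendor habit.
    registrations = defaultdict(set)
    for e in entries:
        if e["kind"] == "O4":
            registrations[e["path"].lower()].add(f'{e["hive"]}\\{e["name"]}')

    findings = {}
    for e in entries:
        directory, filename = split_path(e["path"])
        stem = filename.rsplit(".", 1)[0]
        reasons = findings.setdefault(e["label"], [])
        if e["kind"] == "O4":
            if digit_heavy(e["name"]) or digit_heavy(stem):
                reasons.append("machine-generated name")
            others = registrations[e["path"].lower()] - {f'{e["hive"]}\\{e["name"]}'}
            if others:
                reasons.append("same binary also registered as " + ", ".join(sorted(others)))
            if directory.lower() == r"c:\windows":
                reasons.append("executable sits directly in the Windows directory")
        elif e["kind"] == "O9" and e["missing"]:
            reasons.append("referenced file is missing: orphaned entry, safe to fix")
        elif e["kind"] == "O20" and not directory.lower().endswith("system32"):
            reasons.append("review: DLL loaded into winlogon.exe at logon from outside system32; "
                           "confirm the vendor before touching it")
    # The two O9 lines share a CLSID and therefore a label; keep each reason once.
    return {label: list(dict.fromkeys(r)) for label, r in findings.items()}


if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG).items():
        print(f"{label:48} {'; '.join(reasons) or 'nothing found'}")
```

Run as-is it prints one line per entry; TkBellExe and SoundMan come out clean, the three entries David told the poster to fix carry concrete reasons, and WB is marked review-only. The duplicate-registration check is the one worth keeping in a real triage kit: a random-looking name alone is weak evidence, but the same dropped binary wired into both the machine and the user Run key under two throwaway names is how the adware in this log survived a single-key cleanup.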


#3 AtomicBucket

AtomicBucket
  • Topic Starter

  • Members
  • 7 posts

Posted 24 September 2006 - 09:55 AM

Thanks for the help, here are my new logs.


AtomicBucket - 06-09-24 10:44:41.09 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\AtomicBucket\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\nobody\Application Data\Sskcwrd.dll
C:\Documents and Settings\nobody\Application Data\Sskdmns.dll
C:\Documents and Settings\nobody\Application Data\Sskknwrd.dll
C:\Documents and Settings\nobody\Application Data\Sskuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\tsuninst.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\{60847017-064E-1033-0209-020401040001}


((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))


2006-09-24 10:46 106,496 --a------ C:\WINDOWS\Duce6.exe
2006-09-24 10:42 163,840 --a------ C:\WINDOWS\ms042921831619.exe
2006-09-22 21:00 80 -r-hs---- C:\WINDOWS\system32\CD9E92C440.dll
2006-09-20 16:17 163,840 --a------ C:\WINDOWS\win320718316192922006.exe
2006-09-16 21:39 64,512 --------- C:\WINDOWS\system32\agrsmdel.exe
2006-09-05 22:09 902 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-05 21:54 1,233 --a------ C:\WINDOWS\system32\xdx15ea9.sys
2006-09-05 21:53 663 --a------ C:\WINDOWS\lpdwj.dll
2006-09-05 21:51 32,768 --a------ C:\WINDOWS\system32\setup9x.exe
2006-09-05 21:51 192 --a------ C:\WINDOWS\system32\ggg.bat
2006-09-05 21:51 138,862 --a------ C:\WINDOWS\system32\install.exe
2006-09-05 21:50 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2006-09-05 11:52 78,848 --a------ C:\WINDOWS\system32\nsz1E.dll
2006-08-29 21:16 473,600 --a------ C:\WINDOWS\system32\Harmony.dll
2006-08-29 21:16 237,568 --a------ C:\WINDOWS\system32\Unlha32.dll
2006-08-27 20:04 671,744 -ra------ C:\WINDOWS\system32\DolbyHph.dll
2006-08-27 20:04 24,576 -ra------ C:\WINDOWS\system32\msxml3a.dll
2006-08-27 19:57 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-08-25 19:21 286,720 --a------ C:\WINDOWS\iun506.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 10:45 -------- d-------- C:\Program Files\Common Files
2006-09-23 00:05 -------- d-------- C:\Program Files\Lavasoft
2006-09-22 23:33 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Lavasoft
2006-09-22 22:18 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-22 21:00 -------- d-------- C:\Program Files\Clean Uninstaller
2006-09-22 15:32 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-21 22:22 -------- d-------- C:\Program Files\AOL
2006-09-21 22:22 -------- d-------- C:\Program Files\AOD
2006-09-16 16:46 -------- d-------- C:\Program Files\XoftSpy
2006-09-16 14:59 -------- d-------- C:\Program Files\Common Files\DirectX
2006-09-15 23:42 -------- d-------- C:\Program Files\MAIET
2006-09-11 17:23 -------- d---s---- C:\Documents and Settings\AtomicBucket\Application Data\Microsoft
2006-09-10 17:12 -------- d-------- C:\Program Files\Microsoft Games
2006-09-10 13:20 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Real
2006-09-10 13:20 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Macromedia
2006-09-07 22:22 -------- d-------- C:\Program Files\AIM
2006-09-07 22:19 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\acccore
2006-09-07 22:16 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-09-07 22:14 -------- d-------- C:\Program Files\Common Files\aolshare
2006-09-07 15:30 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Sun
2006-09-07 14:00 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Adobe
2006-09-07 12:02 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Identities
2006-09-07 12:01 -------- d-------- C:\Documents and Settings\AtomicBucket\Application Data\Netscape
2006-09-07 11:23 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-07 11:03 -------- d-------- C:\Program Files\Netscape
2006-09-02 22:12 -------- d-------- C:\Program Files\Midi Maker
2006-08-29 21:16 -------- d-------- C:\Program Files\ASCII
2006-08-28 13:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-27 20:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-27 20:04 -------- d-------- C:\Program Files\NVIDIA Corporation
2006-08-27 20:03 -------- d-------- C:\Program Files\Object Desktop
2006-08-17 16:12 -------- d-------- C:\Program Files\rpg2003
2006-08-13 21:08 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-08-13 21:08 56 -r-hs---- C:\WINDOWS\system32\CD9E92C440.sys
2006-07-25 18:10 -------- d-------- C:\Program Files\Fire International


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundMan"="SOUNDMAN.EXE"
"ms042921831619"="C:\\WINDOWS\\ms042921831619.exe"
"TheMonitor"="C:\\WINDOWS\\Duce6.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^fciqy.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\fciqy.exe"
"backup"="C:\\WINDOWS\\pss\\fciqy.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\fciqy.exe"
"item"="fciqy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\KODAK\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\KODAK\\KODAKS~1\\7288971\\Program\\BACKWE~1.EXE "
"item"="KODAK Software Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe"
"backup"="C:\\WINDOWS\\pss\\svchost.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe"
"item"="svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\taskmgr.exe"
"backup"="C:\\WINDOWS\\pss\\taskmgr.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\taskmgr.exe"
"item"="taskmgr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^AtomicBucket^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\AtomicBucket\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\swinlpex.exe GEN001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^nobody^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\nobody\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\TIGEN001.exe GEN001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^nobody^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\nobody\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\swinlpex.exe GEN001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_16"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_16.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swinlpex"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\swinlpex.exe GEN001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iihjt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="muvpsg"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\muvpsg.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSPM"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_16"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_16.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmahre]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="muvpsg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\muvpsg.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\p2p networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="p2pnetworking"
"hkey"="HKLM"
"command"="p2pnetworking.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSLister]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSLister"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\rfqoxbwA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rfqoxbwA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\rfqoxbwA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\rwzo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rwzom"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\rwzo\\rwzom.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Shareaza]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Shareaza"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Shareaza\\Shareaza.exe\" -tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win32088316192921]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32088316192921"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win32088316192921.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xdx15ea9]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w01da4ce.dll,n 00415ea50000000301da4ce"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\{47-70-01-17-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="okdsregn"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\okdsregn.exe GEN001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Dcfssvc"=dword:00000002
"cmdService"=dword:00000002
"ccPwdSvc"=dword:00000003
"ccEvtMgr"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 09/24/2006 10:51:58.07
ComboFix.txt



________________________________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 10:52:51 AM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ms042921831619.exe
C:\WINDOWS\Duce6.exe
C:\Documents and Settings\AtomicBucket\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ms042921831619] C:\WINDOWS\ms042921831619.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 -David-

Posted 24 September 2006 - 02:02 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [ms042921831619] C:\WINDOWS\ms042921831619.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\Duce6.exe
C:\WINDOWS\ms042921831619.exe
C:\WINDOWS\system32\CD9E92C440.dll
C:\WINDOWS\win320718316192922006.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\xdx15ea9.sys
C:\WINDOWS\lpdwj.dll
C:\WINDOWS\system32\CD9E92C440.sys
C:\TIGEN001.exe
C:\WINDOWS\system32\swinlpex.exe
C:\WINDOWS\system32\muvpsg.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\rfqoxbwA.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\fciqy.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\WINDOWS\system32\swinlpex.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^fciqy.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^AtomicBucket^Start Menu^Programs^Startup^Think-Adz.lnk]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^nobody^Start Menu^Programs^Startup^TA_Start.lnk]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iihjt]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmahre]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\p2p networking]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSLister]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\rfqoxbwA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win32088316192921]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xdx15ea9]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\{47-70-01-17-ZN}]

Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.
It should look like this: [image]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Post a new Hijackthis log also.
David
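As an added example (not from David's post or from any tool used in the thread), here is a small Python script that audits a REGEDIT4 fix before it is merged: it lists the keys each `[-KEY]` header would delete, checks that every deletion stays under the MSConfig startup cache the fix targets, flags any value that would be written rather than removed, and checks for the REGEDIT4 signature the post says not to forget. The embedded sample script is constructed; it takes two keys from the posted fix and adds a Run-key section that the real fix does not contain, purely to show how a write gets flagged.

```python
"""Audit a REGEDIT4 fix script before merging it into the registry."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Signatures Windows accepts on the first line; the helper's reminder
# "don't forget to copy and paste REGEDIT4" is exactly this check.
SIGNATURES = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# The posted fix only removes entries from MSConfig's startup cache;
# any key deletion outside this prefix is reported as unexpected.
MSCONFIG_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG"

# [KEY] opens/creates a key; [-KEY] deletes it with all subkeys and values.
HEADER_RE = re.compile(r"^\[(-?)(.+)\]$")
# "name"=data or @=data; data of a bare '-' deletes that single value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')

# Constructed sample: two keys from the posted fix plus a Run-key section
# that the real fix does NOT contain, added here to show the flagging.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TheMonitor"=-
"Updater"="C:\\WINDOWS\\example.exe"
"""


@dataclass
class RegAudit:
    deleted_keys: List[str] = field(default_factory=list)
    deleted_values: List[Tuple[str, str]] = field(default_factory=list)
    written_values: List[Tuple[str, str, str]] = field(default_factory=list)
    unexpected_keys: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    def is_delete_only(self) -> bool:
        """True when the script only removes MSConfig startup entries."""
        return not (self.written_values or self.unexpected_keys or self.errors)


def audit_reg(text: str, allowed_prefix: str = MSCONFIG_PREFIX) -> RegAudit:
    """Parse a .reg script and classify every action it would perform."""
    audit = RegAudit()
    lines = text.splitlines()
    first = next((i for i, ln in enumerate(lines) if ln.strip()), None)
    if first is not None and lines[first].strip() in SIGNATURES:
        start = first + 1
    else:
        audit.errors.append("missing REGEDIT4 signature on first line")
        start = 0
    current_key: Optional[str] = None
    for lineno, raw in enumerate(lines[start:], start=start + 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = HEADER_RE.match(line)
        if header:
            key = header.group(2)
            if header.group(1) == "-":
                audit.deleted_keys.append(key)
                # Registry paths are case-insensitive, so compare lower-cased.
                if not key.lower().startswith(allowed_prefix.lower() + "\\"):
                    audit.unexpected_keys.append(key)
                current_key = None  # values may not follow a deletion header
            else:
                current_key = key
            continue
        value = VALUE_RE.match(line)
        if value and current_key is not None:
            name = "@" if value.group(2) else value.group(1)
            data = value.group(3).strip()
            if data == "-":
                audit.deleted_values.append((current_key, name))
            else:
                audit.written_values.append((current_key, name, data))
            continue
        audit.errors.append(f"line {lineno}: unrecognised '{line}'")
    return audit


if __name__ == "__main__":
    result = audit_reg(SAMPLE_REG)
    for key in result.deleted_keys:
        print("delete key   :", key)
    for key, name in result.deleted_values:
        print("delete value :", f"{key}\\{name}")
    for key, name, data in result.written_values:
        print("WRITE value  :", f"{key}\\{name} = {data}")
    for key in result.unexpected_keys:
        print("UNEXPECTED   :", key)
    for err in result.errors:
        print("ERROR        :", err)
    print("delete-only MSConfig fix:", result.is_delete_only())
```

Run against the posted fix itself, the script reports twenty-three key deletions, no writes and no unexpected keys, which is what a cleanup like this should look like.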

#5 AtomicBucket (Topic Starter)

Posted 24 September 2006 - 03:42 PM

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0
AOL Uninstaller (Choose which Products to Remove)
Clean Uninstaller
Diskeeper Professional Edition
Encarta Encyclopedia 99
ewido anti-spyware 4.0
Finale NotePad 2005a
Game Elements PC Recoil Pad
GamesharkDS
Google Video Player
Google Video Viewer 1.0 (based on VLC 0.8.2 Player)
HijackThis 1.99.1
HTML-Kit
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
Kodak EasyShare software
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech Desktop Messenger
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Midi Maker
MSN
MSXML 4.0 SP2 Parser and SDK
Nero Suite
Norton SystemWorks 2003
Norton WMI Update
NVDVD
NVIDIA Drivers
Project64 1.6
QuickTime
RealPlayer
Realtek AC'97 Audio
RGSS-RTP Standard
RPG Maker 2000 1.05
RPG Maker 2003 v1.08
RPG Maker XP - Postality Knights Edition ENHANCED
RPGXP
RTP for RM2K (Png, Wav, Midi, Fonts)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Sonic Foundry ACID 4.0e
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
WebPainter for Win32 version 3.0
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinMX
WinRAR archiver
XoftSpy
XviD MPEG-4 Video Codec

Logfile of HijackThis v1.99.1
Scan saved at 4:42:05 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\AtomicBucket\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#6 -David-

Posted 24 September 2006 - 03:51 PM

Please remove this entry from add/remove:
Windows Overlay Components

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

Also let me know how the system is running.
I see a clean log here! :thumbsup:
David

#7 AtomicBucket (Topic Starter)

Posted 24 September 2006 - 05:07 PM

I think... I think I'm gonna puke... :thumbsup:


Incident Status Location

Adware:Adware/DigInk Not disinfected C:\!KillBox\Duce6.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.overture.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[mmm.media-motor.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Netscape\NSB\Profiles\bobtccl6.default\cookies.txt[stats.drivecleaner.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2f448ffc-7a616ba9.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2f448ffc-7a616ba9.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2f448ffc-7a616ba9.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2f448ffc-7a616ba9.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5767d8db-48bc0e12.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5767d8db-48bc0e12.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5767d8db-48bc0e12.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5767d8db-48bc0e12.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-73e7a260-750734bb.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-73e7a260-750734bb.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-73e7a260-750734bb.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\AtomicBucket\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-73e7a260-750734bb.zip[Beyond.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@ads.pointroll[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@bluestreak[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@cassava[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@cgi-bin[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@drivecleaner[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@entrepreneur[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@fastclick[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@fortunecity[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@hitbox[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@i.screensavers[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@mediaplex[2].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@mmm.media-motor[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@overture[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@pacificpoker[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@statcounter[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@stats1.reliablestats[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@statse.webtrendslive[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@www.burstbeacon[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@www.drivecleaner[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@www.myaffiliateprogram[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\AtomicBucket\Cookies\atomicbucket@zedo[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@as-eu.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@casalemedia[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@cgi-bin[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@doubleclick[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@drivecleaner[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@mediaplex[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@mmm.media-motor[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@statcounter[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@stats.drivecleaner[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@www.burstbeacon[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@www.drivecleaner[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\nobody\Application Data\Mozilla\Firefox\Profiles\xp50odbx.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\nobody\Application Data\Mozilla\Firefox\Profiles\xp50odbx.default\cookies.txt[www48.seeq.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\nobody\Cookies\nobody@atwola[1].txt
Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\nobody\Cookies\nobody@mbop[1].txt
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b103.exe[stub_109_4_0_4_0.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b103.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b104.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b111.exe[eltadperf.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b111.exe[²ÜÇ\nsRandom.dll]
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\batty2.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@adopt.hbmediapro[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@atwola[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@banner[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@cassava[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@errorsafe[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@stats.drivecleaner[2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@targetsaver[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@target[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\Cookies\nobody@www.drivecleaner[1].txt
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\GLFBGLFB.EXE
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\nobody\Local Settings\Temporary Internet Files\Content.IE5\9779P23S\batty2[1].exe
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\nobody\Local Settings\Temporary Internet Files\Content.IE5\QXIZ311I\deskbar[1].exe
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\nobody\Local Settings\Temporary Internet Files\Content.IE5\TKJVG9WO\image01[1].jpg
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\nobody\setup9x.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-329068152-220523388-1801674531-1003\Dc381.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\bm9ib2R5\vA62vZlc.vbs
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\install.exe
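
Added example, not part of the thread or of Panda's own tooling: a small Python triage script for a report in the shape quoted above. Every line is assumed to read "kind:family status path", where the family may contain spaces ("Cookie/Traffic Marketplace"), the status is "Not disinfected" (the only one in the quoted report; "Disinfected" is an assumed second value), and a trailing "[member]" names a file inside an installer or cookie store. The sample lines are copied from the report above; the script separates tracking cookies (data) from files that can actually execute (.exe, .dll, .vbs and so on), which is the distinction the reply below draws when it picks three paths to delete out of dozens of findings.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Report lines taken from the Panda ActiveScan output quoted above (raw string,
# so the backslashes and the odd folder name in the installer member survive).
SAMPLE_REPORT = r"""
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temp\Cookies\atomicbucket@stats.drivecleaner[2].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\AtomicBucket\Local Settings\Temporary Internet Files\Ssk.log
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b103.exe[stub_109_4_0_4_0.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\nobody\Local Settings\Temp\b103.exe[²ÜÇ\nsRandom.dll]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\nobody\Application Data\Mozilla\Firefox\Profiles\xp50odbx.default\cookies.txt[searchportal.information.com/]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\bm9ib2R5\vA62vZlc.vbs
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\install.exe
"""

# "<kind>:<family> <status> <path>".  The family is matched lazily because it may
# contain spaces, so the path is anchored on a drive letter and the status on the
# phrases Panda uses ("Disinfected" is an assumption; the report above has only
# "Not disinfected").
LINE_RE = re.compile(
    r"^(?P<kind>\w+):(?P<family>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<path>[A-Za-z]:\\.*)$"
)
USER_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
EXECUTABLE_EXT = {".exe", ".dll", ".vbs", ".js", ".scr", ".com", ".bat", ".cmd", ".pif"}


def split_member(path):
    """Split 'container[member]' into (container, member); member is None if absent.
    Cookie file names also contain brackets ('...drivecleaner[2].txt') but never
    end with ']', so only a trailing ']' marks an embedded member."""
    if path.endswith("]"):
        i = path.rfind("[")
        if i > 0:
            return path[:i], path[i + 1:-1]
    return path, None


def classify(container, member):
    """Bucket a finding by what is actually on disk, not by the family label."""
    ext = ntpath.splitext(container)[1].lower()
    member_ext = ntpath.splitext(member)[1].lower() if member else ""
    if ext in EXECUTABLE_EXT or member_ext in EXECUTABLE_EXT:
        return "executable"   # code that can run: the items worth removing
    if ext == ".txt":
        return "cookie"       # tracking cookie or browser cookie store: data only
    return "other"            # logs, images, etc.: flagged but not runnable


def parse_report(text):
    """Return one dict per parseable report line; headers and blanks are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        container, member = split_member(m["path"])
        user = USER_RE.search(container)
        findings.append({
            "kind": m["kind"], "family": m["family"], "status": m["status"],
            "container": container, "member": member,
            "user": user.group(1) if user else None,
            "class": classify(container, member),
        })
    return findings


def triage(text):
    """Summarise a report: counts per class and per user profile, plus the
    de-duplicated list of executable containers with the families found in each."""
    findings = parse_report(text)
    actionable = defaultdict(set)
    for f in findings:
        if f["class"] == "executable":
            actionable[f["container"]].add(f["family"])
    return {
        "findings": len(findings),
        "by_class": dict(Counter(f["class"] for f in findings)),
        "by_user": dict(Counter(f["user"] or "<system>" for f in findings)),
        "actionable": {p: sorted(v) for p, v in sorted(actionable.items())},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(summary["by_class"], summary["by_user"])
    for path, families in summary["actionable"].items():
        print(path, "<-", ", ".join(families))
```

Running it on the full report above collapses the two "b103.exe[...]" findings into one container path and leaves the cookie entries out of the actionable list, which is what makes the short delete list in the next reply possible.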

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:45 PM

Posted 25 September 2006 - 01:49 PM

Hey there,
No need to puke! Nothing too bad here! :thumbsup:

Please delete this folder:
C:\!KillBox

Please open your Netscape Browser.
Click the Tools menu and choose Cookie Manager
Choose Manage Stored Cookies from the submenu. The Cookie Manager window opens with a list of all the cookies stored on your computer.
Select one or more cookies and click "Remove All Cookies".

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

I also want you to clean your cache and cookies from your firefox browser.
There are a few infected files which need to be removed from your system.

° Open the firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Please delete these files/folders:
C:\Documents and Settings\nobody\setup9x.exe
C:\WINDOWS\bm9ib2R5
C:\WINDOWS\system32\install.exe

Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\Documents and Settings\AtomicBucket\Local Settings\Temporary Internet Files\Ssk.log

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

After the reboot post a final Hijackthis log.
Also let me know how the PC is running.
David

#9 AtomicBucket

AtomicBucket
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:45 PM

Posted 25 September 2006 - 03:48 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:42:04 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\AtomicBucket\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

It's working fine now! :thumbsup: Thanks,
Except for one thing. My sound, no, all my drivers are gone... :flowers: Is there a way I can get them back? I can't open 'Add Hardware' and 'Windows Update' doesn't work...

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:45 PM

Posted 25 September 2006 - 04:30 PM

I now see a clean log here; there are no signs of malware or anything that may cause the sound problems you are having. I recommend that you post your question in the following forum, as you will receive better help there. Let them know you have had your Hijackthis log checked, and it isn't a serious security issue.
Windows XP Home and Professional

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has anti-virus software running on it.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more often if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest available security updates installed.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would with anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David



