Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problem With Web Popups-please Help


  • This topic is locked This topic is locked
11 replies to this topic

#1 ddscott

ddscott

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 08 October 2006 - 07:51 PM

Keep having pop-ups as well as dial out attempts. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 7:44:07 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\IA\command.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Batty2\Batty2.exe
C:\WINNT\nzsbizxA.exe
C:\WINNT\cfg32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\?ppPatch\wucrtupd.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\CMFibula\CMFibula.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\cfg32a.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\rpcqu.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,cljugwh.exe
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [qqg638dd] RUNDLL32.EXE w243e107.dll,n 005638d800000012243e107
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [axpeup] C:\WINNT\system32\bglmur.exe reg_run
O4 - HKLM\..\Run: [nzsbizxA] C:\WINNT\nzsbizxA.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e23.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ROBUSTFTP] C:\Program Files\Robusst.ws\RobustFTP\robustftp.exe /STARTUP
O4 - HKCU\..\Run: [Sfgbju] C:\WINNT\system32\?ppPatch\wucrtupd.exe
O4 - HKCU\..\Run: [wuwfw] C:\WINNT\system32\bglmur.exe reg_run
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093817663921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136939185984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: BattyRun2.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\IA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nzsbizx.exe (file missing)

BC AdBot (Login to Remove)

 


#2 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:17 AM

Posted 09 October 2006 - 05:37 AM

Hi and welcome. My name is kairis and I will be helping you.
You have some crap there! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:
Step 1:
Please download Combofix
to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Step 2:
With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\rpcqu.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,cljugwh.exe
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - blank (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: BattyRun2.dll

Select Fix Checked
That should be it so please post
A new HijackThis log to confirm, thanks.

#3 ddscott

ddscott
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 09 October 2006 - 07:24 PM

It stills appears I have something-I still have popups!

Please let me know-I put the logs combo and hijack below.

Thanks for your help!!!!

Owner - 06-10-09 18:36:44.00 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{A11DE8FF-2C78-45EF-B121-D7BF2DD77943}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A11DE8FF-2C78-45EF-B121-D7BF2DD77943}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A11DE8FF-2C78-45EF-B121-D7BF2DD77943}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A11DE8FF-2C78-45EF-B121-D7BF2DD77943}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\system32\hp0023dmg.dll
C:\WINNT\system32\irp2l57o1.dll
C:\WINNT\system32\miiole32.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-06 07:40 142 abstm.dll.qoo
06-10-05 21:37 53 vbeopn.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\cfg32.exe
C:\WINNT\cfg32a.exe
C:\WINNT\system32\aaa00000.sys
C:\WINNT\system32\wnsintsv.exe
C:\WINNT\offun.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\uninstall_nmon.vbs
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Program Files\network monitor
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\WINNT\IA

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\SCURIT~1\iexplore.exe
C:\QooBox\Purity\Program Files\SCURIT~1\s?curity


((((((((((((((((((((((((((((((( Files Created from 2006-09-09 to 2006-10-09 ))))))))))))))))))))))))))))))))))


2006-10-08 19:30 32,768 --a------ C:\WINNT\knvpnwct.exe
2006-10-06 07:43 776,096 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-10-06 07:43 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-10-06 07:43 27,776 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-10-06 07:43 23,424 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-10-06 07:36 684,084 ---hs---- C:\WINNT\system32\geedc.dll
2006-10-05 21:39 45,056 --a------ C:\WINNT\cfg32s.dll
2006-10-05 21:39 397,312 --a------ C:\WINNT\cfg32p.dll
2006-10-05 21:39 110,592 --a------ C:\WINNT\cfg32o.dll
2006-10-05 21:39 102,400 --a------ C:\WINNT\cfg32r.dll
2006-10-05 21:37 827,824 -r-hs---- C:\WINNT\nzsbizxA.exe
2006-10-05 21:37 183,478 --a------ C:\WINNT\srvtiehiwb.exe
2006-10-05 21:36 32,768 --a------ C:\WINNT\unstall.exe
2006-10-05 21:36 32,768 --a------ C:\WINNT\DXCecho.exe
2006-10-05 21:36 217,276 --a------ C:\WINNT\srvzzlrfpx.exe
2006-10-05 21:36 147,456 --a------ C:\WINNT\aff_0006.exe
2006-10-05 21:36 131,072 --a------ C:\WINNT\system32\qirhg.dll
2006-10-05 21:36 1,233 --a------ C:\WINNT\system32\qqg638dd.sys
2006-10-05 21:35 433,636 --a------ C:\WINNT\hancermm.exe
2006-10-05 21:35 40,973 ---hs---- C:\WINNT\system32\yayawxw.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-09 18:39 -------- d-------- C:\Program Files\Common Files
2006-10-09 18:35 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-10-08 19:50 -------- d-------- C:\Program Files\HijackThis
2006-10-08 19:01 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 07:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-10-06 07:42 -------- d-------- C:\Program Files\Grisoft
2006-10-05 21:58 -------- d-------- C:\Program Files\The Cleaner
2006-10-05 21:37 -------- d-------- C:\Program Files\PSDream
2006-10-05 21:36 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-05 21:36 -------- d-------- C:\Program Files\Messenger
2006-10-05 21:35 -------- d-------- C:\Program Files\mm
2006-09-24 15:59 -------- d-------- C:\Program Files\Audacity
2006-08-07 10:17 61440 --a------ C:\WINNT\system32\BattyRun2.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ROBUSTFTP"="C:\\Program Files\\Robusst.ws\\RobustFTP\\robustftp.exe /STARTUP"
"Sfgbju"="C:\\WINNT\\system32\\?ppPatch\\wucrtupd.exe"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"GWMDMMSG"="GWMDMMSG.exe"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"PROMon.exe"="PROMon.exe"
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINNT\\UpdReg.EXE"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Desksite CMA"="c:\\program files\\desksite\\bin\\cma.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"DeskSiteAlert"="C:\\Program Files\\DeskSite\\binex\\DeskSiteAlert.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"RegistryMechanic"=""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"qqg638dd"="RUNDLL32.EXE w243e107.dll,n 005638d800000012243e107"
"ACTX1"="C:\\WINNT\\v1201.exe"
"nzsbizxA"="C:\\WINNT\\nzsbizxA.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Messenger\\pogogu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\mededizu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geedc

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Mon 10/09/2006 18:54:04.31
ComboFix.txt

HIJACK log:
Logfile of HijackThis v1.99.1
Scan saved at 7:20:12 PM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\nzsbizxA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\?ppPatch\wucrtupd.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [qqg638dd] RUNDLL32.EXE w243e107.dll,n 005638d800000012243e107
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [nzsbizxA] C:\WINNT\nzsbizxA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ROBUSTFTP] C:\Program Files\Robusst.ws\RobustFTP\robustftp.exe /STARTUP
O4 - HKCU\..\Run: [Sfgbju] C:\WINNT\system32\?ppPatch\wucrtupd.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093817663921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136939185984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nzsbizx.exe (file missing)

#4 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:17 AM

Posted 10 October 2006 - 04:01 AM

Hi, lets continue:

Step 1:
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Step 2:
Download KillBox
Unzip the folder to your desktop.* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:
C:\WINNT\knvpnwct.exe
C:\WINNT\system32\geedc.dll
C:\WINNT\cfg32s.dll
C:\WINNT\cfg32p.dll
C:\WINNT\cfg32o.dll
C:\WINNT\cfg32r.dll
C:\WINNT\nzsbizxA.exe
C:\WINNT\srvtiehiwb.exe
C:\WINNT\unstall.exe
C:\WINNT\DXCecho.exe
C:\WINNT\srvzzlrfpx.exe
C:\WINNT\aff_0006.exe
C:\WINNT\system32\qirhg.dll
C:\WINNT\system32\qqg638dd.sys
C:\WINNT\hancermm.exe
C:\WINNT\system32\yayawxw.dll
C:\WINNT\system32\BattyRun2.dll
C:\Program Files\mm
C:\Program Files\PSDream
  • Go to the File menu of Killbox, and choose Paste from Clipboard.
    NOTE: You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
  • Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
Post this log in your next reply.

Step 3:
Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as fix.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sfgbju"=-
"PSDream"=-
"CMFibula"=-

 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qqg638dd"=-
"ACTX1"=-
"nzsbizxA"=-
Now Locate and DoubleClick fix.reg-> Allow it to merge into the Registry!

Step 4:
Rerun Combofix.

Step 5:
In your next reply, please include the following logs: Vundofix-log, Fresh Hijackthis, Combofix-log and Killbox report. Thanks.

#5 ddscott

ddscott
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 11 October 2006 - 10:15 PM

Kairis:

I think I still have pop-ups! I appreciate all your work. Is there anything else that could be wrong? Here is the logs you need...

VundoFix V6.2.1

Checking Java version...

Scan started at 9:37:23 PM 10/11/2006

Listing files found while scanning....

C:\WINNT\system32\geedc.dll
C:\WINNT\system32\cdeeg.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\geedc.dll
C:\WINNT\system32\geedc.dll Has been deleted!

Attempting to delete C:\WINNT\system32\cdeeg.ini
C:\WINNT\system32\cdeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 9:50:04 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\nzsbizxA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\?ppPatch\wucrtupd.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINNT\cfg32r.dll
O2 - BHO: (no name) - {8EC2CD97-5A9F-482A-9086-27A49C058869} - C:\WINNT\system32\geedc.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [qqg638dd] RUNDLL32.EXE w243e107.dll,n 005638d800000012243e107
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [nzsbizxA] C:\WINNT\nzsbizxA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ROBUSTFTP] C:\Program Files\Robusst.ws\RobustFTP\robustftp.exe /STARTUP
O4 - HKCU\..\Run: [Sfgbju] C:\WINNT\system32\?ppPatch\wucrtupd.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093817663921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136939185984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nzsbizx.exe (file missing)

Pocket Killbox version 2.0.0.648
Running on Windows XP as Owner(Administrator)
was started @ Wednesday, October 11, 2006, 9:54 PM

# 1 [Delete on Reboot]
Path = C:\WINNT\knvpnwct.exe


# 2 [Delete on Reboot]
Path = C:\WINNT\cfg32s.dll


# 3 [Delete on Reboot]
Path = C:\WINNT\cfg32p.dll


# 4 [Delete on Reboot]
Path = C:\WINNT\cfg32o.dll


# 5 [Delete on Reboot]
Path = C:\WINNT\cfg32r.dll


# 6 [Delete on Reboot]
Path = C:\WINNT\nzsbizxA.exe


# 7 [Delete on Reboot]
Path = C:\WINNT\srvtiehiwb.exe


# 8 [Delete on Reboot]
Path = C:\WINNT\unstall.exe


# 9 [Delete on Reboot]
Path = C:\WINNT\DXCecho.exe


# 10 [Delete on Reboot]
Path = C:\WINNT\srvzzlrfpx.exe


# 11 [Delete on Reboot]
Path = C:\WINNT\aff_0006.exe


# 12 [Delete on Reboot]
Path = C:\WINNT\system32\qirhg.dll


# 13 [Delete on Reboot]
Path = C:\WINNT\system32\qqg638dd.sys


# 14 [Delete on Reboot]
Path = C:\WINNT\hancermm.exe


# 15 [Delete on Reboot]
Path = C:\WINNT\system32\yayawxw.dll


# 16 [Delete on Reboot]
Path = C:\WINNT\system32\BattyRun2.dll


# 17 [Delete on Reboot]
Path = C:\Program Files\mm


# 18 [Delete on Reboot]
Path = C:\Program Files\PSDream


I Rebooted @ 9:56:26 PM
Killbox Closed(Exit) @ 9:56:29 PM
__________________________________________________

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Wednesday, October 11, 2006, 10:00 PM

Killbox Closed(Exit) @ 10:00:21 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Owner(Administrator)
was started @ Wednesday, October 11, 2006, 10:01 PM

Owner - 06-10-11 22:06:34.75 Service Pack 2
ComboFix 06.10.11 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\SCURIT~1\s?curity


((((((((((((((((((((((((((((((( Files Created from 2006-09-11 to 2006-10-11 ))))))))))))))))))))))))))))))))))


2006-10-09 19:20 32,768 --a------ C:\WINNT\vifupauv.exe
2006-10-06 07:43 776,096 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-10-06 07:43 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-10-06 07:43 27,776 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-10-06 07:43 23,424 --a------ C:\WINNT\system32\drivers\avgmfrs.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-11 22:06 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-10-11 21:49 -------- d-------- C:\Program Files\HijackThis
2006-10-09 18:39 -------- d-------- C:\Program Files\Common Files
2006-10-08 19:01 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 07:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-10-06 07:42 -------- d-------- C:\Program Files\Grisoft
2006-10-05 21:58 -------- d-------- C:\Program Files\The Cleaner
2006-10-05 21:37 -------- d-------- C:\Program Files\PSDream
2006-10-05 21:36 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-05 21:36 -------- d-------- C:\Program Files\Messenger
2006-10-05 21:35 -------- d-------- C:\Program Files\mm
2006-09-24 15:59 -------- d-------- C:\Program Files\Audacity


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ROBUSTFTP"="C:\\Program Files\\Robusst.ws\\RobustFTP\\robustftp.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"GWMDMMSG"="GWMDMMSG.exe"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"PROMon.exe"="PROMon.exe"
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINNT\\UpdReg.EXE"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Desksite CMA"="c:\\program files\\desksite\\bin\\cma.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"DeskSiteAlert"="C:\\Program Files\\DeskSite\\binex\\DeskSiteAlert.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"RegistryMechanic"=""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Messenger\\pogogu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\mededizu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Wed 10/11/2006 22:08:28.98
ComboFix.txt
ComboFix2.txt

Logfile of HijackThis v1.99.1
Scan saved at 10:10:26 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\?ppPatch\wucrtupd.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfg32p.dll (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINNT\cfg32r.dll (file missing)
O2 - BHO: (no name) - {8EC2CD97-5A9F-482A-9086-27A49C058869} - C:\WINNT\system32\geedc.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ROBUSTFTP] C:\Program Files\Robusst.ws\RobustFTP\robustftp.exe /STARTUP
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093817663921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136939185984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nzsbizx.exe (file missing)

#6 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:17 AM

Posted 12 October 2006 - 01:29 AM

Hi and thanks for the logs. Go ahead and uninstall Vundofix and Killbox.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton AntiVirus Client or AVG7
Step 1:
With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfg32p.dll (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINNT\cfg32r.dll (file missing)
O2 - BHO: (no name) - {8EC2CD97-5A9F-482A-9086-27A49C058869} - C:\WINNT\system32\geedc.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll (file missing)

Select Fix Checked

Step2:
Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):
C:\WINNT\vifupauv.exe<==File

Step 3:
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step 4:
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 ddscott

ddscott
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 15 October 2006 - 04:14 PM

I couldnt get past the accept/decline page on the web scan. here is the smitfraudfix and hijack logs:
Logfile of HijackThis v1.99.1
Scan saved at 4:09:40 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ROBUSTFTP] C:\Program Files\Robusst.ws\RobustFTP\robustftp.exe /STARTUP
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093817663921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136939185984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nzsbizx.exe (file missing)

SmitFraudFix v2.109

Scan done at 16:03:43.65, Sun 10/15/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\WINNT\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Messenger\\pogogu.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\mededizu.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#8 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:17 AM

Posted 16 October 2006 - 01:45 AM

We need to temporary disable SpySweeper that it doesn't prevent fixes:1. Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
2. On the left click "shields" and then uncheck everything there.
3. Uncheck "home page shield".
4. Uncheck "automatically restore default without notification".
5. Exit the program.
Then download Dr.Web CureIt to your desktop:
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow > to the right and the scan will begin.
  • At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, click the "Select all/select none" toggle button (if available) next to the files found: Posted Image
  • Then click the green cup icon right below
    and select Move incurable as you'll see in next image:
    Posted Image
    This will move any infected files to the %userprofile%\DoctorWeb\quarantaine-folder that can't be cured (in case if we need samples).
  • Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
  • After the restart, post the contents of the Dr.Web.csv log file which you saved.
With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
Select Fix Checked

In your next reply, please include the following logs: Fresh Hijackthis, and Dr.Web report. Thanks.

#9 ddscott

ddscott
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 19 October 2006 - 07:15 PM

Here are the fresh Hijack logs and DrWeb logs. Thanks for your continued help.

Logfile of HijackThis v1.99.1
Scan saved at 7:08:53 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ROBUSTFTP] C:\Program Files\Robusst.ws\RobustFTP\robustftp.exe /STARTUP
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093817663921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136939185984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nzsbizx.exe (file missing)

DrWeb.cvs

pogogu.html\Javascript.0;c:\program files\messenger\pogogu.html;Trojan.Click.1237;;
pogogu.html;c:\program files\messenger;Archive contains infected objects;Moved.;
mededizu.html\Javascript.0;c:\program files\msn gaming zone\mededizu.html;Trojan.Click.1237;;
mededizu.html;c:\program files\msn gaming zone;Archive contains infected objects;Moved.;
aff_0006.exe;C:\!KillBox;Adware.Ykemi;Incurable.Moved.;
cfg32o.dll;C:\!KillBox;Adware.BookedSpace;Incurable.Moved.;
cfg32p.dll;C:\!KillBox;Adware.BookedSpace;Incurable.Moved.;
cfg32r.dll;C:\!KillBox;Adware.BookedSpace;Incurable.Moved.;
cfg32s.dll;C:\!KillBox;Adware.BookedSpace;Incurable.Moved.;
DXCecho.exe;C:\!KillBox;Adware.Surfside;Incurable.Moved.;
knvpnwct.exe;C:\!KillBox;Adware.BookedSpace;Incurable.Moved.;
qirhg.dll;C:\!KillBox;Adware.ClickSpring;Incurable.Moved.;
TopSearch.exe;C:\!KillBox;Adware.TopSearch;Incurable.Moved.;
unstall.exe;C:\!KillBox;Adware.MediaMotor;Incurable.Moved.;
AutoSearch.dll;C:\Documents and Settings\All Users\Application Data;Adware.Ykemi;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
installdrivecleanerstart[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5CSH07NI;Trojan.DownLoader.13909;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AIMD8ZV9;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GB9VYYZ5;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ISHUVK01;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ISHUVK01;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MFK9UXKJ;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK55Z04O;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK55Z04O;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OD2ZC967;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QN8FUBMD;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHQ50H4Z;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHQ50H4Z;Trojan.Click.1394;Deleted.;
cleaner.log;C:\Program Files\Microsoft AntiSpyware;Probably MACRO.SCRIPT.IRC.WORM.Virus;Incurable.Moved.;
221112BC-C822-4D7A-A08C-3D8484;C:\Program Files\Microsoft AntiSpyware\Quarantine\0E8ECF26-2887-4AE0-9015-6AD702;Adware.NavHelper;Incurable.Moved.;
49AA3FF5-27AC-4486-8480-C748DC;C:\Program Files\Microsoft AntiSpyware\Quarantine\0E8ECF26-2887-4AE0-9015-6AD702;Adware.NavHelper;Incurable.Moved.;
EC107576-15A2-4560-A497-7C6D13;C:\Program Files\Microsoft AntiSpyware\Quarantine\0E8ECF26-2887-4AE0-9015-6AD702;Adware.NavHelper;Incurable.Moved.;
5455D7D0-9EDE-4A00-8DFB-405B8D\data001;C:\Program Files\Microsoft AntiSpyware\Quarantine\7317CE9E-C2B3-4FB5-972E-6776C5\5455D7D0-9EDE-4A00-8DFB-405B8D;Adware.PeerNet;;
5455D7D0-9EDE-4A00-8DFB-405B8D;C:\Program Files\Microsoft AntiSpyware\Quarantine\7317CE9E-C2B3-4FB5-972E-6776C5;Archive contains infected objects;Moved.;
D864287A-ADDA-4018-A633-F8B55C\data001;C:\Program Files\Microsoft AntiSpyware\Quarantine\7317CE9E-C2B3-4FB5-972E-6776C5\D864287A-ADDA-4018-A633-F8B55C;Adware.PeerNet;;
D864287A-ADDA-4018-A633-F8B55C;C:\Program Files\Microsoft AntiSpyware\Quarantine\7317CE9E-C2B3-4FB5-972E-6776C5;Archive contains infected objects;Moved.;
054EF6EA-79BB-46C1-8326-F8D776\data001;C:\Program Files\Microsoft AntiSpyware\Quarantine\D0F25417-6BED-4398-9A7F-DFEE03\054EF6EA-79BB-46C1-8326-F8D776;Adware.PeerNet;;
054EF6EA-79BB-46C1-8326-F8D776;C:\Program Files\Microsoft AntiSpyware\Quarantine\D0F25417-6BED-4398-9A7F-DFEE03;Archive contains infected objects;Moved.;
MY2NS.EXE;C:\Program Files\MyWay\myBar\1.bin;Adware.MyWay;Incurable.Moved.;
PSDream.exe;C:\Program Files\PSDream;Adware.SearchAid;Incurable.Moved.;
Dc1.exe;C:\RECYCLER\S-1-5-21-3233042676-1685927933-429115175-1003;Adware.BookedSpace;Incurable.Moved.;
A0060974.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;BackDoor.Generic.1372;Deleted.;
A0060975.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;BackDoor.Generic.1372;Deleted.;
A0060986.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;Adware.Surfside;Incurable.Moved.;
A0060987.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;Adware.Surfside;Incurable.Moved.;
A0060988.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;Adware.Surfside;Incurable.Moved.;
A0060989.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;Adware.Surfside;Incurable.Moved.;
A0060991.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP669;Adware.Surfside;Incurable.Moved.;
A0061331.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061332.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061335.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Bagon;Incurable.Moved.;
A0061336.exe\data001;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671\A0061336.exe;Adware.ClickSpring;;
A0061336.exe\data002;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671\A0061336.exe;Adware.ClickSpring;;
A0061336.exe\data003;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671\A0061336.exe;Trojan.PurityAd;;
A0061336.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Archive contains infected objects;Moved.;
A0061342.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Trojan.DnsChange;Deleted.;
A0061472.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Casclient;Incurable.Moved.;
A0061473.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Casclient;Incurable.Moved.;
A0061474.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Axfibula;Incurable.Moved.;
A0061475.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Trojan.Proxy.493;Deleted.;
A0061476.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Trojan.Proxy.493;Deleted.;
A0061477.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Look2me;Incurable.Moved.;
A0061478.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Look2me;Incurable.Moved.;
A0061479.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Look2me;Incurable.Moved.;
A0061491.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Ucmore;Incurable.Moved.;
A0061492.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Look2me;Incurable.Moved.;
A0061493.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Ykemi;Incurable.Moved.;
A0061494.exe\data001;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671\A0061494.exe;Adware.Bagon;;
A0061494.exe\data002;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671\A0061494.exe;Adware.Bagon;;
A0061494.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Archive contains infected objects;Moved.;
A0061573.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061574.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061575.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061576.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061577.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.BookedSpace;Incurable.Moved.;
A0061580.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.MediaMotor;Incurable.Moved.;
A0061581.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Surfside;Incurable.Moved.;
A0061583.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.Ykemi;Incurable.Moved.;
A0061584.dll;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP671;Adware.ClickSpring;Incurable.Moved.;
motorsix.ocx;C:\WINNT;Adware.MediaMotor;Incurable.Moved.;
remove.exe;C:\WINNT\browserxtras\pn;Trojan.MulDrop.1065;Incurable.Moved.;

#10 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:17 AM

Posted 20 October 2006 - 03:10 AM

Looks good! Your log is clean!
You can delete all of the tools that I had you download for us to use.
Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer *Close all instances of Outlook Express and Internet Explorer
*Go to Control Panel > Internet Options > General tab
*Click the "Delete Cookies" button
*Next to it, Click the "Delete Files" button
*When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): *Go to Tools > Options.
*Click Privacy in the menu on the left side of the Options window.
*Click the Clear button located to the right of each option (History, Cookies, Cache).
*Click OK to close the Options windowAlternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin *Go to start > run and type: cleanmgr and click ok.
*Let it scan your system for files to remove.
*Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
*Press OK to remove them.
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and enable system restore to make sure there are no infected files found in a restore point.
Windows XP System Restore Guide
Renable system restore with instructions from tutorial above
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!
How the system running now?

#11 ddscott

ddscott
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 23 October 2006 - 08:07 PM

Kairis:

Thanks for all your help! Things seem to be working fine. I appreciate the time and help.

I will be back with questions when needed!

Thanks again,
Dylan

#12 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:17 AM

Posted 25 October 2006 - 08:17 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users