Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help, Hijacked


  • This topic is locked This topic is locked
12 replies to this topic

#1 jetusus

jetusus

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 10 October 2006 - 10:33 PM

I have been bombarded with a barrage of pop ups from the likes of Party Poker, and many more. I have downloded and ran Adaware,Spybot,Trend,Stinger, and yet still pops up, and other wierd stuff. I have downloaded HijackThis and did a scan and have recorded the log ( i'm not that much of a pro to read and fix this ) just wondering if some could help me . I'm running Win xp.

thanks


Jetusus


Logfile of HijackThis v1.99.1
Scan saved at 11:28:16 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\kybrdff_e26.exe
C:\Program Files\Common Files\{320D180E-05DA-1033-0803-040517200001}\Update.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\stng260.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e26.exe
O4 - HKCU\..\Run: [WinMedia] C:\tyeoh3584.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00026.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160364629046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\n46q0ej5eho.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

BC AdBot (Login to Remove)

 


#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 13 October 2006 - 07:08 AM

Hi jetusus, you're infected.

One of the infections is a keylogger (program that logs keystrokes). If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

You should print these instructions or save these to a text file. Follow these instructions carefully.

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do itís job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows.

4.When normal mode:
  • Download this file - combofix.exe
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

UNITE & ASAP member since 2006
Posted Image
Posted Image

#3 jetusus

jetusus
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 14 October 2006 - 09:05 PM

HI Mr_JAk3,

I've performed exactly as you have instructed and here is the ComBoFix Log and and a nw HijackThis log.


user - 06-10-14 21:45:40.04 Service Pack 2
ComboFix 06.10.14.1 - Running from: "C:\BFU"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{5E501F0C-0B91-46A2-9A39-D2B584AAC9F0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5E501F0C-0B91-46A2-9A39-D2B584AAC9F0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{5E501F0C-0B91-46A2-9A39-D2B584AAC9F0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5E501F0C-0B91-46A2-9A39-D2B584AAC9F0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{47E139E0-8F7B-4D22-B0C7-E30FD6159D36}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{47E139E0-8F7B-4D22-B0C7-E30FD6159D36}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{47E139E0-8F7B-4D22-B0C7-E30FD6159D36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{47E139E0-8F7B-4D22-B0C7-E30FD6159D36}\InprocServer32]
@="C:\\WINDOWS\\system32\\ctmsvcs.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{1F9DCF11-82D3-402C-BB27-EF9523316878}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{1F9DCF11-82D3-402C-BB27-EF9523316878}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{1F9DCF11-82D3-402C-BB27-EF9523316878}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{1F9DCF11-82D3-402C-BB27-EF9523316878}\InprocServer32]
@="C:\\WINDOWS\\system32\\mxc40u.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C3115BAD-AECE-45C5-B3F8-82496D15FE4C}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C3115BAD-AECE-45C5-B3F8-82496D15FE4C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C3115BAD-AECE-45C5-B3F8-82496D15FE4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C3115BAD-AECE-45C5-B3F8-82496D15FE4C}\InprocServer32]
@="C:\\WINDOWS\\system32\\lgk.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{34CFCB17-9BFA-453A-A757-C9F6A11A245A}]
@=""

[HKEY_CLASSES_ROOT\clsid\{34CFCB17-9BFA-453A-A757-C9F6A11A245A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{34CFCB17-9BFA-453A-A757-C9F6A11A245A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{34CFCB17-9BFA-453A-A757-C9F6A11A245A}\InprocServer32]
@="C:\\WINDOWS\\system32\\crnfmsp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F7064D51-780D-40C3-9E99-EC6192F11AC1}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F7064D51-780D-40C3-9E99-EC6192F11AC1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F7064D51-780D-40C3-9E99-EC6192F11AC1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F7064D51-780D-40C3-9E99-EC6192F11AC1}\InprocServer32]
@="C:\\WINDOWS\\system32\\iixmontr.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\lvrq0995e.dll
C:\WINDOWS\system32\g0lmla311d.dll
C:\WINDOWS\system32\enl4l13q1.dll
C:\WINDOWS\system32\in32_32.dll
C:\WINDOWS\system32\g8220ifoe82c0.dll
C:\WINDOWS\system32\lvn2095oe.dll
C:\WINDOWS\system32\iixmontr.dll
C:\WINDOWS\system32\enj6l11s1.dll
C:\WINDOWS\system32\MHC71ITA.DLL
C:\WINDOWS\system32\rZsppp.dll
C:\WINDOWS\system32\tRpi.dll
C:\WINDOWS\system32\guard.tmp_tobedeleted


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Guest\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Guest\Application Data\Dxcuknwrd.dll
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\DeluxeCommunications\Dxc.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Deskbar
C:\Program Files\Common Files\{320D180E-05DA-1033-0803-040517200001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-14 to 2006-10-14 ))))))))))))))))))))))))))))))))))


2006-10-10 20:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-10 20:29 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-08 23:22 3,584 -r-hs---- C:\tyeoh3584.exe
2006-10-06 16:13 32,768 --a------ C:\DXC9.exe
2006-10-06 16:13 217,276 --a------ C:\WINDOWS\srvoskfjoh.exe
2006-10-05 22:24 115,947 --a------ C:\Documents and Settings\user\mny.exe
2006-10-05 22:24 115,712 --a------ C:\Documents and Settings\user\c.exe
2006-10-05 22:22 0 -r--s---- C:\WINDOWS\system32\hrrq0595e.dll
2006-10-05 22:11 1,465 --a------ C:\ovvpecjh.exe
2006-10-05 22:11 1,233 --a------ C:\WINDOWS\system32\aef63407.sys
2006-10-05 22:10 76,800 --a------ C:\ccreenfd.exe
2006-10-05 22:10 115,947 --a------ C:\WINDOWS\system32\mny.exe
2006-10-05 22:10 115,712 --a------ C:\WINDOWS\system32\c.exe
2006-10-01 16:21 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-10-01 16:20 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-10-01 16:20 44,544 --a------ C:\WINDOWS\system32\OVUI2.dll
2006-10-01 16:20 41,984 --a------ C:\WINDOWS\system32\OVUI2RC.dll
2006-10-01 16:20 39,424 --a------ C:\WINDOWS\system32\OVComS.exe
2006-10-01 16:20 351,616 --a------ C:\WINDOWS\system32\drivers\OVCodek2.sys
2006-10-01 16:20 28,032 --a------ C:\WINDOWS\system32\drivers\OVCD.sys
2006-10-01 16:20 20,480 --a------ C:\WINDOWS\system32\OVComC.dll
2006-10-01 16:20 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-10-01 16:20 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-10-01 16:20 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-10-01 16:20 116,736 --a------ C:\WINDOWS\system32\OVCodec2.dll
2006-10-01 16:20 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-10-01 16:20 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-10-01 16:19 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-01 16:19 48,000 --a------ C:\WINDOWS\system32\drivers\OVCam2.sys
2006-09-21 18:11 991,232 --a------ C:\WINDOWS\system32\W22MLRES.DLL
2006-09-15 17:21 53,248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53,248 --a------ C:\WINDOWS\uni_e6h.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="Alaunch"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinLogon"="C:\\WINDOWS\\logon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://img.bleepingcomputer.com/navbars/home-navbar.gif"
"SubscribedURL"="http://img.bleepingcomputer.com/navbars/home-navbar.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,ee,02,00,00,6b,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,56,06,41,c0,b4,74,28,11,66,02,68,de,56,06,20,6d,\
56,06,28,c5,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,52,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax DllCmd 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax DllCmd 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GDLL~1.EXE /R"
"item"="eFax DllCmd 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GTray.exe "
"item"="eFax Tray Menu 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Status Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\Status Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Brother\\Brmfcmon\\BrMfcWnd.exe Brother MFC-5440CN /STARTUP"
"item"="Status Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^PaperMaster Live Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\PaperMaster Live Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Live Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GDLL~1.EXE /R /K \"C:\\Program Files\\PaperMaster Pro 7.0\\J2GPfcW.dll\",JSPFCWSetHooking,1,0,0,0"
"item"="PaperMaster Live Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^PaperMaster Tray Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\PaperMaster Tray Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Tray Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GTray.exe "
"item"="PaperMaster Tray Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="brctrcen"
"hkey"="HKLM"
"command"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="epm-dm"
"hkey"="HKLM"
"command"="c:\\acer\\epm\\epm-dm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ePM"
"hkey"="HKLM"
"command"="C:\\Acer\\ePM\\ePM.exe boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon04"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd04"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IndexSearch"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbkbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QtZgAcer"
"hkey"="HKLM"
"command"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QBCMAgent"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intuit\\QuickBooks Client Manager\\QBCMAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSBkgdupdate"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA VOIP Phone]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TOSHIBAVOIPPhone"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\VOIP Phone\\TOSHIBAVOIPPhone.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-14 21:48:50.92
C:\ComboFix.txt ... 06-10-14 21:48














Logfile of HijackThis v1.99.1
Scan saved at 10:00:47 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int25.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160364629046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 15 October 2006 - 05:03 AM

Hi again, we'll continue :thumbsup:

1. Download gmer from http://www.gmer.net
2. Save it somewhere safe & unzip it to desktop
3. Double click the gmer.exe to run it and select the rootkit tab, press scan
4. When it has finished, right-click the entry highlighted in red - [System] pe386
5. Select 'Delete the service' & then reboot your machine.

Posted Image

6. Double click the gmer.exe to run it and select the rootkit tab, press scan
7. Once done, click the Copy button. This will copy the results to your clipboard.
9. Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

Edited by Mr_JAk3, 15 October 2006 - 05:03 AM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#5 jetusus

jetusus
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 16 October 2006 - 10:05 PM

Hi,

I've done exactly what you have told me.




GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-16 23:01:37
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.11 ----

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F9DC3C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSE [F9DC3C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CONTROL [F9DC34A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DC33D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_POWER [F9DC3386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F9DC34A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP [F9DC3E88] SMBCLASS.SYS

---- EOF - GMER 1.0.11 ----

#6 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 17 October 2006 - 01:54 AM

Hi again :thumbsup:

You were able to remove that "[System] pe386" without any problems, rigth ?

Please post a fresh HijackThis log and we'll continue :flowers:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#7 jetusus

jetusus
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 18 October 2006 - 08:55 PM

Idid seem to have removed "[System] pe386" without any problems.





Logfile of HijackThis v1.99.1
Scan saved at 9:50:17 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int25.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160364629046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 19 October 2006 - 07:28 AM

HI again, we'll continue :thumbsup:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.

Then, make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Copy the following filenames to a Notepad file and save it to your desktop! We will need the file later.

C:\tyeoh3584.exe
C:\DXC9.exe
C:\WINDOWS\srvoskfjoh.exe
C:\Documents and Settings\user\mny.exe
C:\Documents and Settings\user\c.exe
C:\WINDOWS\system32\hrrq0595e.dll
C:\ovvpecjh.exe
C:\WINDOWS\system32\aef63407.sys
C:\ccreenfd.exe
C:\WINDOWS\system32\mny.exe
C:\WINDOWS\system32\c.exe
C:\WINDOWS\uninst108.exe
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\logon.exe


==================

Open Control Panel -> Add/Remove programs -> Remove all the of the following programs if found:

PartyPoker
MyWebSearch


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinLogon"=-


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int25.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll


Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Once in Safe Mode, please run Killbox.
Select "Delete on Reboot".
Select "All Files".

Open the text file with the filenames in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart the computer to the safe mode again.

Go to the My Computer and delete the following folders (if present):
C:\Program Files\PartyGaming
C:\Program Files\MyWebSearch

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log

Edited by Mr_JAk3, 19 October 2006 - 07:29 AM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#9 jetusus

jetusus
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 24 October 2006 - 11:13 PM

Here it is.




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:56:49 PM 10/24/2006

+ Scan result:



C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP256\A0154101.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP256\A0154102.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157723.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154162.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154179.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154190.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154196.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154207.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0157211.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157638.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157645.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157668.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157682.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157683.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157694.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157695.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157748.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157749.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157773.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157791.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157803.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157808.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157812.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157817.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157820.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157845.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157850.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157876.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157877.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157878.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157879.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157880.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157881.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157882.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157883.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157884.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157885.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157886.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157728.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153914.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153915.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153945.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153947.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0154022.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0154023.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP256\A0154095.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154115.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154125.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154156.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154157.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154158.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154167.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154168.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154169.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154185.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0155213.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0155214.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0157213.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0157214.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157651.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157781.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157782.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157826.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157838.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157840.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157859.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157874.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157875.DLL -> Adware.Softomate : Cleaned with backup (quarantined).
HKU\S-1-5-21-4169927837-2544305661-1147235644-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined).
C:\!KillBox\DXC9.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\iB.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\u15.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\u17.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\u18.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157863.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157866.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157867.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157868.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP261\A0161146.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157746.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157746.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157746.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP256\A0154104.exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154121.rbf -> Backdoor.MSNMaker.z : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\Temporary Internet Files\Content.IE5\OD89KRC9\loader[1].exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153913.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153951.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0154013.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0154025.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154177.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0154204.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0155217.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0157212.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157654.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157736.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157827.exe -> Downloader.Adload.gg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157828.exe -> Downloader.Adload.gg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157831.exe -> Downloader.Adload.gg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157835.exe -> Downloader.Adload.gg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157703.exe -> Downloader.Adload.gm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157833.exe -> Downloader.Adload.gn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157704.exe -> Downloader.Adload.go : Cleaned with backup (quarantined).
C:\nwnmff_e26.exe_tobedeleted -> Downloader.Adload.go : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157666.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157743.exe -> Downloader.Agent.azc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157770.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP258\A0157712.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\!KillBox\ovvpecjh.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153928.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0153961.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP255\A0154035.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP257\A0157324.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP261\A0161151.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\!KillBox\tyeoh3584.exe -> Downloader.Tiny.cl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP261\A0161145.exe -> Downloader.Tiny.cl : Cleaned with backup (quarantined).
C:\bintheredunthat\ms058926839712006.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lzx32.sys -> Hijacker.Costrat.n : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Program Files\MSN\vinonyle.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\Temporary Internet Files\Content.IE5\OD89KRC9\send_car_int[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\Temporary Internet Files\Content.IE5\WXM7SHEV\send_ocx_sof[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP259\A0157771.exe -> Trojan.Sinowal.az : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00027.dll -> Trojan.Sinowal.be : Cleaned with backup (quarantined).
C:\!KillBox\uninst108.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP261\A0161156.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end










Logfile of HijackThis v1.99.1
Scan saved at 12:09:18 AM, on 10/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160364629046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#10 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 25 October 2006 - 01:27 AM

Hi again, we'll continue :thumbsup:

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

Then:
  • Download this file - combofix.exe
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

UNITE & ASAP member since 2006
Posted Image
Posted Image

#11 jetusus

jetusus
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 25 October 2006 - 06:24 PM

Here it is, and i really thank you for helping me. I will changed passwords and notify institutions.





user - 06-10-25 19:14:47.90 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\user\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))


2006-10-19 22:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-10 20:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-10 20:29 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-01 16:21 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-10-01 16:20 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-10-01 16:20 44,544 --a------ C:\WINDOWS\system32\OVUI2.dll
2006-10-01 16:20 41,984 --a------ C:\WINDOWS\system32\OVUI2RC.dll
2006-10-01 16:20 39,424 --a------ C:\WINDOWS\system32\OVComS.exe
2006-10-01 16:20 351,616 --a------ C:\WINDOWS\system32\drivers\OVCodek2.sys
2006-10-01 16:20 28,032 --a------ C:\WINDOWS\system32\drivers\OVCD.sys
2006-10-01 16:20 20,480 --a------ C:\WINDOWS\system32\OVComC.dll
2006-10-01 16:20 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-10-01 16:20 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-10-01 16:20 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-10-01 16:20 116,736 --a------ C:\WINDOWS\system32\OVCodec2.dll
2006-10-01 16:20 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-10-01 16:20 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-10-01 16:19 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-01 16:19 48,000 --a------ C:\WINDOWS\system32\drivers\OVCam2.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="Alaunch"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://img.bleepingcomputer.com/navbars/home-navbar.gif"
"SubscribedURL"="http://img.bleepingcomputer.com/navbars/home-navbar.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,ee,02,00,00,6b,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,56,06,41,c0,b4,74,28,11,66,02,68,de,56,06,20,6d,\
56,06,28,c5,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,52,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax DllCmd 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax DllCmd 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GDLL~1.EXE /R"
"item"="eFax DllCmd 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GTray.exe "
"item"="eFax Tray Menu 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Status Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\Status Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Brother\\Brmfcmon\\BrMfcWnd.exe Brother MFC-5440CN /STARTUP"
"item"="Status Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^PaperMaster Live Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\PaperMaster Live Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Live Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GDLL~1.EXE /R /K \"C:\\Program Files\\PaperMaster Pro 7.0\\J2GPfcW.dll\",JSPFCWSetHooking,1,0,0,0"
"item"="PaperMaster Live Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^PaperMaster Tray Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\PaperMaster Tray Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Tray Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GTray.exe "
"item"="PaperMaster Tray Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="brctrcen"
"hkey"="HKLM"
"command"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="epm-dm"
"hkey"="HKLM"
"command"="c:\\acer\\epm\\epm-dm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ePM"
"hkey"="HKLM"
"command"="C:\\Acer\\ePM\\ePM.exe boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon04"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd04"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IndexSearch"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbkbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QtZgAcer"
"hkey"="HKLM"
"command"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QBCMAgent"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intuit\\QuickBooks Client Manager\\QBCMAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSBkgdupdate"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA VOIP Phone]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TOSHIBAVOIPPhone"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\VOIP Phone\\TOSHIBAVOIPPhone.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-25 19:15:32.03
C:\ComboFix2.txt ... 06-10-14 21:48
C:\ComboFix.txt ... 06-10-25 19:15








Logfile of HijackThis v1.99.1
Scan saved at 7:21:26 PM, on 10/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160364629046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 26 October 2006 - 01:11 PM

Hi again, it is looking clean now :thumbsup:
The computer is running fine ?

Fix this leftover with HijackThis:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...4YYGB_undefined

Reboot, scan again with Hijackthis. if the O8 entry is still there, let me know.

You don't seem to a firewall running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.


These are good (free) firewalls:Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools that we used during the clening process.
You can delete the following backup folder: C:\!Killbox

Then you should update your Java to the latest version (5.0 update 9)
  • Start
  • Control Panel
  • Add/Remove Programs
  • Delete the old Java, J2SE Runtime Environment 5.0 Update 6
  • Then we'll get the latest version of Java -> LINK
  • Scroll down to Java Runtime Environment (JRE) 5.0 Update 9
  • Download & install it
Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is faster, safer and better browser than Internet Explorer.
  • Keep your systen up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted !
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)

Edited by Mr_JAk3, 26 October 2006 - 01:12 PM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#13 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:09 PM

Posted 31 October 2006 - 08:36 AM

Hi again, nice that we were able to help :thumbsup:

I have splitted your other log to a new topic, here.

It is easier to handle only one computer in one topic :flowers:
UNITE & ASAP member since 2006
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users