
Hijackthis Log


12 replies to this topic

#1 teamneon

Posted 04 November 2006 - 09:56 AM

Someone got some nasty viruses on my spare laptop and I've done my best to clean them up with AVG. I've also removed some obvious HijackThis stuff but need help with the rest.
A lot of my log is from RoboForm, which isn't working worth a crap right now. It's not showing up in my IE bar and when I launch it, it says IE script error... so I'll probably uninstall it and reinstall.
Anyway, here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:41 AM, on 11/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {6ABE4BC3-7253-418E-85E8-F334A73154D3} (CSmartClient Object) - http://www.smart-clip.com/activex/SmartClip.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
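As an added example (not code from this thread, from HijackThis, or from BleepingComputer), here is a small Python parser for the HijackThis log format shown above. It separates the header, the "Running processes" list and the Rn/On entries, then flags the kinds of lines a log helper reviews first: unnamed O2 BHOs (especially ones marked "(file missing)"), O6 policy restrictions, and O16 ActiveX downloads. The sample log is assembled from lines posted in this thread; the KNOWN_GOOD_BHO_FILES allowlist is an assumption an analyst would maintain, and a flag means "review this", not a verdict.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# One HijackThis entry: a code such as R0/O2/O23, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumed analyst allowlist (example only). Spybot's SDHelper.dll is a
# legitimate BHO that HijackThis 1.99 lists as "(no name)".
KNOWN_GOOD_BHO_FILES = {"sdhelper.dll"}

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:08:28 AM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\jamielaw\jamielaw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3BF96896-024E-4008-93B7-60E0E5451E81} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {6ABE4BC3-7253-418E-85E8-F334A73154D3} (CSmartClient Object) - http://www.smart-clip.com/activex/SmartClip.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""


@dataclass
class HjtLog:
    version: str = ""
    platform: str = ""
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)   # (code, body) tuples


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis log into header fields, running processes and entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False            # a blank line closes the process list
            continue
        if line.startswith("Logfile of HijackThis"):
            log.version = line.rsplit(" ", 1)[1]
        elif line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.append((m.group("code"), m.group("body")))
    return log


def triage(log: HjtLog) -> list:
    """Return (code, reason, body) for entries a log reader would look at first."""
    findings = []
    for code, body in log.entries:
        if code == "O2" and "(no name)" in body:
            # Last path component, minus the "(file missing)" marker.
            dll = body.rsplit("\\", 1)[-1].replace("(file missing)", "").strip().lower()
            if dll in KNOWN_GOOD_BHO_FILES:
                continue
            reason = "unnamed BHO"
            if body.endswith("(file missing)"):
                reason += " whose DLL is missing from disk"
            findings.append((code, reason, body))
        elif code == "O6":
            findings.append((code, "IE policy restriction set in the registry", body))
        elif code == "O16":
            url = URL_RE.search(body)
            host = urlparse(url.group(0)).hostname if url else "unknown host"
            findings.append((code, f"ActiveX control downloaded from {host}", body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(f"HijackThis {parsed.version} on {parsed.platform}, "
          f"{len(parsed.processes)} processes, {len(parsed.entries)} entries")
    for code, reason, body in triage(parsed):
        print(f"[{code}] {reason}\n      {body}")
```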


#2 jamielaw


Posted 04 November 2006 - 11:14 AM

Welcome teamneon! :thumbsup:

I will be helping you under the guidance of one of our expert coaches.

Please give me a little time to get back to you with instructions.

Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#3 jamielaw


Posted 04 November 2006 - 12:37 PM

Hey teamneon

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Firewall:

Please download one of these free firewalls and install it, either ZoneAlarm or OutPost.

Rename Hijackthis:

1. Locate the program Hijackthis.
2. Select the file, right-click and select Rename.
3. Please change the name to: jamielaw

Vundo Fix:

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download Clean.bat to your desktop: This file is used to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat Save it on your desktop for later use

Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log.


#4 teamneon

Posted 06 November 2006 - 08:44 AM

OK... here are my new logs,
Kaspersky then HijackThis.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 06, 2006 7:03:14 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/11/2006
Kaspersky Anti-Virus database records: 238530
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44150
Number of viruses found: 14
Number of infected objects: 75 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:43:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d84451a0eb9ffa394e9994d50f7012da_37891e4a-58e9-4b7e-8b93-d6ebc5672ba7 Object is locked skipped
C:\Documents and Settings\Jimmy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Desktop\phoneTools\cellsoftware\xp-smoker\xpspro.exe/Stream/data0039 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\Documents and Settings\Jimmy\Desktop\phoneTools\cellsoftware\xp-smoker\xpspro.exe/Stream Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\Documents and Settings\Jimmy\Desktop\phoneTools\cellsoftware\xp-smoker\xpspro.exe Inno: infected - 2 skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Identities\{8342D764-B5D5-441C-8CB6-B39CFBB0DE83}\Microsoft\Outlook Express\Ebay Questions.dbx/[From "eBay Member: team-neon" <member@ebay.com>][Date Sun, 12 Jun 2005 07:10:18 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Identities\{8342D764-B5D5-441C-8CB6-B39CFBB0DE83}\Microsoft\Outlook Express\Ebay Questions.dbx/[From "eBay Member: team-neon" <member@ebay.com>][Date Sun, 12 Jun 2005 07:10:18 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Identities\{8342D764-B5D5-441C-8CB6-B39CFBB0DE83}\Microsoft\Outlook Express\Ebay Questions.dbx/[From "eBay Member: team-neon" <member@ebay.com>][Date Sun, 12 Jun 2005 07:20:18 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Identities\{8342D764-B5D5-441C-8CB6-B39CFBB0DE83}\Microsoft\Outlook Express\Ebay Questions.dbx/[From "eBay Member: team-neon" <member@ebay.com>][Date Sun, 12 Jun 2005 07:20:18 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Identities\{8342D764-B5D5-441C-8CB6-B39CFBB0DE83}\Microsoft\Outlook Express\Ebay Questions.dbx Mail MS Outlook 5: infected - 4 skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Ebay Questions/12 Jun 2005 14:10 from eBay Member: team-neon:Question for eBay .eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Ebay Questions/12 Jun 2005 14:20 from eBay Member: team-neon:Question for eBay .eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\History\History.IE5\MSHist012006110520061106\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\~DFEBFE.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jimmy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs Infected: not-virus:BadJoke.JS.RJump skipped
C:\Program Files\VSAdd-in\VSAdd-in.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Program Files\XP Smoker\shutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035854.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035855.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035857.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035859.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035860.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035864.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035865.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035866.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035868.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035873.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035874.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035875.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035876.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035877.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035878.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035878.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035878.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035879.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035880.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035882.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035883.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035884.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035884.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035884.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035884.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035885.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035886.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035887.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035888.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035889.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035890.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035927.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035933.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035934.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035935.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035936.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0036286.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0036290.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0036291.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036930.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036965.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036971.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036973.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036974.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036977.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036983.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036988.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036989.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036992.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036993.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036994.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036995.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036996.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036997.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036998.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036999.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037006.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037007.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037011.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037017.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037018.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037021.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037022.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037023.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037050.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037051.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037055.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037056.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037064.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0037065.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP122\A0037077.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP122\A0037078.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP122\A0037079.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037137.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037138.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037139.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037140.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037141.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037142.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037145.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037146.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037151.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP123\A0037158.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037188.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037201.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037202.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037203.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037204.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037205.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037206.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037207.exe Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037208.dll Object is locked skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP124\A0037209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037736.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037736.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037736.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037736.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037737.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037737.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP126\A0037737.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP127\change.log Object is locked skipped
C:\twg102006\twg\js\ie7-core.js Infected: Trojan-Downloader.JS.Psyme.cm skipped
C:\twg102006\twg\js\ie7-standard-p.js Infected: Trojan-Downloader.JS.Psyme.cm skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TEAM-LAPTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant 56K ACLink Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ismini.exe Infected: Trojan-Downloader.Win32.Zlob.ata skipped
C:\WINDOWS\system32\pspyqewt.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT07baf.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07bcc.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


___________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 7:08:28 AM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\jamielaw\jamielaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3BF96896-024E-4008-93B7-60E0E5451E81} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {c3703265-4671-4858-92a4-cba6a7b3bb45} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\wywjrlcy.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6ABE4BC3-7253-418E-85E8-F334A73154D3} (CSmartClient Object) - http://www.smart-clip.com/activex/SmartClip.cab
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\en46l1hs1.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\mdxex.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winvpv32 - winvpv32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • Local time:08:56 PM

Posted 06 November 2006 - 11:09 AM

Please could you also post the VundoFix log I asked for.
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#6 teamneon

teamneon
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:56 PM

Posted 06 November 2006 - 08:17 PM

Sorry, forgot that one.


VundoFix V6.2.7

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 8:20:46 PM 11/5/2006

Listing files found while scanning....

C:\WINDOWS\system32\lmaxhc.dll
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\nqtss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lmaxhc.dll
C:\WINDOWS\system32\lmaxhc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\sstqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\nqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\nqtss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.tmp
C:\WINDOWS\system32\nqtss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

#7 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • Local time:08:56 PM

Posted 08 November 2006 - 12:48 PM

Hey Teamneon

Update Java:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses, so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 5.0 Update 9). Please install it and then reboot your computer.

Remove the older versions of Java:
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except J2SE Runtime Environment 5.0 Update 9

Look2Me-Destroyer:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt in your next reply.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

SmitFraudFix:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with another Hijackthis log.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#8 teamneon

teamneon
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:56 PM

Posted 11 November 2006 - 09:59 AM

SmitFraudFix v2.120

Scan done at 8:40:21.37, Sat 11/11/2006
Run from C:\Documents and Settings\Jimmy\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS

C:\WINDOWS\drsmartload2.dat FOUND !
C:\WINDOWS\newname.dat FOUND !
C:\WINDOWS\teller2.chk FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Jimmy


C:\Documents and Settings\Jimmy\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\Jimmy\FAVORI~1

C:\DOCUME~1\Jimmy\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files

C:\Program Files\SpyQuake2.com\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End





Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 11/11/2006 8:27:02 AM

Infected! C:\WINDOWS\system32\en46l1hs1.dll
Infected! C:\WINDOWS\system32\mdxex.dll
Infected! C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035880.dll
Infected! C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035887.dll
Infected! C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035927.dll
Infected! C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036974.dll
Infected! C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036977.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035880.dll
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035880.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035887.dll
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035887.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035927.dll
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP120\A0035927.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036974.dll
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036974.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036977.dll
C:\System Volume Information\_restore{F7720FC1-5F2F-4D82-A94C-8B3ACC55F245}\RP121\A0036977.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0F5DDCE1-8F5C-4F61-BCAF-D2B42F58F729}"
HKCR\Clsid\{0F5DDCE1-8F5C-4F61-BCAF-D2B42F58F729}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded




Logfile of HijackThis v1.99.1
Scan saved at 8:55:21 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\jamielaw\jamielaw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3BF96896-024E-4008-93B7-60E0E5451E81} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {c3703265-4671-4858-92a4-cba6a7b3bb45} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\wywjrlcy.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6ABE4BC3-7253-418E-85E8-F334A73154D3} (CSmartClient Object) - http://www.smart-clip.com/activex/SmartClip.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winvpv32 - winvpv32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
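The entry types the helper acts on in this thread (BHOs and Winlogon Notify DLLs marked "file missing", a modified UserInit value, Trusted Zone additions, oddly named Run keys) can be triaged mechanically. The following Python pass is an added example, not part of this thread or of HijackThis itself; its sample lines are constructed from the entry formats seen in these logs, and the KNOWN_NOTIFY allow-list and the flagging heuristics are my own assumptions, not a vendor reference.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input, modelled on the HijackThis 1.99/2.0 entry types in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3BF96896-024E-4008-93B7-60E0E5451E81} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [78e86ae5] rundll32.exe "C:\WINDOWS\system32\wtbnorit.dll",b
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jimmy\Application Data\Microsoft\Windows\rayiou.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jsctwvv.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\mdxex.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed allow-list: Winlogon Notify packages shipped with Windows XP SP2, plus WgaLogon
# (Windows Genuine Advantage). Anything else here loads into winlogon.exe at every logon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"^HK.*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROFILE_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\(Application Data|Local Settings)\\", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _file_missing(body: str) -> bool:
    """HijackThis marks registered components whose file no longer exists."""
    return body.endswith("(file missing)") or body.endswith("(no file)")


def triage_entry(section: str, body: str) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list = nothing flagged)."""
    reasons = []
    if _file_missing(body):
        reasons.append("registered component whose file is absent (left over from removal or a self-deleting loader)")
    if section == "O20" and body.startswith("Winlogon Notify: "):
        name = body[len("Winlogon Notify: "):].split(" - ", 1)[0]
        if name.lower() not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify package '{name}' is not a known Windows component")
    elif section == "F2" and "UserInit=" in body:
        value = body.split("UserInit=", 1)[1]
        programs = [p for p in value.split(",") if p.strip()]
        # The clean value is userinit.exe followed by a trailing comma and nothing else.
        extra = [p for p in programs if not p.lower().endswith(r"\userinit.exe")]
        if extra:
            reasons.append(f"UserInit chains extra program(s) at logon: {', '.join(extra)}")
    elif section == "O15":
        reasons.append("site added to the Internet Explorer Trusted Zone (relaxed security settings)")
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if re.fullmatch(r"[0-9a-f]{8}", name):
                reasons.append(f"Run key name '{name}' looks machine-generated")
            if cmd.lower().startswith("rundll32.exe"):
                reasons.append("Run entry loads a DLL through rundll32.exe")
            if PROFILE_RE.search(cmd):
                reasons.append("Run entry executes from a user profile directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect flagged entries; headers and process paths are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        for reason in triage_entry(section, body):
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Running it prints each flagged entry with its reason; the Java SSVHelper BHO, the WgaLogon notify package and the Zone Labs entries pass without comment.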

#9 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • Local time:08:56 PM

Posted 12 November 2006 - 04:38 PM

Hey teamneon

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

SmitFraudFix:

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

Submit Files:

You have a file (or files) of interest to us. It would help the detection rates of the tools we use if we could get hold of samples of these infections.

1. Go to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=15
2. Copy/paste this into the 'Link to Topic' box: http://www.bleepingcomputer.com/forums/t/70747/hijackthis-log/
3. Copy/paste this into the 'Browser for File' box: C:\WINDOWS\system32\wywjrlcy.dll
4. Let me know if it was successful or not.

Uninstall List:

1. Open Hijackthis and select: Open the Misc Tools section.
2. Then choose: Open Uninstall Manager and click Save List.
3. Save the list to your computer.
4. Then copy the contents of the list back to this thread in your next reply.

#10 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • Local time:08:56 PM

Posted 25 November 2006 - 10:44 AM

Are you still monitoring this thread?

#11 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • Local time:08:56 PM

Posted 29 November 2006 - 04:52 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


#12 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • Local time:08:56 PM

Posted 27 December 2006 - 11:45 AM

Wow! This is a fairly old thread...surprised you didn't start a new one.

Please could you post a hijackthis log and a description of your current situation.

#13 teamneon

teamneon
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:56 PM

Posted 11 December 2007 - 10:15 AM

Updated to HijackThis 2. A coworker downloaded "Mirar" as an IE toolbar and I can't uninstall it; also getting tons of popups.
Here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:10 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ppdrywpr.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Insider\Insider.exe
C:\Documents and Settings\Jimmy\Application Data\WinTouch\WinTouch.exe
C:\Program Files\QdrPack\QdrPack10.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Jimmy\LOCALS~1\Temp\MirarPrefetchor.exe
C:\Documents and Settings\Jimmy\Desktop\jamielaw2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jsctwvv.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D84F655-9500-47FF-9EBE-73E1049860BE} - C:\WINDOWS\system32\ddabb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O2 - BHO: {8bde2feb-95f7-7c59-d124-2ee1a8f7226a} - {a6227f8a-1ee2-421d-95c7-7f59bef2edb8} - C:\WINDOWS\system32\jitwecot.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\awtsrom.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [78e86ae5] rundll32.exe "C:\WINDOWS\system32\wtbnorit.dll",b
O4 - HKLM\..\Run: [niwojico] C:\Program Files\NetMeeting\niwojico77798.exe
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Jimmy\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jimmy\Application Data\Microsoft\Windows\rayiou.exe
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://63.68.169.194/cab/OCXChecker_6100.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_4-2-1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150411648109
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://reports.paychoiceonline.com/pcoreports/arview2.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: wuauclt.dll,wbsys.dll
O20 - Winlogon Notify: awtsrom - C:\WINDOWS\SYSTEM32\awtsrom.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ppdrywpr.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T Internet Security\AT&T Internet Security Demo\rpsupdaterR.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 13490 bytes
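The log above is the kind of thing a helper reads by eye, entry class by entry class: O4 autoruns, O10 Winsock LSPs, O15 Trusted Zone additions, O20 AppInit/Winlogon hooks and O23 services. The script below is an added example of doing that first pass mechanically; it is not HijackThis code and not something from this thread. The sample log inside it is constructed from a handful of lines in the post above, the `KNOWN_NOTIFY` allowlist, the score weights and the "looks generated" name test are assumptions chosen for illustration, and a high score means "look at this first", not "this is malware".

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread: not HijackThis code. The weights, the Winlogon
Notify allowlist and the name heuristic are assumptions, not malware signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jimmy\Application Data\Microsoft\Windows\rayiou.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - AppInit_DLLs: wuauclt.dll,wbsys.dll
O20 - Winlogon Notify: awtsrom - C:\WINDOWS\SYSTEM32\awtsrom.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\ppdrywpr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
"""

# Winlogon Notify subkeys that ship with Windows XP (assumption: a short allowlist).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
USER_PROFILE = re.compile(r"\\(documents and settings|users)\\[^\\]+\\", re.I)
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.I)
EXE_IN_CMD = re.compile(r'"?(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs))', re.I)
LOWER_CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4}")


@dataclass
class Finding:
    score: int
    line: str
    reasons: List[str]


def looks_random(name: str) -> bool:
    """Crude lexical test: a digit wedged between letters, a word with no vowel
    (y counts as a vowel), or four lowercase consonants in a row. All-caps words
    are treated as acronyms and skipped. Expect false hits on abbreviations."""
    if re.search(r"[A-Za-z]\d+[A-Za-z]", name):
        return True
    for word in re.findall(r"[A-Za-z]+", name):
        if word.isupper():
            continue
        if len(word) >= 4 and not re.search(r"[aeiouy]", word, re.I):
            return True
        if LOWER_CONSONANT_RUN.search(word):
            return True
    return False


def stem(path: str) -> str:
    """File name without directory, quotes or extension."""
    name = path.strip('" ').replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0]


def score_line(line: str) -> Tuple[int, List[str]]:
    """Weight one HijackThis line; (0, []) means nothing here caught the eye."""
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if m := re.match(r"O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)", line):
        exe = EXE_IN_CMD.match(m["cmd"])
        path = exe.group(1) if exe else m["cmd"]
        if USER_PROFILE.search(path):
            hit(2, "autorun binary lives under a user profile")
        if looks_random(m["name"]):
            hit(1, f"run value name {m['name']!r} looks generated")
        if looks_random(stem(path)):
            hit(1, f"file name {stem(path)!r} looks generated")
    elif re.match(r"O10 - Unknown file in Winsock LSP: ", line):
        hit(2, "unknown Winsock LSP: deleting the DLL by hand breaks the LSP chain")
    elif re.match(r"O15 - Trusted Zone: ", line):
        hit(2, "site in the IE Trusted Zone runs with relaxed security settings")
    elif m := re.match(r"O20 - AppInit_DLLs: (?P<dlls>.+)", line):
        for dll in m["dlls"].split(","):
            hit(3, f"AppInit DLL {dll.strip()!r} loads into every process that loads user32.dll")
    elif m := re.match(r"O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)", line):
        if m["key"].lower() not in KNOWN_NOTIFY:
            hit(2, f"Winlogon Notify package {m['key']!r} is not a stock XP entry")
            if looks_random(m["key"]):
                hit(1, "notify package name looks generated")
    elif m := re.match(r"O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.+)", line):
        vendor = m["vendor"].strip()
        path = m["path"].replace("(file missing)", "").strip()
        if not vendor:
            hit(2, "service binary carries no company name")
        elif vendor == "Unknown owner":
            hit(1, "HijackThis could not attribute the service binary")
        if score and SYSTEM32.search(path):
            hit(1, "unattributed service binary sits in system32")
        if score and looks_random(stem(path)):
            hit(1, f"service file name {stem(path)!r} looks generated")
        if "(file missing)" in m["path"]:
            reasons.append("binary is missing: orphaned service entry")
    return score, reasons


def triage(log_text: str, min_score: int = 2) -> List[Finding]:
    """Score every distinct line and return those at or above min_score, highest first."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:  # HijackThis prints one O10 line per LSP catalog entry
            continue
        seen.add(line)
        score, reasons = score_line(line)
        if score >= min_score:
            findings.append(Finding(score, line, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run it against a saved log (`triage(open("hijackthis.log").read())`) and it surfaces the AppInit_DLLs line, the vendor-less service in system32, the Winlogon Notify package with a generated-looking name, the autorun under Application Data, the Trusted Zone addition and one entry per unknown LSP, while leaving the ActiveSync and Intel entries alone. The scoring is deliberately structural (where the file lives, whether the binary has a company name, whether a hook loads into every process) rather than signature-based, so it is a prioritisation aid for the manual review the helpers in this forum do, not a replacement for it.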