
I Think I've Got Virtumundo


This topic is locked. 27 replies to this topic.

#1 AlbinoNinjaPenguin


Posted 07 November 2006 - 01:59 PM

Here's my HJT log:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\fpplock.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001}\Update.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\qqzo\qqzom.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\COMMON~1\qqzo\qqzoa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{38CECA43-02B8-1033-0427-040824010001}\888Bar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [qqzo] C:\PROGRA~1\COMMON~1\qqzo\qqzom.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118432931256
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144772420111
O17 - HKLM\System\CCS\Services\Tcpip\..\{49E03FFF-CC38-4C4B-8D57-7A2EF2773DF2}: NameServer = 170.215.184.3 170.215.126.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A01FCD-7272-46DE-8AE5-60EF84D6C0F5}: NameServer = 65.105.188.107
O17 - HKLM\System\CCS\Services\Tcpip\..\{E00140CC-9FC8-4CC1-B2CA-8959461428D3}: NameServer = 65.105.188.107
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\lv0409dqe.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe



#2 htv8


Posted 07 November 2006 - 02:31 PM

Hello AlbinoNinjaPenguin, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8


Posted 07 November 2006 - 04:17 PM

Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

IMPORTANT
It is important that your computer has antivirus software running.
Your log doesn't show any antivirus software running. This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it.
You need to install an antivirus program as soon as you can and run a complete scan of the computer. Please download and install one of these good (and free) products:
- Antivir
- Avast Free
- AVG Free
- Bitdefender Free

Install one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.
NOTE: Never install more than one antivirus program on your system. Several together can cause problems and seriously decrease its reliability.


IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm Free
- Outpost Firewall Free
- Kerio

NOTE: Never install more than one firewall program on your system. Several together can cause problems and seriously decrease its reliability.


Step #1
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can use, and is using, to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (click).

Step #2
You are running HijackThis from the Desktop. Because HijackThis is both for analysis and repair, it is essential that it runs from within its own folder: HijackThis makes backups of the repairs in case there is a need to reverse the procedure, and you are more likely to delete the backups if HijackThis is running from the Desktop. Please move HijackThis.exe into its own directory on the C: drive by following these steps:
1. Navigate to the C: drive using Windows Explorer or My Computer.
2. Right-click in the folder window and select New > Folder.
3. Name the folder "HijackThis" (without the quotation marks).
4. Move HijackThis.exe from the Desktop into the newly created directory.
NOTE: HijackThis.exe is now located in C:\HijackThis.

Step #3
Navigate to C:\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file. Select the Rename option from the right-click menu and rename HijackThis.exe to fluffywhiterabbit.exe and press Enter.

Step #4
Please provide me an uninstall list by performing these instructions:
1. Open HijackThis (fluffywhiterabbit.exe).
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button at the top of the screen.
4. Click on the button labelled "Open Uninstall Manager...". You'll see a list of currently installed programs.
5. Click on the button labelled "Save list..." and specify where you would like to save the uninstall list.

When you press the Save button, Notepad will open up with the contents of that file. Copy and paste the contents of that Notepad file as a reply to this topic.

Step #5
Scan with HijackThis (fluffywhiterabbit.exe) again and post a new HijackThis log (together with the uninstall list). Please make sure you include ALL of the HijackThis log in your next reply as I am missing very important information about your Operating System in the current one! Copy and paste ALL the contents of the Notepad window HijackThis opens as a reply to this post (including the header information).
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#4 AlbinoNinjaPenguin


Posted 07 November 2006 - 05:24 PM

AVG detected 203 trojans... It's trying to heal them; should I delete them or let that continue?

#5 AlbinoNinjaPenguin


Posted 07 November 2006 - 07:20 PM

I did everything you said. Here's what you asked for:

3Com Mini PCI 56K Modem
ABC (remove only)
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 7.0
Adobe Shockwave Player
Ahead Nero Burning ROM
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AVG Free Edition
Azureus
DivX
DivX Converter
DivX Player
DivX Web Player
Folder Password Expert 2.1
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 9
LimeWire 4.12.6
Mercury
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Works 7.0
Mozilla Firefox (1.5.0.7)
Nintendo Wi-Fi USB Connector Registration Tool
Palm Desktop
PhanTim3
PowerDVD
S3 Gamma Utility
S3DuoVue Utility
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Soldat 1.3.1
SoulSeek Client 156c
TargetSaver
ThinkPad Power Management Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtual Game Gear
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Messenger
ZoneAlarm

Logfile of HijackThis v1.99.1
Scan saved at 7:16:35 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\fpplock.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001}\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe
C:\HijackThis\fluffywhiterabbit.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118432931256
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144772420111
O17 - HKLM\System\CCS\Services\Tcpip\..\{49E03FFF-CC38-4C4B-8D57-7A2EF2773DF2}: NameServer = 170.215.184.3 170.215.126.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A01FCD-7272-46DE-8AE5-60EF84D6C0F5}: NameServer = 65.105.188.107
O17 - HKLM\System\CCS\Services\Tcpip\..\{E00140CC-9FC8-4CC1-B2CA-8959461428D3}: NameServer = 65.105.188.107
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: DIFxApp - C:\WINDOWS\system32\fplm0331e.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 htv8


Posted 08 November 2006 - 02:09 AM

After a more in-depth look at your log I spotted a pretty nasty piece of malware that is installed on your computer: a bot worm. In short, this piece of malware allows hackers to remotely control your computer, steal critical system information and download and execute files.

IMPORTANT
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?.


Though the bot has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and reinstall of the OS. This is something I don't like to recommend normally, but it is the best solution for your safety. For more information, please read this reference very carefully: When should I re-format? How should I reinstall?.
If you choose to format and reinstall, see this link for instructions: Reformat Hard Drive FAQ for Windows 95/98/Me/XP.

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you disinfect your PC, but you must understand that once a machine has been taken over by this type of malware, it can never be declared clean.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
Below are some more links that could help you decide what to do.

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
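Helpers like htv8 read a HijackThis log by looking for a few recurring patterns: Run entries that name a bare executable with no path, toolbars or updaters living in GUID-named folders under Common Files, Winlogon Notify DLLs outside the known set, orphaned entries marked "(no file)", and adapter DNS servers that need confirming against the ISP. The Python script below, added here as an example and not part of the thread or of HijackThis, parses a constructed log fragment modelled on the entries posted above and lists the lines a helper would ask about. The allow-list and the heuristics are assumptions made for the example, and a flag means "review", not "malware": fpplock.exe, for instance, belongs to the Folder Password Expert program the poster later confirms he installed himself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format, modelled on entries posted in this
# thread; it is a fragment assembled for the example, not one of the full logs.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{38CECA43-02B8-1033-0427-040824010001}\888Bar.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: taskmgr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A01FCD-7272-46DE-8AE5-60EF84D6C0F5}: NameServer = 65.105.188.107
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\lv0409dqe.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A path component that is nothing but a GUID, e.g. ...\Common Files\{38CECA43-...}\...
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\")
# Assumed allow-list of Winlogon Notify DLLs; extend it for your own environment.
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry deserves a second look
    line: str    # the original log line


def run_value(body: str) -> str:
    """Strip the location prefix and [name] tag from an O4 entry body."""
    _, _, rest = body.partition(": ")
    if rest.startswith("["):
        rest = rest.split("] ", 1)[1]
    if " = " in rest:  # Startup-folder shortcuts look like "X.lnk = path"
        rest = rest.split(" = ", 1)[1]
    return rest


def executable_path(spec: str) -> str:
    """Return the program path from a Run value, dropping quotes and arguments."""
    spec = spec.strip()
    if spec.startswith('"'):
        return spec[1:].split('"', 1)[0]
    m = re.match(r".*?\.(?:exe|dll|scr|com)\b", spec, re.IGNORECASE)
    return m.group(0) if m else spec


def triage(log_text: str) -> list[Finding]:
    """Return the entries a log helper would ask about, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if body.endswith("(no file)"):
            findings.append(Finding(code, "orphaned entry: the referenced file is missing", line))
        elif code == "O4":
            path = executable_path(run_value(body))
            if "\\" not in path:
                findings.append(Finding(code, f"bare filename {path!r}: locate the file and check its publisher", line))
            elif GUID_DIR_RE.search(path):
                findings.append(Finding(code, "program lives in a GUID-named folder: check what installed it", line))
        elif code == "O3":
            path = body.rsplit(" - ", 1)[-1]
            if GUID_DIR_RE.search(path):
                findings.append(Finding(code, "toolbar lives in a GUID-named folder: check what installed it", line))
        elif code == "O17":
            servers = body.split("NameServer = ", 1)[1].split()
            findings.append(Finding(code, f"adapter DNS set to {servers}: confirm these belong to your ISP", line))
        elif code == "O20":
            dll = body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(code, f"Winlogon Notify DLL {dll!r} not on the allow-list: check its publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it flags eight of the eleven lines and leaves the IntelliPoint, HotSync and WgaLogon entries alone; the real decision on each flagged line still rests on checking the file on disk, which is exactly what the helper's later questions in this thread do.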


#7 AlbinoNinjaPenguin


Posted 08 November 2006 - 08:16 AM

Thankfully I don't use my laptop for finances or anything, though my mom sometimes does order something over the internet via credit card. My dad recently purchased me a Dell desktop last year, but my mom needed a computer so I got a laptop. Since I don't ever use any credit cards or anything on my computer I'm not too worried about money being stolen, but I would have to warn my mom about not using it anymore for ordering anything.

I do have all the drivers to reinstall on here if I do format, but I think I'm going to just try to clean it up. If that doesn't work then in the end I'll just format it.

#8 AlbinoNinjaPenguin


Posted 08 November 2006 - 10:02 PM

There's one more symptom my computer has that I forgot to tell you about. Whenever I connect to the internet, after about thirty seconds the desktop turns pure white. I can change the wallpaper to something else, but within about thirty more seconds it'll change back to white.

I still want to try to get rid of the bot worm and the popup virus.

#9 htv8


Posted 09 November 2006 - 02:03 AM

OK. Let's clean your machine. :thumbsup:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Please download ATF Cleaner from the link below, but do not use the program yet.
Download ATF Cleaner

Step #2
Go to Control Panel > Add/Remove Programs and uninstall TargetSaver if listed. This program is bad.

I see Viewpoint installed. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. This will change from what we know in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint.
I suggest removing this program. If you agree, go to Control Panel > Add/Remove Programs and remove the following entries if present:
Viewpoint Manager (Remove Only)
Viewpoint Media Player


You most likely got infected through file sharing. The following P2P/File Sharing (related) programs are installed on your machine:
ABC (remove only)
Azureus
LimeWire 4.12.6
SoulSeek Client 156c


These programs are what we call optional fixes. They are related to peer-to-peer programs. However, anytime you are running any type of P2P application, you are more prone to infection by malware. The choice to remove it is entirely up to you, but I would strongly recommend that you get rid of it by going to Control Panel > Add/Remove Programs. If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #3
You have a Look2Me infection. Download Look2Me-Destroyer.exe to get rid of it.
Download Look2Me-Destroyer.exe

Once downloaded, please perform these instructions:
1. Close all windows so that you have nothing open and are on the Desktop.
2. Double-click the Look2Me-Destroyer.exe file to run the program.
3. When the program is loaded place a checkmark in the checkbox labelled "Run this program as a task."
4. You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click the OK button.
5. When Look2Me-Destroyer.exe reopens, click on the button labelled "Scan for L2M".
NOTE: Desktop icons will disappear. This is normal.
6. Once it's done scanning, click the button labelled "Remove L2M".
7. You will receive a message saying Look2Me-Destroyer is done scanning. Click OK.
8. When completed, you will receive a message like in the QUOTE box below. Click OK.

Done removing infected files! Look2Me-Destroyer will now shutdown your computer

9. Turn your computer back on once it is shut down.
10. Please post the contents of C:\Look2Me-Destroyer.txt as a reply to this topic.

NOTES:
If Look2Me-Destroyer does not re-open automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the Internet, please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\WINDOWS\system32 directory.
Download MSWINSCK.OCX

Step #4
Scan again with HijackThis. Put a checkmark by this entry if it is present, double-checking to be sure that only this entry is checked:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

If you uninstalled Viewpoint, please put a checkmark by this entry as well if it is present:
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #5
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button, then press the OK button and close My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following directories (do not be concerned if they do not exist):
C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001} <-- this folder
C:\Program Files\TargetSaver <-- this folder

If you uninstalled Viewpoint, please delete this folder as well if it is present:
C:\Program Files\Viewpoint <-- this folder

Step #6
You downloaded ATF Cleaner before. When still in Safe Mode, please follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program. Reboot your computer back into normal mode.

Step #7
Please download Silent Runners.zip from the download link below and save it to your Desktop.
Download Silent Runners.zip

Once it is downloaded, extract the ZIP file to a new folder on your Desktop. Run the Silent Runners.vbs file inside it by double-clicking on it.
NOTE: If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it.

Once launched, you will receive a prompt: "Skip supplementary searches?". Click the No button. A text file will appear in the Silent Runners folder. Silent Runners is not done yet, so please let it run (it won't appear to be doing anything!). Once you receive the "All Done!" prompt, open the text file and post the entire contents of that text file in your next reply.

Step #8
Please post back with the following:
- the contents of C:\Look2Me-Destroyer.txt
- the Silent Runners text file
- a new HijackThis log

One more question: did you install the Folder Password Expert software by ZQS Software Team - a software program to restrict access to the folders that contain your sensitive data - yourself?
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#10 AlbinoNinjaPenguin (Topic Starter)

Posted 09 November 2006 - 11:19 AM

My desktop is normal again, thank you. Popups are gone as well. :thumbsup: Yes, I did install that folder lock program myself, is there a problem with that?

EDIT: Nevermind about the popups and desktop returning to normal. Right when I posted this I got two popups and a white desktop. I hope you have more stuff for me to do.

Logfile of HijackThis v1.99.1
Scan saved at 10:27:35 AM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\fpplock.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001}\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\fluffywhiterabbit.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118432931256
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144772420111
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A01FCD-7272-46DE-8AE5-60EF84D6C0F5}: NameServer = 65.105.188.107
O17 - HKLM\System\CCS\Services\Tcpip\..\{E00140CC-9FC8-4CC1-B2CA-8959461428D3}: NameServer = 65.105.188.107
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 11/9/2006 10:17:03 AM

Infected! C:\WINDOWS\system32\fplm0331e.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026094.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026110.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026111.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026238.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026250.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026340.dll
Infected! C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026341.dll
Infected! C:\WINDOWS\system32\fp2603fse.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026094.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026094.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026110.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026110.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026111.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0026111.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026238.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026238.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026250.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026250.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026340.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026340.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026341.dll
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026341.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp2603fse.dll
C:\WINDOWS\system32\fp2603fse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53118155-0CA7-4501-8D17-4E58A243F76B}"
HKCR\Clsid\{53118155-0CA7-4501-8D17-4E58A243F76B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{A8CECA43-02B8-1033-0427-040824010001}" = ""C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001}\Update.exe" mc-110-12-0000140" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Aim6" = "*i" (unwritable string) [file not found]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HostManager" = "C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe" ["America Online, Inc."]
"IPHSend" = "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" ["America Online, Inc."]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"Warning: do not remove it!" = "fpplock.exe" ["ZQS Software Team"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0787.00.dll" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "C:\Program Files\Online Services\kyzesepu.html"
"SubscribedURL" = ""

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"FriendlyName" = ""
"Source" = "C:\Program Files\MSN Gaming Zone\howy.html"
"SubscribedURL" = ""


Startup items in "user" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\user\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Sony Handheld\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"At1" -> launches: "C:\DOCUME~1\user\Desktop\Look2Me-Destroyer.exe /task" ["Atribune.org"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
ThinkPad PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" ["Lenovo."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 58 seconds.
---------- (total run time: 139 seconds)

Edited by AlbinoNinjaPenguin, 09 November 2006 - 11:29 AM.


#11 AlbinoNinjaPenguin (Topic Starter)

Posted 09 November 2006 - 10:25 PM

Here's an update: My desktop turned back to normal after about half an hour and the popups stopped. About an hour ago the desktop turned white again, but I changed the wallpaper and it went back to normal. I didn't do anything for my computer to go back to normal, so I'm not sure how it happened. Any ideas?

#12 htv8 (Location: The Netherlands)

Posted 10 November 2006 - 01:29 AM

My desktop is normal again, thank you. Popups are gone as well. :thumbsup:

Great! :flowers:

Yes, I did install that folder lock program myself, is there a problem with that?

No, because you installed the program yourself, there is no problem with it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Download Combofix from the link below.
Download combofix.exe

Once downloaded, double-click combofix.exe and follow the on-screen prompts.
NOTE: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall!

When finished, it shall produce a log for you. Post that log in your next reply.

Step #2
Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5.

Now reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, as it may interfere with the scanning process.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware.
8. Reboot your computer to boot back into normal mode.

Please post the entire contents of the saved text file in your next reply.

Step #3
Your Desktop has been hijacked. Please follow these instructions to get rid of the Desktop hijacker:
1. Close all windows so that you have nothing open and are on the Desktop.
2. Go to Start > Control Panel.
3. Open Display Properties.
4. Click the Desktop tab.
5. Click the Customize Desktop... button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck and delete all web items you find in here (except the My Current Home Page entry if listed).

Step #4
Scan again with HijackThis. Put a checkmark by this entry if it is present, double-checking to be sure that only this entry is checked:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #5
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Now reboot your computer into Safe Mode again - see instructions above - and delete the following file (do not be concerned if it does not exist):
C:\Program Files\Online Services\kyzesepu.html

Reboot to boot back into normal mode.

Step #6
Scan with HijackThis again and post a new HijackThis log, together with the Combofix log and the AVG Anti-Spyware text file.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

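The indicators htv8 works through in this thread (an Active Desktop web component pointing at a local .html file, an autorun entry launching from a GUID-named Common Files folder, an orphaned R3 URLSearchHook, and a Run-key value that is a bare file name) can be triaged mechanically from the log lines HijackThis and Silent Runners produce. The script below is an added example for this page, not code from HijackThis, Silent Runners, ComboFix or the helper. The sample lines are constructed from entries quoted in the posts above (the GUID-folder line is rebuilt in HijackThis's O4 format from the Silent Runners Policies\Explorer\Run entry), and the rule names and the DNS allowlist are assumptions. The O17 NameServer is reported only because it is absent from the allowlist passed in; the thread itself does not say whether 65.105.188.107 is the ISP's resolver, so the finding asks for verification rather than removal.

```python
"""Triage of HijackThis / Silent Runners style log lines.

Added example for this thread; not code from HijackThis, Silent Runners
or the helper. The sample lines are constructed from entries quoted in
the posts; rule names and the DNS allowlist are assumptions.
"""
import re
from typing import Dict, FrozenSet, List

# A 36-character GUID in braces, e.g. {A8CECA43-02B8-1033-0427-040824010001}
GUID = (r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
        r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
GUID_DIR_RE = re.compile(r"\\Common Files\\" + GUID + r"\\", re.I)

# HijackThis line shapes, reduced to the fields this triage needs
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w\\]+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - " + GUID +
                   r" - (?P<path>.+)$")
# Silent Runners "Active Desktop web content" lines
SOURCE_RE = re.compile(r'^\s*"Source" = "(?P<src>[^"]*)"')

# Constructed sample, assembled from entries quoted in the thread
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKCU\..\Policies\Explorer\Run: [{A8CECA43-02B8-1033-0427-040824010001}] "C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001}\Update.exe" mc-110-12-0000140
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A01FCD-7272-46DE-8AE5-60EF84D6C0F5}: NameServer = 65.105.188.107
"Source" = "C:\Program Files\Online Services\kyzesepu.html"
"Source" = "About:Home"
"""


def exe_path(cmd: str) -> str:
    """Return the image path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|vbs|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str,
           dns_allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """One finding per suspicious line: rule name, the line, and why it fired."""
    findings: List[Dict[str, str]] = []

    def add(rule: str, line: str, reason: str) -> None:
        findings.append({"rule": rule, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := R3_RE.match(line)) and m.group("path").strip() == "(no file)":
            add("orphaned-urlsearchhook", line,
                "URLSearchHook CLSID points at a missing DLL; fix it in HijackThis")
            continue
        if m := O4_RE.match(line):
            path = exe_path(m.group("cmd"))
            if GUID_DIR_RE.search(path):
                add("run-key-guid-dir", line,
                    "autorun from a GUID-named Common Files folder; the thread treats these as removal targets")
            elif "\\" not in path:
                add("run-key-bare-filename", line,
                    "bare file name is resolved via the search path; confirm which file actually runs")
            continue
        if m := O17_RE.match(line):
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            unknown = [s for s in servers if s not in dns_allowlist]
            if unknown:
                add("dns-not-in-allowlist", line,
                    "static NameServer " + ", ".join(unknown) + " is not an expected resolver; verify with the ISP")
            continue
        if (m := SOURCE_RE.match(line)) and m.group("src").lower() != "about:home":
            add("active-desktop-component", line,
                "Active Desktop web item other than My Current Home Page; this is what paints the hijacked desktop")
    return findings


if __name__ == "__main__":
    # Assumed allowlist: replace with the resolvers your ISP or router hands out
    for f in triage(SAMPLE_LOG, frozenset({"192.168.1.1"})):
        print(f"[{f['rule']}] {f['line']}\n    {f['reason']}")
```

Run against the sample it reports five lines and leaves point32.exe and About:Home alone. The bare-filename rule fires on fpplock.exe, which the topic starter confirmed installing; that is the intended behaviour, since the rule asks for confirmation of the resolved file rather than recommending removal.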

#13 AlbinoNinjaPenguin (Topic Starter)

Posted 10 November 2006 - 12:24 PM

user - 06-11-10 10:12:08.35 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\user\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tsuninst.exe
C:\Program Files\Online Services\kyzesepu.html
C:\Program Files\MSN Gaming Zone\howy.html
C:\Program Files\Inetget2
C:\Program Files\Common Files\{38CECA43-02B8-1033-0427-040824010001}


((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))


2006-11-07 15:46 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-07 15:46 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-07 15:46 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-07 15:46 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-07 15:46 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-07 15:45 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-07 11:52 43,507 --a------ C:\WINDOWS\v1201.exe
2006-11-07 11:44 24,576 --a------ C:\WINDOWS\system32\dr.exe
2006-11-07 11:44 204 --a------ C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
2006-11-07 11:43 115,642 --a------ C:\WINDOWS\system32\install.exe
2006-11-07 11:42 32,768 --a------ C:\WINDOWS\system32\setup9X.exe
2006-11-07 11:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-10 10:12 -------- d-------- C:\Program Files\Online Services
2006-11-10 10:12 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-10 10:12 -------- d-------- C:\Program Files\Common Files
2006-11-10 10:07 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-10 10:03 -------- d-------- C:\Documents and Settings\user\Application Data\Azureus
2006-11-09 23:48 -------- d-------- C:\Program Files\Soulseek
2006-11-09 20:51 -------- d---s---- C:\Documents and Settings\user\Application Data\Microsoft
2006-11-09 20:51 -------- d-------- C:\Documents and Settings\user\Application Data\Ventrilo
2006-11-09 20:42 -------- d-------- C:\Program Files\VentSrv
2006-11-09 20:42 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-09 20:09 -------- d-------- C:\Program Files\Ventrilo
2006-11-09 20:09 -------- d-------- C:\Program Files\MAIET
2006-11-09 11:31 -------- d-------- C:\Documents and Settings\user\Application Data\AVG7
2006-11-08 10:06 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-07 20:44 -------- d-------- C:\Program Files\AIM
2006-11-07 19:03 -------- d-------- C:\Program Files\Java
2006-11-07 19:01 -------- d-------- C:\Program Files\Common Files\Java
2006-11-07 18:14 -------- d-------- C:\Program Files\Zone Labs
2006-11-07 15:45 -------- d-------- C:\Program Files\Grisoft
2006-11-07 14:42 -------- d-------- C:\Program Files\Accessdiver
2006-11-07 12:56 -------- d-------- C:\Program Files\Lavasoft
2006-11-07 12:56 -------- d-------- C:\Documents and Settings\user\Application Data\Lavasoft
2006-11-07 11:54 517 --a------ C:\Program Files\Common Files\hore
2006-11-03 22:54 -------- d-------- C:\Program Files\WinRAR
2006-11-02 21:21 -------- d-------- C:\Program Files\Azureus
2006-10-26 12:01 -------- d-------- C:\Program Files\Furcadia
2006-10-26 11:56 -------- d-------- C:\Program Files\Winamp
2006-10-26 11:56 -------- d-------- C:\Program Files\Liatro
2006-09-30 21:18 -------- d-------- C:\Program Files\MSN Messenger
2006-09-30 21:18 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-09-30 10:19 -------- d-------- C:\Program Files\PhanTim3
2006-09-22 15:35 -------- d-------- C:\Documents and Settings\user\Application Data\Aim
2006-09-22 15:34 -------- d-------- C:\Program Files\AOD
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-11 14:51 -------- d-------- C:\Program Files\Sony Handheld
2006-09-10 23:34 -------- d-------- C:\Documents and Settings\user\Application Data\Help
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 22:47 129784 --------- C:\WINDOWS\system32\pxafs.dll
2006-08-24 22:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1151860565\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Warning: do not remove it!"="fpplock.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\kyzesepu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061109-102938-465
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: 06-11-10 10:13:47.92
C:\ComboFix.txt ... 06-11-10 10:13


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:47:52 AM 11/10/2006

+ Scan result:



C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP138\A0026561.exe -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP139\A0026943.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP139\A0026877.dll -> Adware.TargetServer : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0025902.exe -> Backdoor.IRCBot.dd : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026227.exe -> Backdoor.IRCBot.dd : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026229.exe -> Backdoor.IRCBot.dd : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026230.exe -> Backdoor.IRCBot.dd : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP136\A0025904.exe -> Downloader.Small.ajc : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026231.dll -> Downloader.Small.ctp : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026234.exe -> Downloader.TSUpdate.f : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026232.exe -> Downloader.TSUpdate.l : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026226.exe -> Downloader.TSUpdate.n : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026233.exe -> Downloader.TSUpdate.r : Cleaned.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\U1TQ7E5C\popup[1].htm -> Hijacker.Agent.a : Cleaned.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\V71NB1WO\popup[1].htm -> Hijacker.Agent.a : Cleaned.
C:\WINDOWS\v1201.exe -> Hijacker.Small : Cleaned.
C:\System Volume Information\_restore{805EBE92-3C41-40F3-9EE5-85FCBC8FD06A}\RP137\A0026235.exe -> Hijacker.Small.jf : Cleaned.
C:\Documents and Settings\user\My Documents\package\john-16d.zip/JOHN-16/RUN/JOHN-K6.ZIP/JOHN.BIN -> Not-A-Virus.HackTool.Win32.John : Cleaned.
C:\Documents and Settings\user\My Documents\package\john-16d.zip/JOHN-16/RUN/JOHN-MMX.ZIP/JOHN.BIN -> Not-A-Virus.HackTool.Win32.John : Cleaned.
C:\Documents and Settings\user\My Documents\package\john-16d.zip/JOHN-16/RUN/JOHN.BIN -> Not-A-Virus.HackTool.Win32.John : Cleaned.
C:\Documents and Settings\user\My Documents\package\john-16d\JOHN-16\RUN\JOHN-K6.ZIP/JOHN.BIN -> Not-A-Virus.HackTool.Win32.John : Cleaned.
C:\Documents and Settings\user\My Documents\package\john-16d\JOHN-16\RUN\JOHN-MMX.ZIP/JOHN.BIN -> Not-A-Virus.HackTool.Win32.John : Cleaned.
C:\Documents and Settings\user\My Documents\package\john-16d\JOHN-16\RUN\JOHN.BIN -> Not-A-Virus.HackTool.Win32.John : Cleaned.
C:\Documents and Settings\user\Cookies\user@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\user\Cookies\user@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\user\Cookies\user@entrepreneur.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\user\Cookies\user@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\user\Cookies\user@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\user\Cookies\user@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\user\Cookies\user@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\user\Cookies\user@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\user\Cookies\user@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\user\Cookies\user@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\user\Cookies\user@data.coremetrics[2].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\user\Cookies\user@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\user\Cookies\user@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\user\Cookies\user@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@ehg-maniatv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\user\Cookies\user@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\user\Cookies\user@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\user\Cookies\user@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\user\Cookies\user@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\user\Cookies\user@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\user\Cookies\user@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\user\Cookies\user@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\user\Cookies\user@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\user\Cookies\user@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\user\Cookies\user@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\user\Cookies\user@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\user\Cookies\user@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\user\Cookies\user@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\user\Cookies\user@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\user\Cookies\user@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\user\Cookies\user@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\user\Cookies\user@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\user\Cookies\user@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\user@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\user@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 12:19:23 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\fpplock.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\fluffywhiterabbit.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118432931256
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144772420111
O17 - HKLM\System\CCS\Services\Tcpip\..\{49E03FFF-CC38-4C4B-8D57-7A2EF2773DF2}: NameServer = 170.215.184.3 170.215.126.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A01FCD-7272-46DE-8AE5-60EF84D6C0F5}: NameServer = 65.105.188.107
O17 - HKLM\System\CCS\Services\Tcpip\..\{E00140CC-9FC8-4CC1-B2CA-8959461428D3}: NameServer = 65.105.188.107
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:50 AM

Posted 12 November 2006 - 03:30 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Go to Control Panel > Add/Remove Programs and uninstall Accessdiver if listed (do not be concerned if it is not present).

Step #2
Go to Start > Run and copy/paste the following line in the Run field, followed by pressing the Enter key after it:
regsvr32 /u C:\WINDOWS\system32\vbzip10.dll

Step #3
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shut down My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode again. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files or directories (do not be concerned if they do not exist):
C:\WINDOWS\v1201.exe
C:\WINDOWS\system32\dr.exe
C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\setup9X.exe
C:\WINDOWS\system32\vbzip10.dll
C:\Program Files\Common Files\hore <-- this folder
C:\Program Files\Accessdiver <-- this folder
C:\Program Files\Common Files\accessdiver.lnk
C:\Documents and Settings\user\Desktop\accessdiver.lnk
C:\Program Files\Common Files\accessdiver <-- this folder

Reboot your computer to boot back into normal mode.

Step #4
I want you to back up the registry, because we are going to make a few changes to it. To export the registry to a .reg file, please follow these steps:
1. Close all programs so that you have nothing open and are at the Desktop.
2. Go to Start > Run.
3. In the Run field copy/paste the entire contents inside the QUOTE box below and press the OK button.

regedit /e registry.reg

Now that a secure backup copy has been made, copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as remove.reg (save as type: All files) to the Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Uninstall\accessdiver 4.6_is1]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"

Go to the Desktop and double-click remove.reg. When prompted to merge its contents to the registry, click the Yes button.

Step #5
Now please run one of these two free online virus scanners and make sure they are set to clean automatically:
- Panda Software: Antivirus ActiveScan
- Trend Micro's HouseCall online virus scan

You should try to delete any files that these scanners are unable to clean. Then let me know if it's working better and what the scans found.

Step #6
Please download F-Secure Blacklight from the download link below.
Download F-Secure Blacklight

Once downloaded, move blbeta.exe into its own directory on the C: drive.

Now please perform these instructions to run F-Secure Blacklight:
1. Double-click on the blbeta.exe file to start F-Secure Blacklight.
2. In the upcoming screen, check the checkbox labelled "I accept the agreement" and press the Next button.
3. Next, press the Scan button.
4. Once the scanning procedure is done, click on the Next button, followed by clicking on the Exit button.
5. Navigate to the folder in which blbeta.exe is located using My Computer or Windows Explorer and open the Notepad file in it.
6. Post the entire contents of that log as a reply to this post.
NOTE: Do not fix anything with F-Secure Blacklight. Files found may be legitimate!

Step #7
Scan with HijackThis again and post a new HijackThis log, together with the F-Secure Blacklight log file.
Let me know how your computer is running now.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

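As an added illustration (not part of the thread, and not htv8's or ComboFix's code), a small Python triage of a ComboFix-style "Reg Loading Points" export, run over a constructed sample that mirrors entries from the log above. It flags the Active Desktop component whose Source is a local .html file, the hijack Step #4 resets by hand, and any Run value whose image is a bare file name with no path; both are review items for a helper to look at, not verdicts.

```python
"""Triage a ComboFix-style 'Reg Loading Points' export (added example).

Flags Run values whose image is a bare file name (resolved through the
search path, so the file is not pinned to a location) and Active Desktop
components whose Source is a local .html file instead of About:Home, the
hijack that Step #4 above resets by hand. Hits are review items, not verdicts.
"""
import re

# Constructed sample in REGEDIT4 syntax, mirroring entries from the posted log.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Warning: do not remove it!"="fpplock.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\kyzesepu.html"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\key]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')     # "name"=data
COMPONENT_RE = re.compile(r'\\desktop\\components\\(\d+)$')

def unescape_reg_string(raw):
    """Decode a REGEDIT4 quoted string value; return None for dword/hex data."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r'\\(.)', r'\1', raw[1:-1])   # \\ -> \ and \" -> "

def parse_export(text):
    """Yield (key, value_name, decoded_string) for every string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            decoded = unescape_reg_string(m.group(2))
            if decoded is not None:
                yield key, m.group(1), decoded

def command_image(command):
    """Return the executable part of a Run command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]

def triage(text):
    """Return (rule, where, detail) review items found in the export text."""
    findings = []
    for key, name, value in parse_export(text):
        lowered = key.lower()
        if lowered.endswith(r'\currentversion\run'):
            image = command_image(value)
            if '\\' not in image:           # no directory: resolved via the search path
                findings.append(('bare-run-image', name, image))
            continue
        m = COMPONENT_RE.search(lowered)
        if m and name.lower() == 'source':
            src = value.lower()
            if src.endswith('.html') and not src.startswith('about:'):
                findings.append(('local-html-desktop-component', m.group(1), value))
    return findings
```

Running `triage(SAMPLE_EXPORT)` returns the bare `fpplock.exe` Run value and component 0 pointing at kyzesepu.html; component 2 (About:Home) and the fully pathed entries are left alone.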

#15 AlbinoNinjaPenguin

AlbinoNinjaPenguin
  • Topic Starter

  • Members
  • 15 posts
  • Local time:06:50 PM

Posted 12 November 2006 - 05:38 PM

When I put this: 'regsvr32 /u C:\WINDOWS\system32\vbzip10.dll' into the window that popped up after going into 'Start' and clicking on 'Run', it didn't work. Here's what it said:


"C:\WINDOWS\system32\vbzip10.dll was not loading, but the DllUnregisterServer entry point was not found.

This file can not be registered."



