Kena Spyware - Wallpaper Changed / Many Popups / Pissing Me Off


This topic is locked
16 replies to this topic

#1 xia0pr1nce

Posted 08 November 2006 - 11:26 PM

Hey guys!!! Your forum looks cool, man. I'm new to this forum and I hope that you guys can really make my stay enjoyable...

I've got this real major problem right now, man....

I don't know how I contracted all this spyware crap, but when I turned on my computer one day to surf my Friendster and forums, I got all these rubbish popups of poker and making love, backgrounds and "who's hotter, Saddam or Osama"... There are some popping up now... It's really irritating and it's getting on my nerves... I was playing DotA and after that I went back to the desktop and there were like 30+ internet browsers!!!

Interestingly, my internet browser (Firefox) is not slowed down... so I can still download and surf. Hey, btw, when I download stuff with my Firefox, the downloads don't show up in the download list. It appears empty, but after some while I found the file on my desktop (I clicked "Save to Disk"). Oh, never mind, that's a minor problem, but I suspect it's spyware related.

Oh, and another problem is that my desktop is screwed up. I can't enable drop shadows for my icons despite all the disabling of web icons/Active Desktop etc. Please help. AND my wallpaper is screwed up too. It's just plain white. Interestingly, it has some kind of textbox at the top left corner, and you can scroll up and down. But who cares... I want my wallpaper back!!! I pushed F5 and it came back, but 1 second later it changed back to that bloody old piece of crappy white wallpaper. Man, I tell you, it sure looks weird. I hate it. If only I could post a pic of it up here. Oh well.

Let's get back to the topic. Then I went to do all the spyware scans. I tried the latest updates of
Ad-Aware,
Spybot S&D,
AVG free version,
Killbox,
CWS Shredder thing,
Look2MeDestroyer -----> when I push Scan, the computer died and a blue screen appeared and it restarted.

to bump off the virus. You will be glad to know that they found a couple of crap, but those spywares aren't giving up. They are back after a restart. Dang it, man. You can take a look at the scan logs below.

Oh, and not to forget HijackThis. Take a look at it below.

Now this piece of crappy spyware is really getting on my nerves. Oh, and btw, I can't get into Safe Mode. When I clicked my user (which is really huge), the comp just died (and I saw the blue screen of death) and it restarted. Damn! But I could get into VGA mode. Is there any difference?

PLEASE help this newbie right here. I apologise for all my crappy ramblings and long post, but I'd really appreciate it if we can drill off these pieces of crappy spyware in my comp right now!!!

***HIJACK-THIS SCAN LOG***
Logfile of HijackThis v1.99.1
Scan saved at 12:02:22 PM, on 11/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\program files\hamachi\hamachi.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dotaportal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66911D7A-E724-40FF-8113-8D5E103A6CB5} - C:\Program Files\WinRAR\tego.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hamachi Startup] c:\program files\hamachi\hamachi.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF50A6C1-37F3-4B85-8E7E-643C57B71106}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe




***AD-AWARE SCAN LOG***
Adware.DollarRevenue Object Recognized!
Type : File
Data : backup-20061109-082712-638.dll
TAC Rating : 10
Category : Adware
Comment :
Object : C:\Documents and Settings\Andrew\Local Settings\Temp\Rar$EX00.500\backups\
FileVersion : 1, 0, 0, 272
ProductVersion : 1, 0, 0, 1
ProductName : Deskbar
CompanyName : Deskbar
FileDescription : Deskbar
InternalName : Deskbar
LegalCopyright : Copyright 2001-2003. All rights reserved.
OriginalFilename : deskbar.dll


iSearch Toolbar Object Recognized!
Type : File
Data : temp.frE7AC
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\Madeline\Local Settings\Temp\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


CmdServices Object Recognized!
Type : File
Data : cmdinst.exe
TAC Rating : 4
Category : Adware
Comment :
Object : C:\Documents and Settings\Madeline\Local Settings\Temp\
FileVersion : 1.0.1
CompanyName :
FileDescription : Command Desktop Setup
LegalCopyright :
Comments : This installation was built with Inno Setup: http://www.innosetup.com


CmdServices Object Recognized!
Type : File
Data : installer[1].exe
TAC Rating : 4
Category : Adware
Comment :
Object : C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\VIZB8XU4\
FileVersion : 1.0.1
CompanyName :
FileDescription : Command Desktop Setup
LegalCopyright :
Comments : This installation was built with Inno Setup: http://www.innosetup.com


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@revenue[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@revenue[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@ads.addynamix[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@ads.addynamix[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@doubleclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@tribalfusion[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@zedo[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@zedo[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@c5.zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@c5.zedo[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@trafficmp[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@trafficmp[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@fastclick[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : madeline@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Madeline\Cookies\madeline@casalemedia[2].txt

Adware.DollarRevenue Object Recognized!
Type : File
Data : deskbar.dll
TAC Rating : 10
Category : Adware
Comment :
Object : C:\Program Files\Deskbar\
FileVersion : 1, 0, 0, 272
ProductVersion : 1, 0, 0, 1
ProductName : Deskbar
CompanyName : Deskbar
FileDescription : Deskbar
InternalName : Deskbar
LegalCopyright : Copyright 2001-2003. All rights reserved.
OriginalFilename : deskbar.dll


iSearch Toolbar Object Recognized!
Type : File
Data : A0004209.dll
TAC Rating : 4
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP2\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


win32.Trojan.Dnschanger Object Recognized!
Type : File
Data : A0004255.exe
TAC Rating : 10
Category : Monitoring Tool
Comment :
Object : C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP2\



Win32.TrojanDownloader.Adload Object Recognized!
Type : File
Data : A0007265.exe
TAC Rating : 10
Category : Virus
Comment :
Object : C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP2\



iSearch Toolbar Object Recognized!
Type : File
Data : A0007266.dll
TAC Rating : 4
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP2\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


Adware.DollarRevenue Object Recognized!
Type : File
Data : deskbar.dll
TAC Rating : 10
Category : Adware
Comment :
Object : C:\!KillBox\
FileVersion : 1, 0, 0, 272
ProductVersion : 1, 0, 0, 1
ProductName : Deskbar
CompanyName : Deskbar
FileDescription : Deskbar
InternalName : Deskbar
LegalCopyright : Copyright 2001-2003. All rights reserved.
OriginalFilename : deskbar.dll


Softomate Toolbar Object Recognized!
Type : File
Data : Dc68.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\Recycled\



Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 44


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".


Hosts file scan result:

1 entries scanned.
New critical objects:0
Objects found so far: 44




Performing conditional scans...


Adware.DollarRevenue Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : CurrentFont

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : FontSize

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : CurrentLayout

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : ToolbarIsFailed

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : corruptedMsg

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : uninstallMsg

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : updateMsg

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : autoUpdateMsg

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : versionError

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : connectionError

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : lastVersionMsg

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : firstURL

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : serverpath

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : updateUrl

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : urlAfterUpdate

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : urlAfterUninstall

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : OpenNew

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : AutoComplete

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : KeepHistory

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : RunSearchAutomatically

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : RunSearchDragAutomatically

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : DescriptiveText

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : ShowHighlightButton

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : UpdateAutomatically

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : Scope

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : MinibrowserDisplayResults

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : MinibrowserAutoClose

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : MinibrowserAnimated

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : EditWidthcombo1

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : EditWidthcombo2

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : toolbar_version

Adware.DollarRevenue Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\dbtb00001\deskbar
Value : firstTime

Win32.TrojanDownloader.Adload Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\policies\explorer

Win32.TrojanDownloader.Adload Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\policies\explorer
Value : NoStrCmpLogical

Win32.TrojanDownloader.Adload Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\policies\explorer
Value : NoClose

Softomate Toolbar Object Recognized!
Type : RegData
Data : 0
TAC Rating : 9
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown
Value : iexplore.exe
Data : 0

Softomate Toolbar Object Recognized!
Type : Folder
TAC Rating : 9
Category : Data Miner
Comment : Softomate Toolbar
Object : C:\Program Files\Deskbar

Conditional scan result:

New critical objects: 38
Objects found so far: 82

9:55:38 AM Scan Complete

Summary Of This Scan

Total scanning time:00:09:43.687
Objects scanned:119843
Objects identified:58
Objects ignored:0
New critical objects:58


#2 xia0pr1nce (Topic Starter)

Posted 10 November 2006 - 04:29 AM

bumpz

#3 rookie147

Posted 11 November 2006 - 04:31 AM

Hello xia0pr1nce, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today. Sorry you had to wait a while, but our HijackThis Team is very busy at the moment, and we try to deal with the oldest logs first.

Please take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 rookie147

Posted 11 November 2006 - 05:52 AM

Hey xia0pr1nce, sorry for the delay.

======

You need to put HijackThis into its own folder. It makes backups and they need to be kept all in one place.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have C:\HJT\ folder. Put your hijackthis.exe there.

======

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

LSP-Fix Download Link

======

Download ATF Cleaner by Atribune.

======

Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
If you do not have a firewall installed, please download and install one of these excellent (and free) products: Zone Alarm or Sygate
It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.

======

To remove New.net, please go to Add/Remove Programs via Control Panel, look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

======

Try following the instructions found here for rebooting into Safe Mode, especially the "Using the System Configuration Tool Method". If this does not work for you just reboot into Normal mode again and follow my next steps...
If you can boot into Safe Mode, run them from there.

======

Now we'll run ATF Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

======

Reboot into Normal Mode again (If you managed to get into Safe Mode)

======

Open HijackThis
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

=====

If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

======

Post me back a new HijackThis log, and the uninstall list please.
Can you also let me know if you were able to boot into Safe Mode using the other method?
Thanks,
Charles



#5 xia0pr1nce (Topic Starter)

Posted 11 November 2006 - 06:11 AM

Hey, sorry.... Thanks for the quick reply. OK, I've got all those crappy popups under control. My background is back to my lovely green Windows XP. Sadly, I still can't boot into Safe Mode. Got a buggy system, perhaps. Oh, btw, I turned off my firewall because I like to host games ^^

heres my current hijack this list

Logfile of HijackThis v1.99.1
Scan saved at 7:04:16 PM, on 11/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\program files\hamachi\hamachi.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Madeline\inf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\irdvxc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66911D7A-E724-40FF-8113-8D5E103A6CB5} - C:\Program Files\WinRAR\tego.dll (file missing)
O2 - BHO: (no name) - {6BF0803B-B987-4E1C-A313-6A4ADA648BAE} - C:\Program Files\WinRAR\tego.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hamachi Startup] c:\program files\hamachi\hamachi.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\Run: [Services] C:\Documents and Settings\Madeline\inf.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e53.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e53.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoms Center] expfix.exe
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF50A6C1-37F3-4B85-8E7E-643C57B71106}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe

hey i found some new bleep in my comp man. got any way to remove them? oh btw the uninstall thing

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
ADSL Modem Driver Suite Product
Askey HSFi V.90(V.92) 56K PCI Modem
AVG Free Edition
Canon i455
Hamachi 1.0.0.62
HijackThis 1.99.1
Intel Application Accelerator
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_18
Magic Keyboard
MapleStory
Medal of Honor Allied Assault
Microsoft Office Standard Edition 2003
mIRC
Mozilla Firefox (1.5.0.8)
MSXML4 Parser
NJStar Chinese WP
NTI CD-Maker 2000 Plus
NTI FileCD
NVIDIA Windows 2000/XP Display Drivers
Picasa 2
RealPlayer
Realtek AC'97 Audio
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB921883)
Spybot - Search & Destroy 1.4
Steam
Windows Live Messenger
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB835732
Windows XP Service Pack 1a
WinRAR archiver
Yahoo! Messenger
Zion

#6 rookie147

  • Members
  • 5,321 posts
  • Local time:10:10 AM

Posted 12 November 2006 - 06:23 AM

Hey, sorry for the delay. I'm afraid I have some bad news for you.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 xia0pr1nce
  • Topic Starter
  • Members
  • 9 posts
  • Local time:04:10 AM

Posted 12 November 2006 - 08:59 AM

omg!!! dang it man when did all these backdoor bleep come around???!

hehe good thing i dun bank or use paypal. i only play games hehe.

ok man im ready to battle with this spyware in my comp. btw it has always returned after some time after i reformat each time .....

PLEASE help me. no matter what it takes, i will fight to the end man. this weird stuff has been sticking up my comp for some time and its about time to kick its butt.

*oh man btw those experts aint serious eh? comp cant be trusted again... but i trust my comp like my wife man! lol

Edited by xia0pr1nce, 12 November 2006 - 09:01 AM.


#8 rookie147

  • Members
  • 5,321 posts
  • Local time:10:10 AM

Posted 13 November 2006 - 09:57 AM

Hey xia0pr1nce, sorry for the delay.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet there).

======

oh man btw those experts aint serious eh? comp cant be trusted again... but i trust my comp like my wife man! lol

Yes, that is serious actually. With infections these days, we can only clean what we see; there may be some nasties that hide from us no matter how many scans we run...

======

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

J2SE Runtime Environment 5.0 Update 6

Remember that these may require you to reboot your computer to complete the uninstallation; just let them.

======

You are still running HJT from a temporary directory, please move it using my last set of instructions. This is very important, as if it is in a TEMP folder it can't save backups.

======

Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
======

Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon, as shown in the next picture.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'.
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as', and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

======

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

======

Copy and paste the following text into Notepad:

REM sc addresses services by their short service name, which HijackThis shows in
REM parentheses on the O23 line (MSDisk, WINLOGON), not by the display name.
sc stop MSDisk
sc delete MSDisk
sc stop WINLOGON
sc delete WINLOGON
del services.bat

Save this as "services.bat" (choose to save as *All files*) and place it on your Desktop.

Double-click services.bat. Soon it should disappear from your Desktop; this is fine.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {66911D7A-E724-40FF-8113-8D5E103A6CB5} - C:\Program Files\WinRAR\tego.dll (file missing)
O2 - BHO: (no name) - {6BF0803B-B987-4E1C-A313-6A4ADA648BAE} - C:\Program Files\WinRAR\tego.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\Run: [Services] C:\Documents and Settings\Madeline\inf.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e53.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e53.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] expfix.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Next, please find and delete the following files (if present):

C:\Documents and Settings\Madeline\inf.exe <--File
C:\dfndrff_e53.exe <--File
C:\kybrdff_e53.exe <--File
C:\WINDOWS\System32\irdvxc.exe <--File
C:\WINDOWS\system\winlogon.exe <--File, make sure you delete the one in a folder called "system".

======

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
======

Reboot into Normal Mode again.

======

Post me back the AVG log and a new HJT log.
Thanks,
Charles


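As an added defender-side example (not code from this thread, from HijackThis or from AVG), here is a small Python triage that applies the same heuristics Charles uses above to O4 and O23 lines: no publisher, referenced file missing, image sitting in the drive root or in a user profile, and a system-binary name such as winlogon.exe running from somewhere other than System32. The sample lines are constructed from this thread's log; the heuristics and thresholds are assumptions of this example, not HijackThis logic.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 format, modelled on the lines in this
# thread (one clean entry of each kind alongside the ones Charles flagged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Services] C:\Documents and Settings\Madeline\inf.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e53.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
"""

# O4:  "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: "O23 - Service: <display name> (<service name>) - <publisher> - <image path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<cmd>.*)$"
)
# First token that looks like an executable, with or without a leading quote.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|cpl|bat|scr|com))\b', re.IGNORECASE)

# Core Windows binaries that only belong in %SystemRoot%\System32 (assumed list).
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
PROFILE_ROOT = "c:\\documents and settings\\"


@dataclass
class Finding:
    line: str
    reasons: list[str]


def image_path(cmd: str) -> str:
    """Extract and normalise the executable path from an O4/O23 command field."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else (cmd.split()[0] if cmd else "")
    # HijackThis prints a doubled backslash for files in the drive root (C:\\x.exe).
    return re.sub(r"\\+", r"\\", path).lower()


def assess(line: str) -> list[str]:
    """Return the (assumed) heuristic reasons why one HJT line looks suspicious."""
    reasons: list[str] = []
    if "(file missing)" in line:
        reasons.append("referenced file is missing (orphaned autostart/service entry)")
    m23, m4 = O23_RE.match(line), O4_RE.match(line)
    if m23:
        if m23.group("owner").lower() == "unknown owner":
            reasons.append(f"service {m23.group('svc')} has no publisher")
        cmd = m23.group("cmd")
    elif m4:
        cmd = m4.group("cmd")
    else:
        return reasons  # other HJT sections are not handled by this example
    folder, exe = ntpath.split(image_path(cmd))
    if folder == "c:\\":
        reasons.append("image lives in the drive root")
    elif folder.startswith(PROFILE_ROOT):
        reasons.append("image lives in a user profile rather than Program Files")
    if exe in SYSTEM_BINARIES and folder and folder != SYSTEM32:
        reasons.append(f"{exe} is a Windows system binary name but runs from {folder}")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run assess() over every non-blank line and keep only lines with findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = assess(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

On the constructed sample the four entries Charles told the poster to fix are flagged and the SoundMan, MSN Messenger and NVIDIA entries pass clean.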

#9 xia0pr1nce
  • Topic Starter
  • Members
  • 9 posts
  • Local time:04:10 AM

Posted 13 November 2006 - 08:42 PM

alright man im getting to work.

i deleted that java thing... y u do that man? thats a malware? lol anyways i got a version 9 so nvm.

ive done the brute force thing successfully and it took kinda a while.

then i dled the avg anti spyware thing.

oh btw for the service.bat thing, it doesnt really work. it didnt disappear from my desktop... but i hope it had worked.

alright and i deleted the keys and the files. except for the winlogon thing.
When i used killbox and attempted to kill it, my comp crashed ( usually )...
it seems like i am unable to kill that file!!!

oh but thank goodness the avg anti spyware recognised it as a backdoor spybot variant and i cleaned it.

ok enough crap. here are the reports

Logfile of HijackThis v1.99.1
Scan saved at 9:37:48 AM, on 11/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\program files\hamachi\hamachi.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Rar$EX00.891\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hamachi Startup] c:\program files\hamachi\hamachi.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF50A6C1-37F3-4B85-8E7E-643C57B71106}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)

DAMN!!! theres still that winlogon thing and that irdvxc

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:33:23 AM 11/14/2006

+ Scan result:



C:\!KillBox\RP2\A0004208.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004256.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004257.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004258.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\newdot~2.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\newdot~2.dll( 1) -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\4L23S9EJ\yz02[1].exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\IS6TUD12\yz02[1].exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP11\A0016393.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004204.exe -> Backdoor.Rbot.bjx : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0003099.exe -> Backdoor.Rbot.bni : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP11\A0016401.EXE -> Backdoor.Rbot.bni : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP11\A0017274.exe -> Backdoor.Rbot.bni : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP11\A0017271.EXE -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\Program Files\mIRC\zion\plugins\zion_updater.mrc -> Backdoor.Small.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\IS6TUD12\drsmartload44a[1].exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\Recycled\Dc1.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004159.exe -> Downloader.Adload.hw : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\school.exe -> Downloader.Adload.hw : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004260.exe -> Downloader.Adload.ic : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004162.exe -> Downloader.Adload.nad : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004261.exe -> Downloader.Adload.nad : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004158.exe -> Downloader.Small.duf : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\VIZB8XU4\lucifier[1].exe -> Downloader.Small.duf : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\0Z1IEMU4\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Madeline\Local Settings\Temporary Internet Files\Content.IE5\0Z1IEMU4\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Program Files\Common Files\tele.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\wonohuce.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\!KillBox\RP2\A0004240.EXE -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\!KillBox\inf.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\!KillBox\inf.exe( 1) -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9634A4EE-B101-403D-A904-FF5C53759F7F}\RP11\A0016400.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
:mozilla.127:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.178:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.90:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Madeline\Cookies\madeline@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Madeline\Cookies\madeline@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.131:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.132:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.133:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.139:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.199:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.38:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.39:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.40:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.96:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.97:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.98:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.99:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Madeline\Cookies\madeline@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.140:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.32:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.33:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.184:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.185:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.35:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\n3t2x028.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.36:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.37:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Andrew\Cookies\anyuser@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.57:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Madeline\Cookies\madeline@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.172:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.173:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.174:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.175:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.48:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.49:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.50:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.198:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.168:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.15:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.93:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Andrew\Cookies\anyuser@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.101:C:\Documents and Settings\Madeline\Application Data\Mozilla\Firefox\Profiles\ux1agr32.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Andrew\Cookies\anyuser@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.39:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.40:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.41:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.42:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.43:C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.


::Report end

#10 rookie147

  • Members
  • 5,321 posts

Posted 14 November 2006 - 10:09 AM

Hello Xia0pr1nce

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet there).

======

I deleted that Java thing... why'd you do that man? That's a malware? lol anyways I got version 9 so nvm.

No, it's not malware, but old versions can be exploited by malware, so keeping it is a security threat.

Oh btw, for the service.bat thing, it doesn't really work. It didn't disappear from my desktop... but I hope it had worked.

Hmm, okay. It looks like it did work.

Can I also ask you not to use KillBox unless specifically told to by me, especially for the files I want you to delete. We'll try manual deletions first, and if needed later we'll use something a bit stronger.

======

You need to put HijackThis into its own folder. It makes backups and they need to be kept all in one place.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have a C:\HJT\ folder. Put your hijackthis.exe there.

======

Please download ATF Cleaner by Atribune.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Next, please find and delete the following files/folders (if present):

C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\system\winlogon.exe

======

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

======

Reboot into Normal Mode.

======

Post me back a new HJT log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 xia0pr1nce
  • Topic Starter
  • Members
  • 9 posts

Posted 14 November 2006 - 08:38 PM

Alright man. I think I got it this time.


Logfile of HijackThis v1.99.1
Scan saved at 9:33:00 AM, on 11/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\program files\hamachi\hamachi.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Rar$EX00.641\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hamachi Startup] c:\program files\hamachi\hamachi.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF50A6C1-37F3-4B85-8E7E-643C57B71106}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
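
As an added example (not code from this thread, from HijackThis, or from the helper), a small Python triage script that applies the checks rookie147 made by eye to the log format above: O23 services with "Unknown owner" whose binary is "(file missing)", a core system binary name living outside system32, Run keys that launch scripts or run from Temp, and a proxy override. The sample log is constructed from lines in this thread; the [Updater] Run key name is made up.

```python
"""Triage a HijackThis v1.99 log for the entry types rookie147 picked out above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis 1.99.1 format used in this thread. The two
# "Unknown owner" O23 lines are the ones the helper asked to fix; the O4 [Updater]
# key name is made up (its .vbs path is the one Panda reports later in the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:33:00 AM, on 11/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\YW5kcmV3IHRvaA\sqc4wApaKJlSuE.vbs
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<key>[^\]]+)\] (?P<command>.+)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(vbs|js|bat|cmd|hta)\b", re.IGNORECASE)

# Core Windows XP binaries that live only in %SystemRoot%\system32; the same file
# name anywhere else (here C:\WINDOWS\system\winlogon.exe) is name-squatting.
SYSTEM32_ONLY = {"winlogon.exe", "services.exe", "lsass.exe", "smss.exe", "csrss.exe"}


@dataclass
class Finding:
    section: str           # HijackThis section code: R1, O4 or O23
    name: str              # service display name, Run key name, or setting name
    target: str            # command line / path / proxy value exactly as logged
    reasons: List[str] = field(default_factory=list)


def _check_service(name: str, owner: str, target: str) -> Optional[Finding]:
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no publisher recorded for the service binary")
    if "(file missing)" in target:
        reasons.append("orphaned: service still registered but its binary is gone")
    exe = EXE_RE.search(target)
    if exe and exe.group(1).lower() in SYSTEM32_ONLY and "\\system32\\" not in target.lower():
        reasons.append(f"{exe.group(1)} outside system32 (name-squats a system binary)")
    return Finding("O23", name, target, reasons) if reasons else None


def _check_run_key(key: str, command: str) -> Optional[Finding]:
    reasons = []
    if SCRIPT_RE.search(command):
        reasons.append("Run key launches a script rather than an installed program")
    if "\\temp\\" in command.lower():
        reasons.append("Run key launches from a Temp directory")
    return Finding("O4", key, command, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per R1/O4/O23 line that deserves a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            f = _check_service(m["name"], m["owner"], m["target"])
        elif m := O4_RE.match(line):
            f = _check_run_key(m["key"], m["command"])
        elif m := R1_RE.match(line):
            # Adware often sets a proxy to redirect traffic, but an ISP proxy is
            # legitimate too, so this is flagged for review rather than removal.
            f = Finding("R1", "ProxyServer", m["proxy"],
                        ["proxy override set; confirm it is your ISP's"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name} -> {f.target}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Benign entries such as the NVIDIA service and the SoundMan Run key produce no finding, which is the point: the script narrows a long log down to the handful of lines a helper would ask about.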

#12 rookie147

  • Members
  • 5,321 posts

Posted 15 November 2006 - 10:44 AM

Please run Panda's ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open; click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report in your next reply
======

Post me the Panda log and let me know how things are running.
Thanks,
Charles



#13 xia0pr1nce
  • Topic Starter
  • Members
  • 9 posts

Posted 16 November 2006 - 06:33 PM

Alright baby, I've got it scanned. Btw, that Panda thing sux... it doesn't like Firefox :thumbsup: so I had to use Internet Explorer, which I dislike. But anyways, here's the report. Found new crap!!!


Incident Status Location

Virus:Trj/Agent.DBF Disinfected Operating system
Spyware:Cookie/YieldManager Not disinfected C:\FOUND.000\FILE0008.CHK
Spyware:Cookie/WUpd Not disinfected C:\FOUND.000\FILE0023.CHK
Spyware:Cookie/Mammamediasolutions Not disinfected C:\FOUND.000\FILE0026.CHK
Spyware:Cookie/YieldManager Not disinfected C:\FOUND.000\FILE0031.CHK
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\swsc.exe
Virus:Trj/Agent.DBF Disinfected C:\WINDOWS\system32\.exe
Virus:Trj/Agent.DBF Disinfected C:\WINDOWS\system32\irdvxc.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\YW5kcmV3IHRvaA\sqc4wApaKJlSuE.vbs
Potentially unwanted tool:Application/ProcKill.A Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\GameXP\GameXP.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\SmitfraudFix\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\SmitfraudFix\SmitfraudFix\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\SmitfraudFix.zip[SmitfraudFix/swsc.exe]
Potentially unwanted tool:Application/ProcKill.A Not disinfected C:\Documents and Settings\Andrew\Desktop\WinRAR Archives\GameXP.zip[GameXP.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andrew\Cookies\andrew@atdmt[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[.overture.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\8k0go2qg.default\cookies.txt[.ads.addynamix.com/]
Adware:Adware/SearchAid Not disinfected C:\!KillBox\RP2\A0004254.vbs
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\RP2\A0004259.exe
Possible Virus. Not disinfected C:\!KillBox\RP2\A0004268.exe
Possible Virus. Not disinfected C:\!KillBox\RP2\A0007257.exe
Spyware:Cookie/Zedo Not disinfected C:\!KillBox\cookies.txt[.zedo.com/]
Spyware:Cookie/Tickle Not disinfected C:\!KillBox\cookies.txt[.tickle.com/]

#14 rookie147

  • Members
  • 5,321 posts

Posted 17 November 2006 - 10:25 AM

Hello xia0pr1nce, sorry for the delay. :thumbsup:

======

Reboot into Safe Mode and delete these files/folders:

C:\WINDOWS\YW5kcmV3IHRvaA <--Folder

======

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
======

Reboot into Normal Mode.

======

This was in your AVG log:

Potentially unwanted tool:Application/ProcKill.A Not disinfected C:\Documents and Settings\Andrew\Desktop\Other Crap\GameXP\GameXP.exe

Do you know what it is? If so, please let me know.

======

Let me know how things are running.
Thanks,
Charles



#15 xia0pr1nce
  • Topic Starter
  • Members
  • 9 posts

Posted 17 November 2006 - 09:44 PM

Alright. So I suppose my system is healed already :thumbsup: ?

Oh, that thing. You can check it out at -> theorica.net

I used it to optimize my comp to boost its performance for gaming by ... some stuff, I dunno what it does,

but I just know that it's not harmful.

Things are fine and I don't get any crap ads anymore and my comp runs at the max!

Edited by xia0pr1nce, 17 November 2006 - 09:45 PM.




