
Vundo Aftermath


This topic is locked
10 replies to this topic

#1 lev5c


Posted 03 December 2006 - 07:39 PM

After 4 days of trial and error I have apparently gotten rid of the Vundo-related "WinAntiVirus 2006 Pro" crap with all its unbearable URL redirections and popups. When and where I was infected is beyond me. The problem is, I am now trying to clean up the mess left by all the registry changes, deletions, reboots, etc.

I am experiencing some taskbar/quicklaunch issues (small icons are not small, buttons aren't wide enough to read) and explorer.exe seems to end/restart approx. 30sec after each reboot. I have tried a couple of fixes - xp_taskbar_desktop_fixall.vbs and taskbaricons.vbs to no avail. My graphics card drivers are up to date and working fine at 1280x1024 as always.

After dealing with that virus, this is almost comical.
But, I am finally breaking down and posting here for the first time.
Any help would be greatly appreciated. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 4:27:38 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Technician\My Documents\stuff\brave fix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8010
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Just noticed msiexec.exe - maybe the problem with explorer?

#2 htv8


Posted 14 December 2006 - 06:47 AM

Hello lev5c, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 lev5c


Posted 14 December 2006 - 02:06 PM

Thank g*d!

Thought I was on my own. I noticed a couple more things that started happening at the same time.

1. The explorer issue happens when opening some folders. I know "my computer" always takes a sec to read the drives. But the taskbar, systray, and windows should not disappear/reappear when opening "program files".

2. When I drag a window or, more specifically, an odd-shaped object such as windows media player, the selection area outline is the "true" area occupied by the program (much bigger and square). I thought maybe the transparent window option was checked/unchecked in control panel>display>appearance>effects. Right? The button doesn't work.

3. When I drag icons, there is a 2px white horizontal line under the icon but above the text.

4. Start menu>"All programs" button does not work.

This all probably seems pretty trivial, but if I ignore it then I have been defeated.

Edited by lev5c, 14 December 2006 - 02:46 PM.


#4 htv8


Posted 15 December 2006 - 12:40 PM

IMPORTANT
Your log shows that you are seriously behind on Windows updates. It is essential that you update your Internet Explorer version with Service Pack 1 before we continue to help you as the infections could reoccur.

Visit Microsoft's Internet Explorer 6 Service Pack 1 download site and download and install the update for SP1. If needed, change the language to your own language before installing the update for SP1. When it prompts you to reboot, do so.
NOTE: Please do not install any other updates yet, because this can cause trouble if installed on an infected PC.


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


Your log shows that an administrative lock down has been set for changing the options or home page in Internet Explorer by changing certain settings in the registry. These options should only appear if an administrator set them on purpose or if you used certain features in the Immunize section of Spybot – Search & Destroy. If you or an administrator didn’t set these options on purpose, please put a checkmark by this entry as well if it is present:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Now close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #2
Go to Control Panel > Add/Remove Programs and uninstall ewido anti-spyware 4.0 if listed. A new program version is available for download: AVG Anti-Spyware 7.5.

Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update and configure the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5.

Now reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware.
8. Reboot your computer to boot back into normal mode.

Please post the entire contents of the saved text file in your next reply.

Step #3
Please perform an online scan with Kaspersky Online Scanner (click).
Follow these instructions:
1. Click on the button labelled "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Install it.
3. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT.
4. Now click on "Scan Settings".
5. In the scan settings, make sure the following are selected:

Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

6. Click OK.
7. Now under select a target to scan, select My Computer.

The program will start and scan your system.
NOTE: The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected. Click on the button labelled "Save as Text" and save a text file to your Desktop. Copy and paste that information in your next post.

Step #4
Please download Combofix and save it to your Desktop.
Download combofix.exe

Once downloaded, double-click combofix.exe and follow the on-screen prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

NOTE: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall!

Step #5
Scan with HijackThis again and post a new HijackThis log.

Edited by htv8, 15 December 2006 - 12:42 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

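As an added example (not code from this thread, from HijackThis, or from BleepingComputer), a small Python triage script that applies the criteria htv8 gives in Step #1 to lines copied from the log in post #1: R0 entries with a blank value, the O6 restrictions policy, and O23 services reported as "(file missing)". The loopback-proxy check on the R1 line is an extra check I added so the reader confirms which local program owns that port before treating the entry as a problem.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread).

Flags the entry types the helper asked to be fixed or questioned:
  * R0 entries with a blank value (empty Local Page / LinksFolderName)
  * O6 Internet Explorer policy restrictions
  * O23 services whose binary is reported "(file missing)"
and, as an extra check, R1 proxy settings that point at the loopback address,
so the owner of that local port can be confirmed before anything is "fixed".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8010
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as R0, O4 or O23;
# header lines and the running-process list do not, and are ignored.
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
PROXY_VALUE = re.compile(r"ProxyServer = (?P<proxy>\S+)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[tuple]:
    """Split one log line into (section, body); None for non-entry lines."""
    match = HJT_ENTRY.match(line.strip())
    if not match:
        return None
    return match.group("section"), match.group("body")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches one of the review criteria."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    text = line.strip()
    if section == "R0" and body.rstrip().endswith("="):
        # Blank Local Page / LinksFolderName values: harmless to fix.
        return Finding(section, "blank IE setting; safe to fix", text)
    if section == "R1":
        match = PROXY_VALUE.search(body)
        if match and match.group("proxy").startswith(("127.0.0.1:", "localhost:")):
            # A loopback proxy is often a local web-shield; verify the owner first.
            return Finding(section, "proxy on loopback %s; confirm which local program owns the port" % match.group("proxy"), text)
    if section == "O6" and body.endswith("Restrictions present"):
        return Finding(section, "IE policy restrictions set; fix unless an admin or Spybot Immunize set them", text)
    if section == "O23" and "(file missing)" in body:
        return Finding(section, "service entry points at a missing file", text)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def sections_flagged(text: str) -> List[str]:
    """Section codes of the flagged entries, in log order."""
    return [f.section for f in triage_log(text)]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```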

#5 lev5c


Posted 15 December 2006 - 11:57 PM

I tried installing the update and got the following message:

Setup has detected a newer version of Internet Explorer installed on this system. Setup cannot continue.

What should I do now? I've had the same version of IE6 since summer of '05 when I installed XP.

This is what shows in Help>About IE

Version: 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
Update Versions: 0

#6 htv8


Posted 16 December 2006 - 07:05 AM

OK. Skip the update for Internet Explorer and continue with the rest of the instructions. It appears that you are fully updated though. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#7 lev5c


Posted 16 December 2006 - 09:36 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:58:34 PM 12/16/2006

+ Scan result:



C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0077756.exe -> Adware.Spysheriff : Cleaned.
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0107132.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0107130.ocx -> Downloader.IstBar : Cleaned.
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0107131.exe -> Downloader.Small.dam : Cleaned.
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0106818.exe -> Not-A-Virus.Hacktool.EvID : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@ehg-etoys.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Technician\Cookies\technician@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\system.exe -> Trojan.Sinowal.bi : Cleaned.


::Report end

-----------------------------------------------------------------------------------------------------------------------------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 16, 2006 5:21:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/12/2006
Kaspersky Anti-Virus database records: 251324
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 113194
Number of viruses found: 11
Number of infected objects: 29 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:20:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Technician\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\History\History.IE5\MSHist012006121620061217\index.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Temp\Perflib_Perfdata_474.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Temp\Perflib_Perfdata_778.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Temp\Perflib_Perfdata_7f0.dat Object is locked skipped
C:\Documents and Settings\Technician\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Technician\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Technician\ntuser.dat.LOG Object is locked skipped
C:\HJT\backups\backup-20061202-152400-779.dll Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\xampp\apache\logs\access.log Object is locked skipped
C:\Program Files\xampp\apache\logs\error.log Object is locked skipped
C:\Program Files\xampp\apache\logs\ssl_request.log Object is locked skipped
C:\Program Files\xampp\mysql\data\PC1.err Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP105\A0025245.exe/WISE0015.BIN/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP105\A0025245.exe/WISE0015.BIN/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP105\A0025245.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP105\A0025245.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP105\A0025245.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP105\A0025245.exe WiseSFX: infected - 5 skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0044032.exe/VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0044032.exe CreateInstall: infected - 1 skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076091.exe/simplevlc.dll Infected: not-a-virus:Porn-Tool.Win32.Porn2Peer.a skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076091.exe/giFT.dll Infected: not-a-virus:Porn-Tool.Win32.Porn2Peer.a skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076091.exe/giFTl.exe Infected: not-a-virus:Porn-Tool.Win32.Porn2Peer.a skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076091.exe/Zango.exe Infected: not-a-virus:AdTool.Win32.WinAD.bv skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076091.exe SetupFactory: infected - 4 skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076092.exe/Stream/data0008 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076092.exe/Stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0076092.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0106817.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0107340.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0107341.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0107342.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\A0119687.exe Infected: Trojan-PSW.Win32.Sinowal.bi skipped
C:\System Volume Information\_restore{0629390B-594D-4E45-A34B-BBC0147E144E}\RP151\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\PC1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\BCRBFOKC.0LL Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6781.sys Object is locked skipped
C:\WINDOWS\system32\EFQNJTTF.0LL Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\eyqgmjpu.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\IPYTBBOL.0LL Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\kernels88.exe Infected: Trojan-Downloader.Win32.Tibs.jr skipped
C:\WINDOWS\system32\sktkjnyx.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\vrsnibeu.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_7fc.dat Object is locked skipped
C:\WINDOWS\temp\ZLT0513e.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT05141.TMP Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

-----------------------------------------------------------------------------------------------------------------------------



Technician - 06-12-16 17:34:27.35 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Technician\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))


2006-12-16 15:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-16 15:24 <DIR> d-------- C:\WINDOWS\LastGood
2006-12-16 11:26 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-16 11:26 <DIR> d-------- C:\Program Files\Grisoft
2006-12-15 09:09 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-14 18:26 <DIR> d-------- C:\Program Files\BurnRight! CD & DVD
2006-12-13 16:09 <DIR> dr-h----- C:\Documents and Settings\Technician\Recent
2006-12-13 16:09 <DIR> dr-h----- C:\Documents and Settings\Technician\Recent
2006-12-12 23:21 <DIR> d-------- C:\Program Files\FileZilla
2006-12-12 21:45 <DIR> d-------- C:\Program Files\xampp
2006-12-12 20:39 8,704 --a------ C:\WINDOWS\system32\infoctrs.dll
2006-12-12 20:37 116,720 --a------ C:\WINDOWS\system32\convlog.exe
2006-12-12 20:33 6,144 --a------ C:\WINDOWS\system32\admxprox.dll
2006-12-12 20:29 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2006-12-12 20:29 <DIR> d-------- C:\Inetpub
2006-12-06 22:00 <DIR> d-------- C:\Documents and Settings\Technician\Application Data\CyberLink
2006-12-06 21:55 <DIR> d-------- C:\Program Files\CyberLink
2006-12-06 15:21 <DIR> d-------- C:\Program Files\Bradbury
2006-12-05 11:55 8,215 --a------ C:\WINDOWS\system32\kernels88.exe
2006-12-05 11:55 0 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-12-02 14:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-02 14:00 <DIR> d-------- C:\VundoFix Backups
2006-12-02 13:17 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2006-12-02 12:30 <DIR> d-------- C:\Documents and Settings\Administrator
2006-12-01 16:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-01 15:54 <DIR> d-------- C:\HJT
2006-12-01 12:37 <DIR> d-------- C:\WINDOWS\pss
2006-12-01 11:24 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-01 11:24 <DIR> d-------- C:\Program Files\Zone Labs
2006-11-30 14:57 88,340 --a------ C:\WINDOWS\system32\eyqgmjpu.exe
2006-11-30 14:57 42,516 --a------ C:\WINDOWS\system32\vrsnibeu.dll
2006-11-26 13:09 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2006-11-26 13:08 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2006-11-26 13:08 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2006-11-26 13:08 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2006-11-26 13:08 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2006-11-26 13:08 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2006-11-26 13:08 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2006-11-26 13:08 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2006-11-26 13:08 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2006-11-26 13:08 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2006-11-25 12:42 <DIR> d-------- C:\Documents and Settings\Technician\Application Data\iMesh
2006-11-25 12:41 <DIR> d-------- C:\Program Files\iMesh Applications
2006-11-21 15:55 <DIR> d-------- C:\Documents and Settings\Technician\Application Data\PCF-VLC
2006-11-21 15:31 <DIR> d-------- C:\Documents and Settings\Technician\Application Data\Participatory Culture Foundation
2006-11-21 15:30 <DIR> d-------- C:\Program Files\Democracy Player


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-16 17:35 -------- d-------- C:\Program Files\Common Files
2006-12-14 16:37 -------- d-------- C:\Documents and Settings\Technician\Application Data\uTorrent
2006-12-10 19:34 -------- d-------- C:\Program Files\Soldier of Fortune II - Double Helix GOLD
2006-12-09 08:48 -------- d-------- C:\Program Files\Security Task Manager
2006-12-06 21:55 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-05 23:02 -------- d-------- C:\Documents and Settings\Technician\Application Data\KlipFolio
2006-12-05 16:35 -------- d-------- C:\Program Files\DeluxeFTP
2006-12-02 14:58 -------- d-------- C:\Program Files\Internet Explorer
2006-12-02 14:56 -------- d-------- C:\Program Files\DVD Region-Free
2006-12-02 14:53 -------- d-------- C:\Program Files\AlienGUIse
2006-12-02 09:45 984576 --a------ C:\WINDOWS\system32\syssetup.dll
2006-12-02 09:25 -------- d-------- C:\Documents and Settings\Technician\Application Data\Launchy
2006-11-25 18:28 154624 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-11-25 18:28 -------- d-------- C:\Program Files\Illustrate
2006-11-25 11:20 -------- d-------- C:\Documents and Settings\Technician\Application Data\Macromedia
2006-11-19 15:20 -------- d-------- C:\Program Files\Burn4Free
2006-11-15 10:05 -------- d-------- C:\Documents and Settings\Technician\Application Data\Adobe
2006-11-14 17:19 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-11-14 17:17 -------- d-------- C:\Program Files\Adobe
2006-11-14 17:15 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-14 13:23 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2006-11-14 08:34 -------- d-------- C:\Program Files\Northgate
2006-11-09 16:13 -------- d-------- C:\Program Files\Launchy
2006-11-06 15:35 110612 --a------ C:\WINDOWS\system32\sktkjnyx.exe
2006-11-06 10:31 -------- d-------- C:\Documents and Settings\Technician\Application Data\ATI
2006-11-06 10:28 -------- d-------- C:\Program Files\ATI Technologies
2006-11-06 10:27 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-06 09:42 -------- d-------- C:\Program Files\Driver Cleaner Pro
2006-11-05 20:01 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2006-11-04 22:34 99776 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2006-10-31 09:41 -------- d-------- C:\Program Files\dvdSanta
2006-10-29 11:22 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-29 11:22 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-21 12:02 -------- d-------- C:\Program Files\BitTorrent
2006-09-26 17:52 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-09-26 17:50 260608 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-09-26 17:43 90112 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-09-26 17:43 77824 --a------ C:\WINDOWS\system32\Oemdspif.dll
2006-09-26 17:43 41984 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-09-26 17:43 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2006-09-26 17:43 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-09-26 17:41 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2006-09-26 17:41 425984 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-09-26 17:34 2415648 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-09-26 17:29 1086144 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-09-26 17:23 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-09-26 17:21 5144576 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-09-26 17:18 303104 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2006-09-26 17:16 221184 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-09-26 17:15 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-09-26 17:10 294912 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-09-25 07:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-25 07:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SiS Tray"="C:\\WINDOWS\\system32\\sistray.EXE"
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WIAWizardMenu"="RUNDLL32.EXE C:\\WINDOWS\\system32\\sti_ci.dll,WiaCreateWizardMenu"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,d4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoStartMenuMorePrograms"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061216-112308-703
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
backup-20061216-112307-486
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20061216-112306-267
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20061216-112306-444
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
backup-20061216-112306-393
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20061216-112306-235
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061216-112306-630
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20061216-112306-476
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20061202-152400-621
O2 - BHO: (no name) - {9CCDE9F6-DFA5-4B11-B89F-3C2A03F0242F} - C:\WINDOWS\system32\jkkjj.dll (file missing)
backup-20061202-152400-779
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\vrsnibeu.dll
backup-20061202-104257-147
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20061202-104137-380
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
backup-20061202-104137-190
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
backup-20061202-104136-242
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
backup-20061202-104135-566
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
backup-20061202-104136-847
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
backup-20061201-161234-427
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
backup-20061201-161233-902
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
backup-20061201-161231-175
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
backup-20061201-161230-230
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
backup-20061201-161228-690
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab
backup-20061201-161226-756
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
backup-20061201-161224-635
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
Completion time: 06-12-16 17:40:52.73
C:\ComboFix.txt ... 06-12-16 17:40

-----------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 6:18:06 PM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8010
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

-----------------------------------------------------------------------------------------------------------------------------

That's everything! Thanks for all your help so far :thumbsup:

#8 htv8


  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:48 PM

Posted 17 December 2006 - 12:32 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Scan again with HijackThis. Put a checkmark by this entry if it is present, double-checking to be sure that only this entry is checked:
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #2
Please download ATF Cleaner from the link below, but do not use the program yet.
Download ATF Cleaner

Step #3
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files (do not be concerned if they do not exist):
C:\WINDOWS\system32\BCRBFOKC.0LL
C:\WINDOWS\system32\EFQNJTTF.0LL
C:\WINDOWS\system32\eyqgmjpu.exe
C:\WINDOWS\system32\IPYTBBOL.0LL
C:\WINDOWS\system32\kernels88.exe
C:\WINDOWS\system32\sktkjnyx.exe
C:\WINDOWS\system32\vrsnibeu.dll
C:\WINDOWS\system32\dlh9jkd1q8.exe

Step #4
You downloaded ATF Cleaner before. Now follow these instructions to run ATF Cleaner when still in Safe Mode:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program. Reboot your computer to boot back into normal mode.

Step #5
Please provide me an uninstall list by performing these instructions:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the button labelled "Open Uninstall Manager...". You'll see a list of currently installed programs.
5. Click on the button labelled "Save list..." and specify where you would like to save the uninstall list.

When you press the Save button, Notepad will open up with the contents of that file. Copy and paste the contents of that Notepad file as a reply to this topic.

Step #6
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running and what problems you are still experiencing.

Edited by htv8, 17 December 2006 - 12:34 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

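As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script for the kind of HijackThis 1.99.1 log posted above. It parses the sections a cleanup helper reads first (R1, O2, O4, O16, O20, O23) and returns the entries worth a closer look, each with a reason: orphaned entries marked "(file missing)", unnamed BHOs, ActiveX downloads from unrecognised sites, Winlogon Notify DLLs, a local proxy setting, and file names that look machine-generated or that spoof the .DLL extension with a zero. The sample log is constructed from lines that appear earlier in this thread; the scanner host allow-list and the file-name heuristic are assumptions, not anything HijackThis itself does.

```python
"""Triage the autostart sections of a HijackThis 1.99 log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: lines copied from the logs posted earlier in this thread.
# The comned.com URL is kept exactly as the forum shortened it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8010
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\vrsnibeu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
"""

@dataclass(frozen=True)
class Finding:
    tag: str     # HijackThis section, e.g. "O2"
    target: str  # path, URL or value the entry points at
    reason: str

LINE_RE = re.compile(r"^(?P<tag>[RFO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<path>.*)")
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)")
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)
# Hosts serving the online scanners used in this thread (assumption: extend
# for your own environment). Any other O16 download is listed for review.
KNOWN_SCANNER_HOSTS = {"www.kaspersky.com", "support.f-secure.com",
                       "acs.pandasoftware.com", "cdn.scan.safety.live.com"}

def suspicious_name(path: str) -> Optional[str]:
    """Heuristic for dropper-style file names; returns a reason or None."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    if ext.lower() == "0ll":
        return "extension .0LL mimics .DLL with a zero in place of the D"
    if len(stem) == 8 and stem.isalpha() and (stem.islower() or stem.isupper()):
        vowels = sum(ch in "aeiouAEIOU" for ch in stem)
        longest_run = max(len(r) for r in re.split(r"[aeiouAEIOU]", stem))
        if vowels <= 2 or longest_run >= 4:
            return "8-letter single-case name with few vowels looks machine-generated"
    return None

def _split(tag: str, body: str) -> Tuple[str, str]:
    """Return (entry name, target) for the body of one log line."""
    if tag == "O4":
        m = RUN_RE.search(body)
        return (m.group("name"), m.group("path")) if m else ("", body.split(": ", 1)[-1])
    if tag == "O2":
        m = BHO_RE.search(body)
        if m:
            return m.group("name"), m.group("path")
    if tag.startswith("R"):
        return "", body.split(" = ", 1)[-1]
    parts = body.split(" - ")  # O16 / O20 / O23: the target is the last field
    return parts[0], parts[-1]

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")
        name, target = _split(tag, body)
        missing = STATUS_RE.search(target) is not None
        target = STATUS_RE.sub("", target)
        reasons = []
        if missing and tag == "O23" and '"' in target:
            # HijackThis 1.99.1 cuts a quoted ImagePath at the closing quote when
            # arguments follow it, so this "file missing" is usually a parse artifact.
            reasons.append("quoted service path with arguments; verify the binary exists before removing")
        elif missing:
            reasons.append("points at a file that no longer exists (orphaned autostart entry)")
        if tag == "O2" and name == "(no name)":
            reasons.append("BHO registered without a name")
        if tag == "O16" and (urlsplit(target).hostname or "") not in KNOWN_SCANNER_HOSTS:
            reasons.append("ActiveX control downloaded from an unrecognised site")
        if tag == "O20":
            reasons.append("DLL loaded by winlogon.exe at logon; confirm the owning product")
        if tag.startswith("R") and "ProxyServer" in body:
            reasons.append("browser traffic goes through a local proxy port; confirm which product listens there")
        why = suspicious_name(target)
        if why:
            reasons.append(why)
        findings.extend(Finding(tag, target, r) for r in reasons)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.tag:<4}{f.target}\n    -> {f.reason}")
```

Run it as-is to see the flagged entries from the sample, or pass the text of a real log to `triage()`. The "(no name)" rule on its own is noisy (Spybot's SDHelper.dll also registers without a name), which is why it is paired with the file-name check: vrsnibeu.dll collects both reasons, SDHelper.dll only one. The ".0LL" check is there for files like EFQNJTTF.0LL and IPYTBBOL.0LL from the Kaspersky scan, which are easy to misread as .DLL when skimming a log. The heuristics are a starting point for a human review, not a verdict.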

#9 lev5c

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:48 AM

Posted 17 December 2006 - 01:35 PM

Here is the uninstall list created by HijackThis -->

µTorrent
Ad-Aware SE Personal
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Photoshop CS2
Adobe Reader 7.0.5
Adobe Shockwave Player
Adobe Stock Photos 1.0
AlienGUIse Theme Manager
AlienGUIse Theme Manager
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.3
AudioCommander
AusLogics Disk Defrag
avast! Antivirus
AVG Anti-Spyware 7.5
AXIS Media Control
Azureus
Burn4Free CD & DVD 1.1.5.0
BurnRight! CD & DVD
CCleaner (remove only)
C-Media 3D Audio
dBpowerAMP Music Converter
DeluxeFTP 6.0.1
Democracy Player 0.9.1
DFX for Winamp
DH Driver Cleaner Professional Edition
DivX Codec 3.1alpha release
Download Accelerator Plus (DAP)
DVD Decrypter (Remove Only)
DVD Region-Free 3.10
DVD Shrink 3.1.4
dvdSanta 4.00
EPSON Printer Software
EPSON TWAIN 5
Eusing Free Registry Cleaner
eXeem 0.27
File Writer output plugin for WinAMP 2 v1.17© (remove only)
FileZilla (remove only)
FL Studio 5
Foundstone SiteDigger 2.0
Geiss2 for Winamp 2x (remove only)
Global Brute Forcer
GTK+ 2.6.9 runtime environment
HijackThis 1.99.1
HSP56 Modem Drivers
I am There
IconPackager
iMesh
Intel A/V Codecs V2.0
Java 2 Runtime Environment, SE v1.4.2_11
Java Launcher 3.10
Kaspersky Online Scanner
Kazaa Lite Resurrection 0.0.7.6 F
KlipFolio (remove only)
K-Lite Mega Codec Pack 1.02
Launchy 1.0 Beta
LimeWire PRO 4.8.1
Logon Loader 3.0
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Microsoft .NET Framework 1.1
Microsoft Web Embedding Fonts Tool (III)
Mozilla Firefox (1.0.7)
Panda ActiveScan
PCPitstop Panda AntiVirus Scan (remove only)
Philips FunCam
Philips FunCam Photo Manager
PIXresizer 1.0.8
PowerDVD
QuickTime
ROR Sitemap Generator 1.0
SecondLife (remove only)
Security Task Manager 1.7
Shutdown
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
SkinStudio Free
SmartSound Quicktracks Plugin
Soldier of Fortune II - Double Helix GOLD
Spybot - Search & Destroy 1.4
Start Menu Tuner 1.2
Super DVD Creator 8.0
TeamSpeak 2 RC2
TopStyle (Version 3)
Verizon Online DSL
Verizon Online Help & Support
Viewpoint Media Player
VobSub v2.05 (Remove Only)
Winamp (remove only)
WinAVIVideoConverter
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
XAMPP 1.5.5
ZipGenius 6 (6.0.2.1060)
ZoneAlarm

-----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:19:17 AM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8010
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

-----------------------------------------------------------------------------------------------------------------------------

I found and deleted all 8 of those files. It's amazing what turns up when the right sequence of steps is followed. I haven't noticed a difference in performance, yet. I'm still experiencing the symptoms previously listed. :thumbsup:

Edited by lev5c, 17 December 2006 - 01:36 PM.


#10 htv8


  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:48 PM

Posted 17 December 2006 - 04:35 PM

From the way you describe the problems that you are having, it could be that the large number of theme modification applications that are installed and running on your computer is causing them. Theme modification applications can cause display or improper usage problems...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
I see Viewpoint installed. Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. From what we know, this will change in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint.

I suggest removing this program. If you agree, go to Start > Control Panel > Add/Remove Programs and remove the following entry:
Viewpoint Media Player

Step #2
You most likely got infected through file sharing. The following P2P/File Sharing (related) programs are installed on your machine:
µTorrent
Azureus
eXeem 0.27
iMesh
Kazaa Lite Resurrection 0.0.7.6 F
LimeWire PRO 4.8.1


These programs are what we call optional fixes. They are related to peer-to-peer programs. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of P2P application, you are more prone to infection by malware. The choice to remove them is entirely up to you, but I would strongly recommend that you get rid of them by going to Control Panel > Add/Remove Programs. If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #3
Please provide me with some more information about the I am There application that is installed on your computer. I could find no information regarding this application and it makes me suspicious.
Also let me know if you installed the Global Brute Forcer program yourself.

Step #4
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can and does use to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #5
Scan with HijackThis and post a new HijackThis log.

Edited by htv8, 17 December 2006 - 04:37 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#11 htv8


Posted 28 December 2006 - 11:08 AM

Due to the lack of feedback, this topic is closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic. :thumbsup:
