
Errorsafe


  • This topic is locked
30 replies to this topic

#1 Lucidles

Lucidles

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 AM

Posted 16 January 2007 - 08:54 PM

Hi

As you can tell by the title I am infected with Errorsafe. I have had a few goes at getting rid of it but to no avail. Please find my Hijackthis log below. I do so hope you can help. Thank you. :thumbsup:

Les


Logfile of HijackThis v1.99.1
Scan saved at 00:43:48, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeNote\FreeNote.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
C:\Program Files\Record-Anything\RecordAnything.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kas\My Documents\My Received Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Les's Hunt For The Truth - The Nightmare Begins.
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O4 - HKLM\..\Run: [GiGiSrv] C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeNote] C:\Program Files\FreeNote\FreeNote.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XP Tools] C:\Program Files\XP Tools\xptools.exe /min
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: ReminderBuddy.lnk = C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
O4 - Startup: Record-Anything.lnk = C:\Program Files\Record-Anything\RecordAnything.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.winnanny.com
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144064095999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148145794264
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#2 Lucidles

Lucidles
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 AM

Posted 18 January 2007 - 04:39 AM

Hi

I did post a HijackThis log a couple of days ago but I seem to have been missed, as I noticed later posts getting assistance while I still had no reply. I'm sure it was just an oversight. Anyway, my log has changed since then so I thought it better to post the new one. This Errorsafe/WinAntiVirus is driving me nuts. I have run a few tools, VundoFix, various spyware scanners, BitDefender, Windows Malicious etc., as well as my normal scanners, AVG, Spybot and Ad-Aware, all to no avail. I do hope you have some help for me as I am at my wits' end.

Thank you, log below. All the best.

Les

Logfile of HijackThis v1.99.1
Scan saved at 09:25:29, on 18/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeNote\FreeNote.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
C:\Program Files\Record-Anything\RecordAnything.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\FontExpert\FontExpert.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Megaupload\Mega Manager\MegaManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kas\My Documents\My Received Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Les's Hunt For The Truth - The Nightmare Begins.
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [GiGiSrv] C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeNote] C:\Program Files\FreeNote\FreeNote.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XP Tools] C:\Program Files\XP Tools\xptools.exe /min
O4 - Startup: ReminderBuddy.lnk = C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
O4 - Startup: Record-Anything.lnk = C:\Program Files\Record-Anything\RecordAnything.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.winnanny.com
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144064095999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148145794264
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
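Both HijackThis logs above are plain text with one entry per line, each prefixed by a section code (R1, O2, O3, O4, O15, O16, O23 and so on). As an added example, not code from this thread or from HijackThis itself, the following Python parser reads that format and attaches a few review notes a helper would look for: O15 Trusted Zone entries (Internet Explorer applies relaxed security settings to sites in that zone), O16 DPF entries with no file or URL after the dash, entries marked "(file missing)", and O23 services recorded with "Unknown owner". The review heuristics are my own and flag entries for a human to look at; they do not decide that an entry is malicious. SAMPLE_LOG is constructed from lines copied out of the logs above.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://*.winnanny.com
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

# A HijackThis entry is "<section code> - <body>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Return a list of (section_code, body) tuples for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body").strip()))
    return entries


def review_entry(code, body):
    """Return review notes for one entry; an empty list means nothing stood out.

    These heuristics are the example's own (assumption), chosen to match
    patterns visible in the logs in this thread.
    """
    notes = []
    if code == "O15":
        notes.append("Trusted Zone entry: IE applies relaxed security settings to this "
                     "site; confirm it was added on purpose")
    if code == "O16" and body.endswith("-"):
        notes.append("DPF entry with no file or URL: orphaned ActiveX reference")
    if "(file missing)" in body:
        notes.append("Referenced file is missing on disk: stale entry")
    if code == "O23" and "Unknown owner" in body:
        notes.append("Service with no publisher recorded: verify the binary")
    return notes


def review_log(text):
    """Parse a log and return per-section counts plus the list of flagged entries."""
    entries = parse_entries(text)
    counts = Counter(code for code, _ in entries)
    findings = []
    for code, body in entries:
        for note in review_entry(code, body):
            findings.append({"code": code, "entry": body, "note": note})
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    print("Entries per section:", result["counts"])
    for f in result["findings"]:
        print(f"[{f['code']}] {f['note']}\n    {f['entry']}")
```

Running it on a full log saved from HijackThis (read the file and pass its contents to review_log) gives a short list to check by hand instead of scanning two hundred lines; the per-section counts also make it easy to see what changed between two logs posted a day apart, as in this thread.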

#3 Linkmaster

Linkmaster

    HJT Team Member


  • Members
  • 152 posts
  • OFFLINE
  • Gender:Male
  • Location:Arkansas, USA
  • Local time:10:53 PM

Posted 18 January 2007 - 12:21 PM

Hi Lucidles, Welcome to Bleeping Computer !!
Sorry for the delay in reviewing your post.
(I merged your posts as well.)

You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download some programs to aid in our fix: Do Not Run Them Yet

Download ATF (Atribune Temp File) Cleaner© by Atribune

Download ComboFix to your Desktop

Download and Install AVG Anti-Spyware© by Grisoft

Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update AVG Anti-Spyware to the latest definition files.
On the main screen select the icon Update then select the Update now link
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Close AVG Anti-Spyware

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Make sure you have Disconnected from the Internet !

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Double click on combofix.exe
Follow the prompts

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall
When finished, it will produce a log for you

Run AVG Anti-Spyware
Click on Scanner at top
Click on Settings
Once in the Settings screen click on Recommended actions and then select Quarantine
Under Reports, Select Automatically generate report after every scan
Un-Select Only if threats were found
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time
Once the scan is complete do the following :
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware

Reboot to Normal Mode

Run Kaspersky WebScanner
Click on Kaspersky Online Scanner
NOTE For Internet Explorer 7 Users : If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot

Post a fresh HijackThis Log, the ComboFix log, the AVG Anti-Spyware Log, and the Kaspersky Virus Scan Log here
(You may need to use several replies as the logs may be cut off)

Thank you !
Linkmaster
If I can't find it, it doesn't exist !!

UNITE Member

#4 Lucidles

Lucidles
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 AM

Posted 19 January 2007 - 12:54 PM

Hi Linkmaster

Thanks for your reply. I will follow your instructions, although I must admit I've done it all once already, lol. The logs will be out of date anyway as I've tried numerous things to shift this bloody thing. As I say, I will follow your instructions to the letter and will post as soon as done. Once more, thanks a million for replying.

Les

#5 Linkmaster

Linkmaster

    HJT Team Member


  • Members
  • 152 posts
  • OFFLINE
  • Gender:Male
  • Location:Arkansas, USA
  • Local time:10:53 PM

Posted 20 January 2007 - 07:54 AM

OK, no problem ! You are Welcome !
Linkmaster
If I can't find it, it doesn't exist !!

UNITE Member

#6 Lucidles

Lucidles
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 AM

Posted 20 January 2007 - 10:36 AM

Hi Linkmaster

Thanks for your reply. I have done all the scans you asked for. The AVG one I could not for the life of me work out how to save the results as a txt file, so I have taken a screenshot of the results, pic below. All other scans and the HijackThis log follow. I hope you can work it out from them as I have had 6 popups just posting this, grrrr, lol. OK, so here we go....


Posted Image

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 18, 2007 3:11:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/01/2007
Kaspersky Anti-Virus database records: 259325
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 204716
Number of viruses found: 4
Number of infected objects: 11 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:11:53

Infected Object Name / Virus Name / Last Action
C:\Program Files\Yahoo!\Messenger\logs\billing_Kas.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\GIPS.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSIP.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSDP.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\p2pce.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Kas.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Kas.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice.log Object is locked skipped
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\log\log.txt Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5501.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{56EE1B99-E0DF-49BB-8243-C9E9636C2224}.bin Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\Temp\Perflib_Perfdata_9bc.dat Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\History\History.IE5\MSHist012007011820070119\index.dat Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\Temporary Internet Files\Content.IE5\WI4GCO3C\installdrivecleanerstart[1].cab/UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped
C:\Documents and Settings\Kas\Local Settings\Temporary Internet Files\Content.IE5\WI4GCO3C\installdrivecleanerstart[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Kas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar/XP Smoker Pro 5.0/XP Smoker Pro 5.0.exe/Stream/data0040 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar/XP Smoker Pro 5.0/XP Smoker Pro 5.0.exe/Stream Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar/XP Smoker Pro 5.0/XP Smoker Pro 5.0.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar/Morgans.zip/Morgans/Record-Anything™ 2.94 Mini Recorder - recorder mp3 radio stream voice music sound card systray/recordanythingfull.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar/Morgans.zip Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar RAR: infected - 5 skipped
C:\Documents and Settings\Kas\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kas\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kas\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{C8599CFB-5F52-4200-95F0-FB348ADC65B9}\RP351\change.log Object is locked skipped
E:\Record-Anything™ 2.94 Mini Recorder - recorder mp3 radio stream voice music sound card systray\recordanythingfull.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped

Scan process completed.

#7 Lucidles

Lucidles (Topic Starter)

Posted 20 January 2007 - 10:38 AM

"Kas" - 07-01-20 9:32:51 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\Kas\My Documents\My Received Files"

((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))


2007-01-18 17:51 <DIR> d-------- C:\movies
2007-01-18 11:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-01-17 14:22 <DIR> d-------- C:\DOCUME~1\Kas\Application Data\FontExpert
2007-01-17 13:08 <DIR> d-------- C:\Program Files\FontExpert
2007-01-17 09:03 2 --a------ C:\WINDOWS\v10neformatic.sys
2007-01-16 04:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-15 18:15 <DIR> d-------- C:\Program Files\Microangelo Toolset 6
2007-01-15 12:27 53,248 --a------ C:\WINDOWS\system32\dcfft2.dll
2007-01-15 12:27 40,960 --a------ C:\WINDOWS\system32\DolbyHphMM.dll
2007-01-15 12:27 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-01-15 12:26 80,384 --a------ C:\WINDOWS\system32\MMDVDROM.dll
2007-01-15 12:26 7,196 --a------ C:\WINDOWS\system32\drivers\V7.SYS
2007-01-15 12:26 64,000 --a------ C:\WINDOWS\system32\macrovsn.dll
2007-01-15 12:26 4,096 --a------ C:\WINDOWS\system32\getregn.exe
2007-01-15 12:26 207,872 --a------ C:\WINDOWS\system32\DVDRGCTL.dll
2007-01-15 12:26 193,536 --a------ C:\WINDOWS\system32\AllNode.DLL
2007-01-15 12:26 167,936 --a------ C:\WINDOWS\system32\Mmac3.dll
2007-01-15 12:26 <DIR> d-------- C:\Program Files\Mediamatics
2007-01-15 12:25 98,304 --a------ C:\WINDOWS\system32\DMO_SRS_WOWXT.dll
2007-01-15 12:25 84,480 --a------ C:\WINDOWS\system32\MMCapWin.dll
2007-01-15 12:25 584,192 --a------ C:\WINDOWS\system32\AdaptX30.dll
2007-01-15 12:25 46,080 --a------ C:\WINDOWS\system32\ac3encode.dll
2007-01-15 12:25 43,008 --a------ C:\WINDOWS\system32\KillUserBp.dll
2007-01-15 12:25 360,448 --a------ C:\WINDOWS\system32\erdmpg-lo.dll
2007-01-15 12:25 270,336 --a------ C:\WINDOWS\system32\WMVCreator.dll
2007-01-15 12:25 167,936 --a------ C:\WINDOWS\system32\ComCSDecoder.dll
2007-01-15 12:25 147,456 --a------ C:\WINDOWS\system32\AVICreator.dll
2007-01-15 12:25 143,360 --a------ C:\WINDOWS\system32\SpatializerDMO.dll
2007-01-15 12:25 143,360 --a------ C:\WINDOWS\system32\DMO_TSXT.dll
2007-01-15 12:25 143,360 --a------ C:\WINDOWS\system32\ComTruSurroundXT.dll
2007-01-15 12:25 135,168 --a------ C:\WINDOWS\system32\MPEGCreator.dll
2007-01-15 12:25 135,168 --a------ C:\WINDOWS\system32\COM_SRS_WOWXT.dll
2007-01-15 12:25 102,400 --a------ C:\WINDOWS\system32\DMO_CSDecode.dll
2007-01-15 12:25 1,537,536 --a------ C:\WINDOWS\system32\erdmpg-hi.dll
2007-01-15 12:25 <DIR> d-------- C:\Program Files\Orion Studios HD
2007-01-14 11:38 <DIR> d-------- C:\Notepad
2007-01-14 09:59 <DIR> d-------- C:\WINDOWS\Splash Screens
2007-01-14 09:37 <DIR> d-------- C:\!KillBox
2007-01-14 02:05 <DIR> d-------- C:\VundoFix Backups
2007-01-12 12:37 <DIR> d-------- C:\Program Files\ProxyFinderPro
2007-01-12 08:42 <DIR> d-------- C:\Program Files\MAXON
2007-01-12 08:24 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-01-12 08:24 <DIR> d-------- C:\Program Files\MagicDisc
2007-01-12 07:46 <DIR> d-------- C:\Program Files\Gloodle
2007-01-11 15:09 <DIR> d-------- C:\Downloads
2007-01-11 14:40 <DIR> d-------- C:\Program Files\NewzToolz-EZ
2007-01-11 13:56 <DIR> d-------- C:\Program Files\MessengerSkinner
2007-01-11 13:56 <DIR> d-------- C:\DOCUME~1\Kas\Application Data\MessengerSkinner
2007-01-11 13:55 275,968 --a------ C:\WINDOWS\system32\axlbnkxlio.exe
2007-01-10 06:31 897,536 --a------ C:\WINDOWS\wweb32.dll
2007-01-10 06:31 <DIR> d-------- C:\Program Files\WordWeb
2007-01-10 01:07 147,456 --a------ C:\WINDOWS\AVUNTOOL.EXE
2007-01-09 22:28 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-08 00:13 89,088 --a------ C:\WINDOWS\system32\Shreder.dll
2007-01-08 00:13 613,376 --a------ C:\WINDOWS\system32\context.dll
2007-01-08 00:13 6,144 --a------ C:\WINDOWS\system32\SuperRes.dll
2007-01-08 00:13 44,480 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys
2007-01-08 00:13 216,064 --a------ C:\WINDOWS\system32\xtsupermenuHook.dll
2007-01-08 00:13 <DIR> d-------- C:\Program Files\XP Tools
2007-01-07 20:04 53,248 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2007-01-07 20:04 35,490 --a------ C:\WINDOWS\system32\tcpipbak.reg
2007-01-07 20:04 32,768 --a------ C:\WINDOWS\system32\ServiceRepair.exe
2007-01-07 20:04 2,039,007 --a------ C:\WINDOWS\system32\ie-ads-uninst.reg
2007-01-07 20:04 114,071 --a------ C:\WINDOWS\system32\adult-uninst.reg
2007-01-07 20:04 <DIR> d-------- C:\Program Files\XP Smoker
2007-01-07 18:05 <DIR> d-------- C:\Program Files\Mgtweak
2007-01-02 08:36 <DIR> d-------- C:\ic_temp
2007-01-01 09:44 6,144 -ra------ C:\WINDOWS\system32\kbdinpun.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdvntc.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdurdu.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdsyr2.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdsyr1.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdintel.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdintam.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdinmar.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdinkan.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdinhin.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdinguj.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdindev.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdheb.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbdfa.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbddiv2.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbddiv1.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbda3.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbda2.dll
2007-01-01 09:44 5,632 -ra------ C:\WINDOWS\system32\kbda1.dll
2007-01-01 09:44 5,632 --a------ C:\WINDOWS\system32\kbdusa.dll
2007-01-01 09:44 5,120 -ra------ C:\WINDOWS\system32\kbdgeo.dll
2007-01-01 09:44 5,120 -ra------ C:\WINDOWS\system32\kbdarmw.dll
2007-01-01 09:44 5,120 -ra------ C:\WINDOWS\system32\kbdarme.dll
2007-01-01 09:44 185,344 --a------ C:\WINDOWS\system32\Thawbrkr.dll
2007-01-01 09:44 10,752 --a------ C:\WINDOWS\system32\c_iscii.dll
2007-01-01 09:43 6,144 -ra------ C:\WINDOWS\system32\kbdth3.dll
2007-01-01 09:43 6,144 -ra------ C:\WINDOWS\system32\kbdth2.dll
2007-01-01 09:43 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
2007-01-01 09:43 5,632 -ra------ C:\WINDOWS\system32\kbdth1.dll
2007-01-01 09:43 5,632 -ra------ C:\WINDOWS\system32\kbdth0.dll
2006-12-31 04:40 <DIR> d-------- C:\Program Files\SiSoftware
2006-12-29 22:51 <DIR> d-------- C:\WINDOWS\system32\Quicktime
2006-12-29 17:29 <DIR> d-------- C:\Program Files\NewsBin
2006-12-29 17:29 <DIR> d-------- C:\DOCUME~1\Kas\Application Data\Newsbin
2006-12-28 15:19 <DIR> d-------- C:\Program Files\Common Files\Xara
2006-12-27 15:15 <DIR> d-------- C:\Program Files\AviSynth 2.5
2006-12-27 15:10 <DIR> d-------- C:\Program Files\Real Alternative
2006-12-27 15:10 <DIR> d-------- C:\Program Files\Media Player Classic
2006-12-27 15:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Real
2006-12-25 22:10 <DIR> d-------- C:\DOCUME~1\Kas\Application Data\Real
2006-12-25 11:39 77,824 --a------ C:\WINDOWS\system32\nmapwin.exe
2006-12-25 11:39 561,179 --a------ C:\WINDOWS\system32\dao360.dll
2006-12-25 11:39 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2006-12-25 11:39 452,096 --a------ C:\WINDOWS\system32\nmap.exe
2006-12-25 11:39 299,008 --a------ C:\WINDOWS\system32\MSDBRPTR.DLL
2006-12-25 11:39 290,816 --a------ C:\WINDOWS\system32\nmapserv.exe
2006-12-25 11:39 192 --a------ C:\WINDOWS\system32\nmap_performance.reg
2006-12-25 11:39 137,216 --a------ C:\WINDOWS\system32\MSDERUN.DLL
2006-12-25 11:39 114,688 --a------ C:\WINDOWS\system32\CCGNU32.dll
2006-12-25 11:39 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-12-25 11:39 <DIR> d-------- C:\Program Files\Net Tools
2006-12-24 21:04 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-12-23 23:46 2 --a------ C:\WINDOWS\v10neformatic.dll
2006-12-23 23:45 <DIR> d-------- C:\Program Files\Pic2Ico
2006-12-20 10:48 <DIR> d-------- C:\DOCUME~1\Kas\Shared
2006-12-20 10:29 <DIR> d-------- C:\DOCUME~1\Kas\Application Data\MP3Rocket
2006-12-20 03:54 <DIR> d-------- C:\Program Files\FoxyTunes
2006-12-20 03:54 <DIR> d-------- C:\DOCUME~1\Kas\Application Data\FoxyTunes
2006-12-20 00:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-20 00:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-20 09:21 651 --a------ C:\DOCUME~1\Kas\Application Data\atomicalarmclock.ini
2007-01-20 09:00 510 --a------ C:\DOCUME~1\Kas\Application Data\alarms.ini
2007-01-20 02:26 8422 --a------ C:\DOCUME~1\Kas\Application Data\freenote.ini
2007-01-11 15:09 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2006-12-26 00:12 377 --a------ C:\Program Files\shortcut to cucusoft.lnk
2006-12-20 03:54 32 --a------ C:\DOCUME~1\Kas\Application Data\settings.ini
2006-12-18 07:08 -------- d-------- C:\Program Files\dna
2006-12-17 07:53 -------- d-------- C:\Program Files\zzz technologies
2006-12-17 04:58 -------- d-------- C:\Program Files\riva
2006-12-16 09:14 -------- d-------- C:\Program Files\pinnacle
2006-12-15 20:50 -------- d-------- C:\Program Files\Common Files\swf studio
2006-12-15 18:11 -------- d-------- C:\Program Files\flvplayer
2006-12-15 09:42 -------- d-------- C:\Program Files\belltech label maker
2006-12-14 06:03 34 --a------ C:\DOCUME~1\Kas\Application Data\pcouffin.log
2006-12-14 06:02 87608 --a------ C:\DOCUME~1\Kas\Application Data\ezpinst.exe
2006-12-14 06:02 7824 --a------ C:\DOCUME~1\Kas\Application Data\pcouffin.cat
2006-12-14 06:02 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2006-12-14 06:02 47360 --a------ C:\DOCUME~1\Kas\Application Data\pcouffin.sys
2006-12-14 06:02 1144 --a------ C:\DOCUME~1\Kas\Application Data\pcouffin.inf
2006-12-14 06:02 -------- d-------- C:\DOCUME~1\Kas\Application Data\vso
2006-12-13 21:16 -------- d-------- C:\Program Files\photofiltre
2006-12-12 23:17 49152 --a------ C:\WINDOWS\system32\registrationlib193.dll
2006-12-10 01:05 -------- d-------- C:\Program Files\allume systems
2006-12-07 11:42 -------- d-------- C:\Program Files\Common Files\macromedia shared
2006-12-05 06:35 8 -r-hs---- C:\WINDOWS\system32\fgxp8.dll
2006-12-01 13:18 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-01 13:08 -------- d-------- C:\Program Files\dart karaoke studio cdg
2006-11-29 18:32 -------- d-------- C:\Program Files\animated gif producer 3.1 trial
2006-11-27 07:05 -------- d-------- C:\Program Files\windows media components
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SkinClock"="C:\\Program Files\\Atomic Alarm Clock\\AtomicAlarmClock.exe"
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FreeNote"="C:\\Program Files\\FreeNote\\FreeNote.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"XP Tools"="C:\\Program Files\\XP Tools\\xptools.exe /min"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"GiGiSrv"="C:\\WINDOWS\\Twain_32\\MiniCam\\GiGiSrv.exe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SCDEmuApp.exe"="C:\\Program Files\\PowerISO\\SCDEmuApp.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\BTBROA~2\\HELP\\SMARTB~1\\BTHelpNotifier.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"axlbnkxlio"="c:\\windows\\system32\\axlbnkxlio.exe axlbnkxlio"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{40847941-2F5E-4BEB-802C-74849B8BA2E4}"="ahdp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/DOCUMENTS AND SETTINGS/KAS/MY DOCUMENTS/My Pictures/fish.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-20 9:37:22
C:\ComboFix2.txt ... 07-01-14 10:12

#8 Lucidles

Lucidles (Topic Starter)

Posted 20 January 2007 - 10:39 AM

Logfile of HijackThis v1.99.1
Scan saved at 15:23:59, on 20/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeNote\FreeNote.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\XP Tools\xptools.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
C:\Program Files\Record-Anything\RecordAnything.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Kas\My Documents\My Received Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Les's Hunt For The Truth - The Nightmare Begins.
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O4 - HKLM\..\Run: [GiGiSrv] C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeNote] C:\Program Files\FreeNote\FreeNote.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XP Tools] C:\Program Files\XP Tools\xptools.exe /min
O4 - Startup: ReminderBuddy.lnk = C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
O4 - Startup: Record-Anything.lnk = C:\Program Files\Record-Anything\RecordAnything.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.winnanny.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144064095999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148145794264
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#9 Lucidles

Lucidles (Topic Starter)

Posted 20 January 2007 - 10:41 AM

Ok that's it. Thanks for all your help on this. I'm at my wits end and can't wait to get rid of the bloody thing. I wish you well.

All the best

Les

#10 Linkmaster

Linkmaster (HJT Team Member)

Posted 20 January 2007 - 02:55 PM

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here:

Clean/Infected P2P Programs

Go to Start, Control Panel, Add/Remove Programs and uninstall the following (if present):

XP Smoker Pro 5.0
Record-Anything™ 2.94 Mini Recorder
NewzToolz-EZ
Mgtweak

(these are cracked versions and could be contributing to your problem)

Do Not reboot if it asks

When finished uninstalling close Control Panel

Open Windows Explorer, locate and delete the following folders or files (if present):

C:\Program Files\NewzToolz-EZ
C:\WINDOWS\system32\adult-uninst.reg
C:\Program Files\XP Smoker
C:\Program Files\Mgtweak
C:\Documents and Settings\Kas\My Documents\My Received Files\Scrap.rar

Empty your Recycle Bin

Run HijackThis.
Scan and when it finishes, put a check mark only next to the following items (if present):

O15 - Trusted Zone: http://*.winnanny.com

Close all browsers and any open windows, making sure that only HijackThis is open.
Click Fix Checked.
Close HijackThis.

Right click on DelDomains by WinHelp2002.
Select Save target as (IE) or Save Link as (Firefox).
Save it to your desktop.
Right click on DelDomains.inf and select Install (no need to restart).

Post a fresh HijackThis log here and let me know how your system is running now.
Linkmaster
If I can't find it, it doesn't exist !!

UNITE Member
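HijackThis logs like the ones in this thread are triaged line by line. As an added example (not from the thread, its participants or the HijackThis project), the parser below takes constructed sample lines modelled on this log, keeps the R/O entry lines, pulls out any CLSID, and groups the entries a reviewer checks first: O15 Trusted Zone hosts (the kind of line fixed in the post above), "(file missing)" references, and O23 services with no recorded publisher.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the HijackThis v1.99.1 lines quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://*.winnanny.com
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

# "O15 - Trusted Zone: ...", "R1 - HKLM\...": section code, " - ", then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class Entry:
    code: str                 # HijackThis section, e.g. "O15"
    body: str                 # everything after "O15 - "
    clsid: Optional[str]      # first {GUID} in the line, if any
    file_missing: bool        # HJT appends "(file missing)" to dangling references

def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R/F/N/O entry lines; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        cl = CLSID_RE.search(body)
        entries.append(Entry(code, body, cl.group(0) if cl else None,
                             body.endswith("(file missing)")))
    return entries

def review(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group the entries a log reviewer looks at first."""
    findings: Dict[str, List[str]] = {"trusted_zone": [], "file_missing": [], "unknown_owner": []}
    for e in entries:
        if e.code == "O15" and e.body.startswith("Trusted Zone:"):
            # A Trusted Zone entry hands that host IE's most permissive settings;
            # the fix step in this thread removes exactly such a line.
            findings["trusted_zone"].append(e.body.split(":", 1)[1].strip())
        if e.file_missing:
            findings["file_missing"].append(f"{e.code} - {e.body}")
        if e.code == "O23" and " - Unknown owner - " in e.body:
            # No publisher recorded for the service binary: worth verifying by hand.
            findings["unknown_owner"].append(e.body.rsplit(" - ", 1)[1])
    return findings

if __name__ == "__main__":
    for kind, items in review(parse_hjt(SAMPLE_LOG)).items():
        print(kind, items)
```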

#11 Lucidles

Lucidles
  • Topic Starter

  • Members
  • 20 posts

Posted 21 January 2007 - 07:32 AM

Hi Linkmaster

Yes, I realise it was probably one of the ones you pointed out. I usually avoid anything with an exe file, but I'm a sucker for utilities. The stupid thing is most of them never make the grade and I uninstall them. Rest assured I'll count this as a lesson. Thanks a lot, and I'll go do what you've said.

All the best

Les

#12 Linkmaster

Linkmaster

    HJT Team Member


  • Members
  • 152 posts
  • Gender:Male
  • Location:Arkansas, USA

Posted 21 January 2007 - 07:35 AM

Let me know how your system is.
Linkmaster
If I can't find it, it doesn't exist !!

UNITE Member

#13 Lucidles

Lucidles
  • Topic Starter

  • Members
  • 20 posts

Posted 23 January 2007 - 11:50 AM

:thumbsup: No go, I'm afraid, Linkmaster. I've still got Drivecleaner, winantivirus, and others trying to install, plus multiple popups for products. No porn sites, I'm glad to say. Up to now, that is, touch wood. I have followed your instructions and the new log is below. I much appreciate the time you are spending on this. My stupidity doesn't deserve such kindness. Thank you.

Les


Logfile of HijackThis v1.99.1
Scan saved at 15:51:49, on 23/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeNote\FreeNote.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Documents and Settings\Kas\My Documents\My Received Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Les's Hunt For The Truth - The Nightmare Begins.
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O4 - HKLM\..\Run: [GiGiSrv] C:\WINDOWS\Twain_32\MiniCam\GiGiSrv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeNote] C:\Program Files\FreeNote\FreeNote.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XP Tools] C:\Program Files\XP Tools\xptools.exe /min
O4 - Startup: ReminderBuddy.lnk = C:\Program Files\Breit Technologies\Reminder Buddy\ReminderBuddy.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144064095999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148145794264
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#14 Linkmaster

Linkmaster

    HJT Team Member


  • Members
  • 152 posts
  • Gender:Male
  • Location:Arkansas, USA

Posted 23 January 2007 - 12:05 PM

No problem !!

OK, let's try a couple of things here:

Download VundoFix.exe by Atribune to your desktop.

Download SmitfraudFix by S!Ri to your Desktop.

Double-click smitfraudfix.exe.
Select option #1 - Search by typing 1 and press Enter.
IMPORTANT: DO NOT run any other options until you are asked to do so!
This program will scan a large number of files on your computer for known patterns, so please be patient while it works.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you.

When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Run VundoFix
Double-click VundoFix.exe.
Click the Scan for Vundo button.
When it finishes scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to "remove the files"; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
The .txt file will be in C:\Vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post a fresh HijackThis log, the contents of the rapport.txt file and the vundofix.txt file here.
Linkmaster
If I can't find it, it doesn't exist !!

UNITE Member

#15 Lucidles

Lucidles
  • Topic Starter

  • Members
  • 20 posts

Posted 24 January 2007 - 02:11 AM

Hi Linkmaster

OK, I have run the programs stated. I hope I have done things right, as when I ran SmitfraudFix it only took a matter of seconds to run before producing the text file. I did run it twice to make sure, but the same result I'm afraid. :thumbsup: Now Vundo did take a while, so maybe I got it mixed up. Thanks anyway. I will put the SmitFraud log here and post the others in the following replies. I hope it tells you something; it means nothing to me, lol. I'm sure it will. Once again thanks for all your help.

Les

SmitFraudFix v2.133

Scan done at 6:22:15.01, 24/01/2007
Run from C:\Documents and Settings\Kas\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kas


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kas\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KAS\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUMENTS AND SETTINGS/KAS/MY DOCUMENTS/My Pictures/fish.jpg"
"SubscribedURL"="file:///C:/DOCUMENTS AND SETTINGS/KAS/MY DOCUMENTS/My Pictures/fish.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
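In the rapport.txt above both the AppInit_DLLs value and the Winlogon System value are empty, which is what a reviewer checks in those two sections. As an added example, not part of the thread or of SmitfraudFix itself, the parser below splits a constructed report in the same layout into its »»» sections, reads the .reg-style values, and flags either load point when it is not empty; the DLL path in the sample is a made-up placeholder so the check has something to report.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the SmitfraudFix rapport.txt quoted in this thread;
# the AppInit_DLLs path is a made-up placeholder so that the check has something to flag.
SAMPLE_RAPPORT = r"""
SmitFraudFix v2.133
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\placeholder_example.dll"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»+\s+(.*)$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(dword:[0-9A-Fa-f]{8}))$')

def split_sections(text: str) -> Dict[str, List[str]]:
    """Map each »»» heading to the non-blank lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def reg_values(lines: List[str]) -> Dict[str, str]:
    """Flatten the "Name"="string" / "Name"=dword:xxxxxxxx lines of one section into a dict."""
    values = {}
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return values

def check_rapport(text: str) -> List[str]:
    """Flag the two load points SmitfraudFix reports that are normally empty: AppInit_DLLs
    (each DLL listed is loaded into every process that maps user32.dll) and Winlogon's System value."""
    sections = split_sections(text)
    problems = []
    appinit = reg_values(sections.get("AppInit_DLLs", [])).get("AppInit_DLLs", "")
    if appinit:
        problems.append(f"AppInit_DLLs is not empty: {appinit}")
    system = reg_values(sections.get("Winlogon.System", [])).get("System", "")
    if system:
        problems.append(f"Winlogon System value is not empty: {system}")
    return problems
```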




