Toolbar 888

#1 Alya

Posted 24 January 2007 - 01:11 AM

Hey,

I have quite a few viruses on my computer and I have no idea how to get rid of them; I think the main one is Toolbar 888. I'll post a HijackThis log at the end of my post for anyone who can give me a hand. Thanks.
-Alya




Logfile of HijackThis v1.99.1
Scan saved at 5:04:10 PM, on 24/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Vet\ISafe.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Vet\CAVRID.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {80C4441B-7735-055D-A062-AB06B667F788} - C:\DOCUME~1\Sarah\APPLIC~1\ADMINH~1\Inter Ball.exe (file missing)
O2 - BHO: (no name) - {FF5AE159-A7A9-4587-9033-AF1000A85F42} - C:\WINDOWS\system32\ddccd.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [3F6A5C59] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\Run: [MicrosoftOEM] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [joplioqnotvat] C:\WINDOWS\System32\figpadj.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [243F0B97] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER] msmmsgr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlanDefault] C:\DOCUME~1\Sarah\APPLIC~1\TRANSR~1\uploadtick.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140744283656
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CC61A39-2B81-496B-B301-14BC2F6C222B}: NameServer = 203.49.70.20 139.134.2.190
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddccd - C:\WINDOWS\system32\ddccd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
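As an added example (not part of the original thread), the following Python script applies a few defender-side triage heuristics to O2/O4/O20 lines copied from the HijackThis log above: orphaned "(file missing)" entries, hex-only value names, bare filenames with no directory, lookalikes of Windows process names (smrss.exe vs smss.exe, msmmsgr.exe vs msnmsgr.exe) and random-looking System32 filenames. The heuristics and the WINDOWS_NAMES list are this example's own assumptions, not HijackThis logic.

```python
import re

# Constructed sample: O2/O4/O20 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FF5AE159-A7A9-4587-9033-AF1000A85F42} - C:\WINDOWS\system32\ddccd.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [3F6A5C59] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\Run: [MicrosoftOEM] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [243F0B97] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER] msmmsgr.exe
O20 - Winlogon Notify: ddccd - C:\WINDOWS\system32\ddccd.dll (file missing)
"""

# O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A full drive-letter path ending in .exe/.dll anywhere in the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.I)
# A command that is only a filename (the loader finds it via the PATH search order).
BARE_RE = re.compile(r'^"?([\w.-]+\.(?:exe|dll))\b', re.I)
HEX_RE = re.compile(r"[0-9A-Fa-f]{6,}")

# Assumed allowlist of genuine names that malware likes to imitate (example's own list).
WINDOWS_NAMES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "explorer.exe", "spoolsv.exe", "msmsgs.exe", "msnmsgr.exe")


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(line):
    """Return the .exe/.dll path named in a HijackThis line, the bare filename
    when the entry carries no directory, or None if nothing is found."""
    m = PATH_RE.search(line)
    if m:
        return m.group(0)
    m = O4_RE.match(line)
    if m:
        b = BARE_RE.match(m.group("cmd"))
        if b:
            return b.group(1)
    return None


def triage_line(line):
    """Return a list of human-readable reasons why this line deserves a look."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("registered file is missing (orphaned load point)")
    m = O4_RE.match(line)
    if m:
        if HEX_RE.fullmatch(m.group("name")):
            reasons.append("hex-only value name")
        if m.group("key").lower().startswith("runservices"):
            reasons.append("RunServices key (Windows 9x-era; rarely used by legitimate XP software)")
    path = image_path(line)
    if path is None:
        return reasons
    if "\\" not in path:
        reasons.append("bare filename, actual location cannot be verified from the log")
    base = path.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    if base not in WINDOWS_NAMES:
        for known in WINDOWS_NAMES:
            if edit_distance(base, known) == 1:
                reasons.append(f"lookalike of Windows process name {known}")
                break
    # Long all-letter names with almost no vowels are typical of generated filenames.
    if stem.isalpha() and len(stem) >= 8:
        vowels = sum(c in "aeiou" for c in stem)
        if vowels / len(stem) < 0.25:
            reasons.append("random-looking filename (low vowel ratio)")
    return reasons


def triage(log_text):
    """Map each suspicious log line to its list of reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

The heuristics only prioritise lines for a human reviewer; a clean result says nothing about a file's contents, which still need a scan or a hash lookup.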


#2 MFDnSC

Posted 24 January 2007 - 10:21 AM

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
=========================

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
==================

Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.
Please paste that information here for me with a new HijackThis log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Alya

Posted 25 January 2007 - 10:40 PM

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.3

Scan started at 6:55:22 PM 25/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddccd.dll

Beginning removal...

Performing Repairs to the registry.
Done!





"Sarah" - 07-01-26 11:58:23 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Sarah\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\INSTALL.LOG
C:\DOCUME~1\SARAH\Application Data\SearchToolbarCorp
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 ))))))))))))))))))))))))))))))))))


2007-01-23 13:05 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-01-23 13:04 <DIR> d-------- C:\Program Files\World of Warcraft
2007-01-22 18:00 <DIR> d-------- C:\Program Files\Firaxis Games
2007-01-22 17:52 <DIR> d-------- C:\Program Files\Maxis
2007-01-22 14:52 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\ArcSoft
2007-01-22 12:21 <DIR> d-------- C:\Program Files\QuickTime
2007-01-22 11:54 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-01-22 11:54 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-01-22 11:54 <DIR> d-------- C:\Program Files\SanDisk
2007-01-22 11:54 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-01-12 15:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-12 15:11 <DIR> d-------- C:\Program Files\Grisoft
2007-01-11 14:08 <DIR> d-------- C:\VundoFix Backups
2007-01-11 14:00 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-10 16:15 <DIR> d-------- C:\Program Files\XoftSpySE
2007-01-10 15:10 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Google
2007-01-08 21:38 <DIR> d-------- C:\Program Files\Google
2007-01-08 21:38 <DIR> d-------- C:\DOCUME~1\USER\Application Data\Google
2007-01-08 21:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2006-12-29 18:23 <DIR> d-------- C:\Program Files\WorldPokerTour
2006-12-29 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\WorldPokerTour
2006-12-26 10:18 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.75


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-26 08:46 753 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-01-23 13:22 75280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-01-23 13:22 32528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-01-23 13:22 26640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-01-23 13:22 21648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-01-23 13:22 21392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-12-18 14:14 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-18 14:03 -------- d-------- C:\Program Files\activision
2006-12-17 15:18 -------- d-------- C:\Program Files\enigma software group
2006-12-14 10:30 -------- d-------- C:\Program Files\freshdevices
2006-12-11 22:08 126996 --a------ C:\WINDOWS\system32\xelitllg.dll
2006-12-08 18:19 126996 --a------ C:\WINDOWS\system32\mnhfqqld.dll
2006-12-07 16:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-04 21:09 126996 --a------ C:\WINDOWS\system32\emipuasb.dll
2006-12-04 14:43 629216 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2006-12-04 14:43 108544 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2006-12-04 14:42 95760 --a------ C:\WINDOWS\system32\isafeif.dll
2006-12-02 21:33 126996 --a------ C:\WINDOWS\system32\ynpcrfiy.dll
2006-12-02 21:31 88340 --a------ C:\WINDOWS\system32\snoywfrs.exe
2006-11-29 13:59 88340 --a------ C:\WINDOWS\system32\dangfclg.exe
2006-11-27 19:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-26 19:59 126996 --a------ C:\WINDOWS\system32\aoxecqix.dll
2006-11-24 18:33 38420 --a------ C:\WINDOWS\system32\tnjfutrk.dll
2006-11-22 09:26 126996 --a------ C:\WINDOWS\system32\kupbfnyt.dll
2006-11-19 19:58 126996 --a------ C:\WINDOWS\system32\pvbxkmja.dll
2006-11-19 09:07 126996 --a------ C:\WINDOWS\system32\kdiijxif.dll
2006-11-13 09:52 110612 --a------ C:\WINDOWS\system32\rvljjjyx.exe
2006-11-12 09:32 110612 --a------ C:\WINDOWS\system32\qifpochi.exe
2006-11-10 20:57 110612 --a------ C:\WINDOWS\system32\irwhcpmj.exe
2006-11-09 20:57 110612 --a------ C:\WINDOWS\system32\iqsanngk.exe
2006-11-08 20:56 110612 --a------ C:\WINDOWS\system32\hevayogf.exe
2006-11-08 16:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 19:49 110612 --a------ C:\WINDOWS\system32\jedlrgnv.exe
2006-11-06 19:48 110612 --a------ C:\WINDOWS\system32\qmuabbrl.exe
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 19:03 110612 --a------ C:\WINDOWS\system32\lwxyajpx.exe
2006-11-02 17:05 110612 --a------ C:\WINDOWS\system32\isvtydjh.exe
2006-10-31 09:48 110612 --a------ C:\WINDOWS\system32\jsbdfwnh.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PlanDefault"="C:\\DOCUME~1\\Sarah\\APPLIC~1\\TRANSR~1\\uploadtick.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\WINDOWS\\system32\\Macromed\\Flash\\GetFlash.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"EM_EXEC"="C:\\PROGRA~1\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"DevconDefaultDB"="C:\\WINDOWS\\READREG /PSCONV={NO}"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"rb32 ml710e"="\"C:\\Program Files\\RapidBlaster\\rb32.exe\""
"3F6A5C59"="C:\\WINDOWS\\System32\\kqvucmbirhkcd.exe"
"MicrosoftOEM"="C:\\WINDOWS\\System32\\smrss.exe"
"Microsoft Config 32bit"="mscnfg32.exe"
"joplioqnotvat"="C:\\WINDOWS\\System32\\figpadj.exe"
"BlockChecker"="C:\\Program Files\\Block Checker\\block-checker.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Vet\\CAVRID.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"243F0B97"="C:\\WINDOWS\\System32\\kqvucmbirhkcd.exe"
"Microsoft Config 32bit"="mscnfg32.exe"
"MSN MESSENGER"="msmmsgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{fe288882-f661-4522-88f3-20cfb7866fa4}"="gutturalness"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Microsoft Config 32bit"="mscnfg32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Microsoft Config 32bit"="mscnfg32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ISHOST.EXE"="ISHOST.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AC9D20D09192D330.job
C:\WINDOWS\tasks\AC57137491888614.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-26 12:05:09




SUPERAntiSpyware Scan Log
Generated 01/26/2007 at 02:15 PM

Application Version : 3.5.1016

Core Rules Database Version : 3173
Trace Rules Database Version: 1183

Scan type : Complete Scan
Total Scan Time : 00:58:20

Memory items scanned : 387
Memory threats detected : 0
Registry items scanned : 5559
Registry threats detected : 50
File items scanned : 55245
File threats detected : 50

Adware.Tracking Cookie
C:\Documents and Settings\Sarah\Cookies\sarah@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@mb[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@sixapart.adbureau[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@www.ez-tracks[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@cgi-bin[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@ads.pointroll[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@burstnet[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@www.scripttrack433[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@revsci[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@www.belstat[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@ez-tracks[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@bs.serving-sys[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@serving-sys[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@ad.yieldmanager[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@adbrite[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@www.burstnet[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@eztracks.aavalue[1].txt
C:\Documents and Settings\USER\Cookies\user@ad.yieldmanager[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}
HKCR\CLSID\{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}\InprocServer32
HKCR\CLSID\{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}\InprocServer32#ThreadingModel

Adware.WhenU
HKCR\ACM.ACMFactory
HKCR\ACM.ACMFactory\CLSID
HKCR\ACM.ACMFactory\CurVer
HKCR\ACM.ACMFactory.1
HKCR\ACM.ACMFactory.1\CLSID
HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid
HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid32
HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib
HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib#Version
HKCR\AppId\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}#AppID
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}\InprocServer32
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}\InprocServer32#ThreadingModel
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}\ProgID
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}\Programmable
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}\TypeLib
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}\VersionIndependentProgID
HKCR\AppId\ACM.DLL
HKCR\AppId\ACM.DLL#AppID
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\0
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\0\win32
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\FLAGS
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\HELPDIR
HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid
HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid32
HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib
HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib#Version
HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid
HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid32
HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib
HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib#Version
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP731\A0247368.EXE

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Adware.IST/YourSiteBar
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf

Malware.Notifier
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#ishost.exe [ ISHOST.EXE ]

Adware.VSToolbar
HKU\S-1-5-21-2154702590-2346120412-2020711486-1023\Software\Search Toolbar Corp

Trojan.Downloader-SpyTool
C:\WINDOWS\SYSTEM32\KDIIJXIF.DLL
C:\WINDOWS\SYSTEM32\PVBXKMJA.DLL
C:\WINDOWS\SYSTEM32\KUPBFNYT.DLL
C:\WINDOWS\SYSTEM32\AOXECQIX.DLL
C:\WINDOWS\SYSTEM32\MNHFQQLD.DLL
C:\WINDOWS\SYSTEM32\YNPCRFIY.DLL
C:\WINDOWS\SYSTEM32\EMIPUASB.DLL
C:\WINDOWS\SYSTEM32\XELITLLG.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP717\A0242754.DLL

Trojan.Downloader-WNA
C:\WINDOWS\SYSTEM32\TNJFUTRK.DLL

Trojan.Downloader-VSAddIn
C:\WINDOWS\SYSTEM32\JSBDFWNH.EXE
C:\WINDOWS\SYSTEM32\QIFPOCHI.EXE
C:\WINDOWS\SYSTEM32\ISVTYDJH.EXE
C:\WINDOWS\SYSTEM32\LWXYAJPX.EXE
C:\WINDOWS\SYSTEM32\QMUABBRL.EXE
C:\WINDOWS\SYSTEM32\HEVAYOGF.EXE
C:\WINDOWS\SYSTEM32\JEDLRGNV.EXE
C:\WINDOWS\SYSTEM32\RVLJJJYX.EXE
C:\WINDOWS\SYSTEM32\IQSANNGK.EXE
C:\WINDOWS\SYSTEM32\IRWHCPMJ.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP717\A0242753.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP717\A0242776.EXE

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\DALE\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Flx/Conhook
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP717\A0242791.DLL


Thanks for your help so far :thumbsup:

#4 Daemon

Posted 26 January 2007 - 11:43 AM

Could you post a new HijackThis log and I'll help you from here on.

#5 Alya

Posted 26 January 2007 - 04:32 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:30:05 AM, on 27/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Vet\ISafe.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Vet\CAVRID.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [3F6A5C59] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\Run: [MicrosoftOEM] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [joplioqnotvat] C:\WINDOWS\System32\figpadj.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [243F0B97] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER] msmmsgr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlanDefault] C:\DOCUME~1\Sarah\APPLIC~1\TRANSR~1\uploadtick.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140744283656
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CC61A39-2B81-496B-B301-14BC2F6C222B}: NameServer = 203.49.70.20 139.134.2.190
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#6 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 27 January 2007 - 03:43 AM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [MicrosoftOEM] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [joplioqnotvat] C:\WINDOWS\System32\figpadj.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\RunServices: [243F0B97] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER] msmmsgr.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -


Exit HijackThis when done. Reboot. Using Windows Explorer, find and delete the following:

C:\Program Files\RapidBlaster <-- folder
C:\WINDOWS\System32\smrss.exe
C:\WINDOWS\System32\figpadj.exe
C:\Program Files\Block Checker <-- folder
C:\WINDOWS\System32\kqvucmbirhkcd.exe

Exit Explorer. Click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report along with a new HijackThis Log in your next reply.
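
A triage script for the kind of log posted above, added here as an example: it is not HijackThis code and not the helper's own method. It scores each O4 (autostart) and CLSID-style O16 (ActiveX download) line on a handful of signals that a practitioner reads off such a log by eye: the RunServices key, a file name one character away from a real system process (smrss.exe, msmmsgr.exe), a bare file name resolved through PATH, a hex blob or a long random-looking token as the value name, a "Microsoft" value name pointing at an unknown binary, and an O16 entry with no download URL. The signals, their weights, the threshold, the KNOWN_SYSTEM list and the two names in KNOWN_UNWANTED are my assumptions, tuned on the log in post #5; the sample is a constructed subset of that log's lines.

```python
"""Triage O4 (autostart) and O16 (ActiveX) lines of a HijackThis 1.99.1 log.
Added example for this thread, not HijackThis code and not the helper's method;
signals and weights are assumptions tuned on the log in post #5."""
import re

# Process names malware imitates with a one-character change (assumed list,
# built from the legitimate process names visible in the posted log).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "msmsgs.exe", "msnmsgr.exe", "wuauclt.exe"}
# Names the helper called unwanted in this thread; real triage needs a database here.
KNOWN_UNWANTED = {"rapidblaster", "block checker"}

# Constructed sample: a subset of the O4 and O16 lines from the log in post #5.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [3F6A5C59] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\Run: [MicrosoftOEM] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [joplioqnotvat] C:\WINDOWS\System32\figpadj.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [243F0B97] C:\WINDOWS\System32\kqvucmbirhkcd.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER] msmmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlanDefault] C:\DOCUME~1\Sarah\APPLIC~1\TRANSR~1\uploadtick.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - ?(?P<url>.*)$")
EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)\b', re.IGNORECASE)


def levenshtein(a, b):
    """Plain edit distance between two short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable(cmd):
    """Program part of an O4 command: the quoted path, else up to the first .exe."""
    m = EXE_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]


def score_line(line):
    """(score, reasons) for an O4 or CLSID-style O16 line; None for anything else."""
    reasons = []
    m = O16_RE.match(line)
    if m:
        if not m["url"].strip():
            reasons.append(("O16 ActiveX entry with no download URL", 2))
        return sum(w for _, w in reasons), [r for r, _ in reasons]
    m = O4_RE.match(line)
    if not m:
        return None
    name, key, cmd = m["name"], m["key"], m["cmd"]
    path = executable(cmd)
    base = path.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    if key.lower() == "runservices":
        reasons.append(("RunServices key (Windows 9x only; XP ignores it, malware uses it anyway)", 2))
    if base not in KNOWN_SYSTEM and any(levenshtein(base, k) == 1 for k in KNOWN_SYSTEM):
        reasons.append((f"one edit away from a system process name: {base}", 3))
    if "\\" not in path:
        reasons.append(("bare file name, located via PATH", 1))
    if re.fullmatch(r"[0-9A-Fa-f]{8}", name):
        reasons.append(("hex blob as value name", 2))
    if re.fullmatch(r"[a-z]{8,}", stem) and re.search(r"[^aeiou]{5}", stem):
        reasons.append((f"machine-generated looking file name: {base}", 2))
    if "microsoft" in name.lower() and base not in KNOWN_SYSTEM:
        reasons.append(("value name claims Microsoft, binary is not a known one", 2))
    if re.fullmatch(r"[a-z]{10,}", name):
        reasons.append(("long lowercase random-looking value name", 2))
    if any(k in cmd.lower() for k in KNOWN_UNWANTED):
        reasons.append(("name the helper identified as unwanted", 3))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(log_text, threshold=2):
    """Lines scoring at or above threshold, as (line, score, reasons) tuples."""
    scored = [(ln.strip(), score_line(ln.strip())) for ln in log_text.splitlines()]
    return [(ln, r[0], r[1]) for ln, r in scored if r and r[0] >= threshold]


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

On the sample it raises every O4 and O16 line the helper listed, and nothing legitimate (CTHELPER.EXE scores 1 for its bare name and stays under the threshold). It also raises the HKLM\..\Run copy of kqvucmbirhkcd.exe (value name 3F6A5C59), which the fix list above does not include even though the file itself is on the delete list; that is the kind of entry worth re-checking in a fresh log. RapidBlaster and Block Checker are caught only by name, which is the part of triage the heuristics cannot replace and where a real run needs a signature database.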

#7 Alya
  • Topic Starter
  • Members
  • 11 posts

Posted 29 January 2007 - 05:10 PM

I fixed the entries in HijackThis, and then when I went to delete the files through Windows Explorer I couldn't find them. Is that right?

#8 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 29 January 2007 - 05:22 PM

Apologies for the delay getting back to you - I have the flu. I'll respond again when I'm back on my feet.

#9 Alya
  • Topic Starter
  • Members
  • 11 posts

Posted 30 January 2007 - 06:25 AM

I hope you get better soon. The flu is horrible.

#10 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 February 2007 - 01:14 PM

OK, I'm back again - do you still require assistance?

#11 Alya
  • Topic Starter
  • Members
  • 11 posts

Posted 05 February 2007 - 06:35 PM

Yes please, that would be fantastic :thumbsup:

#12 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 06 February 2007 - 02:20 AM

They may well have been orphan entries which would explain why you couldn't find them. Could you post the results of the Panda scan I requested?

#13 Alya
  • Topic Starter
  • Members
  • 11 posts

Posted 06 February 2007 - 06:37 PM

Incident Status Location

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\dangfclg.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\snoywfrs.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biI.inf
Adware:adware/comet Not disinfected C:\WINDOWS\inf\CC_43.PNF
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/WUpd Not disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Dialer:Dialer.OK Not disinfected C:\WINDOWS\Downloaded Program Files\internazionale_ver3.INF
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\satmat.ini
Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\0J78VNFY\allsecuritysite[1].html
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\USER\My Documents\Ashleigh\Local Settings\Temporary Internet Files\Content.IE5\0HELYV8B\CSSSINST[1].DL_[C:\Documents and Settings\USER\My Documents\Ashleigh\Local Settings\Temporary Internet Files\Content.IE5\0HELYV8B\CSSSINST[1].DLl
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\USER\My Documents\Ashleigh\Local Settings\Temporary Internet Files\Content.IE5\WNULGB8T\CSIEINST[1].DL_[C:\Documents and Settings\USER\My Documents\Ashleigh\Local Settings\Temporary Internet Files\Content.IE5\WNULGB8T\CSIEINST[1].DLl
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\USER\Cookies\user@casalemedia[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[2].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@www.teensforcash[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@com[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@ccbill[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@tribalfusion[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@tradedoubler[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@ad.yieldmanager[1].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@teensforcash[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@media.fastclick[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@ads.pointroll[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@mediaplex[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@realmedia[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@casalemedia[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@cs.sexcounter[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@burstnet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@bs.serving-sys[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@questionmarket[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@112.2o7[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[2].txt
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\My.Emo
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\UMEP.EXE

#14 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 07 February 2007 - 12:12 AM

Is that the full log? It appears to have been cut off.

#15 Alya
  • Topic Starter
  • Members
  • 11 posts

Posted 07 February 2007 - 05:56 AM

That is the entire log that it saved onto my computer, yeah. It does look cut off though. Did you want me to run the scan again?



