Kernel32.dll And Shell32.dll Changed


  • This topic is locked
12 replies to this topic

#1 tiny_tim

tiny_tim

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 25 February 2007 - 12:31 AM

AVG scan of computer resulted in the following messages: kernel32.dll has been changed, shell32.dll has been changed, error reading hosts/reading error.
Scan of system with HouseCall by TrendMicro resulted in all open browser windows being spontaneously closed when scan had not been fully completed. I repeated trendmicro scan twice more, with the exact same results (browser window would spontaneously close mid-way through the scan).
Is this a problem?? System has not been running well.....system boots really slowly on start-up, and I've noticed occasional bugs in several programs; specifically my ATI video tuner, among others.

PLEASE HELP !!

Logfile of HijackThis v1.99.1
Scan saved at 9:10:53 PM, on 2/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Epson all-in-one Registration.lnk = E:\Titles\Ereg\EPSONREG.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pjjones.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:56 PM

Posted 26 February 2007 - 12:35 PM

Hello tiny_tim, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:56 PM

Posted 27 February 2007 - 09:33 AM

OK. Let's get to work! :thumbsup:

IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm Free
- Outpost Firewall Free
- Kerio

NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
You have Windows Defender running on your machine and that is good. However, Windows Defender real-time protection can interfere with the changes you will make on your system, so please follow these instructions to temporarily disable Windows Defender real-time protection:
1. Open Windows Defender.
2. Click Tools, and then click General Settings.
3. Scroll down and uncheck the checkbox labelled "Turn on real-time protection (recommended)".
4. Click Save.
5. Close Windows Defender.

You can re-enable Windows Defender real-time protection once your system is clean.

Step #2
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can use, and is using, to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #3
Please download MsnVirRem.exe to your Desktop by clicking the download link below.
Download MsnVirRem.exe

Now please perform these instructions:
1. Close any other programs you have running as this will require a reboot.
2. Double-click MsnVirRem.exe to run the program.
3. Once open, click the button labelled "Search and Destroy".
4. When scanning is finished you will be prompted to reboot only if infected. Click OK.
5. Now click the Reboot Button.

After the reboot, you WILL receive "file not found"-errors (usually 4): please acknowledge them and continue.
A message should pop up from MsnVirRem. If not, double-click the program again and it will finish.

Please post the entire contents of C:\msnvirrem.log as a reply to this post.

Step #4
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
F3 - REG:win.ini: load=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: winlogon.lnk = ?


Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #5
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following directory (do not be concerned if it does not exist):
C:\WINDOWS\system32\vmwtwpdv

Reboot your computer to boot back into normal mode.

Step #6
Download ComboScan to your Desktop by clicking the download link below.
Download comboscan.exe

Now follow these instructions to run the program:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click comboscan.exe to run ComboScan, and follow the on-screen prompts.
3. When the scan is complete, a text file will open: ComboScan.txt. Copy and paste the entire contents of ComboScan.txt as a reply to this thread.
4. A folder, C:\ComboScan, will also open. In it will be another text file: Supplementary.txt. Copy and paste the entire contents of Supplementary.txt to your post as well.
NOTE: Use several posts if necessary to include everything in the logs.

Step #7
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

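
The four entries htv8 singles out in Step #4 above share two tell-tales: a win.ini load=/run= value (both are empty on a clean Windows XP system) and a file called winlogon.exe, or a startup shortcut named winlogon.lnk, living somewhere other than C:\WINDOWS\system32. As an added defender-side illustration that is not part of the thread and not HijackThis's own logic, here is a small Python checker that applies those heuristics to lines in HijackThis v1.99.1 format. The sample log, the list of core binary names and the severity labels are my own constructions; a real run would feed it a saved hijackthis.log.

```python
import ntpath
import re

# Core Windows binaries that malware likes to name itself after, and the only
# directories they live in on a default Windows XP install (assumed list).
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "explorer.exe", "userinit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Constructed sample in HijackThis v1.99.1 format, modelled on the entries
# quoted in the thread (a few clean lines plus the four htv8 asked to fix).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
F3 - REG:win.ini: load=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


def masquerades_as_system_binary(path):
    """True when the file name is a core Windows binary but the directory is not
    one of the places that binary legitimately lives."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_BINARIES and ntpath.dirname(path).lower() not in SYSTEM_DIRS


def first_token(command):
    """Executable path from a Run-key value: honour a quoted path followed by
    arguments, otherwise cut after the first '.exe' (paths may contain spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split(" ", 1)[0]


def analyse_line(line):
    """Return (severity, reason) for one HijackThis entry, or None if nothing stands out."""
    line = line.strip()

    # F3: win.ini load=/run= are empty on a clean XP box, so any value is a finding.
    m = re.match(r"^F3 - REG:win\.ini: (load|run)=(.*)$", line)
    if m:
        key, value = m.group(1), m.group(2).strip()
        if not value:
            return None
        reason = f"win.ini {key}= launches {value}"
        if masquerades_as_system_binary(value):
            reason += " (system binary name outside its normal directory)"
        return ("high", reason)

    # O2: a BHO whose DLL is gone is harmless but should be cleaned out.
    m = re.match(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$", line)
    if m and m.group(2).strip().lower() == "(no file)":
        return ("low", f"orphaned BHO {m.group(1)}: registered but DLL missing")

    # O4 Startup-folder shortcuts: one named after a system process does not
    # belong there; an unresolvable target ('?') merits a look.
    m = re.match(r"^O4 - (?:Global )?Startup: (.*?) = (.*)$", line)
    if m:
        lnk, target = m.group(1), m.group(2).strip()
        stem = lnk[:-4] if lnk.lower().endswith(".lnk") else lnk
        if stem.lower() + ".exe" in SYSTEM_BINARIES:
            return ("high", f"startup shortcut '{lnk}' named after a system binary, target {target}")
        if target == "?":
            return ("info", f"startup shortcut '{lnk}' target could not be resolved")
        return None

    # O4 Run keys: flag executables masquerading as system binaries.
    m = re.match(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$", line)
    if m:
        exe = first_token(m.group(2))
        if masquerades_as_system_binary(exe):
            return ("high", f"Run value [{m.group(1)}] launches {exe} from an unexpected directory")
    return None


def analyse_log(text):
    """Run analyse_line over a whole log; returns [(severity, entry, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        result = analyse_line(raw)
        if result:
            findings.append((result[0], raw.strip(), result[1]))
    return findings


if __name__ == "__main__":
    for severity, entry, reason in analyse_log(SAMPLE_LOG):
        print(f"[{severity}] {entry}\n        {reason}")
```

On the constructed sample this reports the two F3 lines and the winlogon.lnk shortcut as high and the orphaned BHO as low; the Picture Package shortcuts from the real log would only come back as "info", which is the right level for a shortcut HijackThis merely failed to resolve.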

#4 tiny_tim

tiny_tim
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 27 February 2007 - 11:00 AM

MsnVirRem Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Jeremy Jones\Desktop
2/27/2007
7:42:19 AM

---Infection Files Found---
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\netstat.com

Rebooting...
Fixing Registry Permissions...
Editing Registry...
Fixing Host File...
**Fix Complete!**

**************************************STEP 4 PROBLEMS !!! ***************************************

I truly appreciate your help so far, but have encountered a problem.

During step 4 (re-scan of HijackThis) I was unable to fix/delete this file:
O4 - Startup: winlogon.lnk = ?
I received an 'unexpected error': Error #52 in Subgetlongpath (?.exe)

Next prompt was to use task manager to shut down the appropriate program, but I'm not sure what program it is referring to.

ALSO, I know this may not make any difference, BUT

F3 - REG:win.ini: load=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\vmwtwpdv\winlogon.exe

...were not in the HijackThis log for me to fix/delete... just FYI.

So what is my next step? Or can I just proceed from here?

Edited by tiny_tim, 27 February 2007 - 11:30 AM.
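
The MsnVirRem log above lists taskkill.com and netstat.com in system32 as infection files. The reason that placement works is cmd.exe's default PATHEXT order, which tries .COM before .EXE: anyone typing `netstat` or `taskkill` by bare name gets the planted .com file instead of the genuine tool. As an added defender-side check, not part of the thread or of MsnVirRem, here is a Python script that lists .com files shadowing an .exe of the same base name in a directory. The sample directory it builds is constructed, and the only rule it applies is the name pairing, so each flagged file still needs to be looked at by hand.

```python
import os
import tempfile

# cmd.exe's default PATHEXT is ".COM;.EXE;.BAT;.CMD;...", so when both
# netstat.com and netstat.exe sit in the same directory, typing `netstat`
# runs netstat.com. Look for exactly that pairing.


def find_com_shadows(directory):
    """Return sorted [(stem, com_path, exe_path)] for every .com file that has
    an .exe sibling of the same base name in `directory` (case-insensitive)."""
    by_stem = {}
    for entry in os.listdir(directory):
        stem, ext = os.path.splitext(entry)
        by_stem.setdefault(stem.lower(), {})[ext.lower()] = os.path.join(directory, entry)
    shadows = []
    for stem, exts in by_stem.items():
        if ".com" in exts and ".exe" in exts:
            shadows.append((stem, exts[".com"], exts[".exe"]))
    return sorted(shadows)


def build_sample_dir():
    """Constructed stand-in for a system32 folder: three genuine-looking tools,
    one legitimate lone .com (more.com, which has no .exe twin) and two planted
    shadows matching the names in the MsnVirRem log."""
    d = tempfile.mkdtemp(prefix="sys32-sample-")
    for name in ("taskkill.exe", "netstat.exe", "ipconfig.exe", "more.com",
                 "taskkill.com", "netstat.com"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"placeholder")  # contents are irrelevant to the name check
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for stem, com, exe in find_com_shadows(sample):
        print(f"{stem}: {os.path.basename(com)} would run instead of {os.path.basename(exe)}")
```

Against a real Windows system you would point find_com_shadows at %SystemRoot%\system32 and at any other directory on PATH; more.com on its own is not reported, because the check fires only when a .com and an .exe share a name.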


#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:56 PM

Posted 28 February 2007 - 08:19 AM

Good job so far, tiny_tim. :thumbsup:
Now please continue with the instructions below.

IMPORTANT
You have a W32/Alcan.worm!p2p infection. The worm attempts to spread to remote network shares. It also contains backdoor trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background.
It spreads to network shares with weak passwords as a result of the backdoor trojan element receiving the appropriate command from a remote user.

Due to the status of some of the files you have on your computer, I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable - for email, banks, eBay, forums, etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.


Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
Please download SDFix and save it to your Desktop.
Download SDFix.exe

Once downloaded, double-click SDFix.exe and it will extract the files to %systemdrive%, the drive that contains the Windows directory (typically C:\SDFix). Do not do anything with the extracted files yet!

Step #2
Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update and configure the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5. Do not perform a scan yet!

Step #3
Download Brute Force Uninstaller (BFU) to your Desktop by clicking the download link below.
Download bfu.zip

Now please unzip/extract bfu.zip to its own directory on the C: drive by following these steps:
1. Navigate to the C: drive using Windows Explorer or My Computer.
2. Right-click in the folder window and select New > Folder.
3. Name the folder "BFU" (without the quotation marks).
4. Unzip/Extract bfu.zip to the new folder named BFU in this location: C:\BFU.
NOTE: BFU.exe is now located in C:\BFU.

In order to download alcanshorty.bfu, right-click HERE and choose "Save As" (in IE it is "Save Target As").
Save alcanshorty.bfu in your C:\BFU folder.

Do not run the Uninstaller and the Remover yet!

Step #4
Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the program's icon.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware. Do NOT reboot.

Step #5
When still in Safe Mode, execute the alcanshorty.bfu script with the Brute Force Uninstaller by following these steps:
1. Go to Start > My Computer and navigate to C:\BFU.
2. Start the Brute Force Uninstaller by double-clicking the BFU.exe file.
3. Next to the Scriptfile to execute: field, click the folder icon and select alcanshorty.bfu.
4. Click Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
5. Wait for the complete script execution box to pop up and press OK.
6. Click the option to save a log file.
7. Press Exit to terminate the BFU program.

Step #6
First enable the viewing of hidden files in Windows XP - when still in Safe Mode - by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Now delete the following directory (do not be concerned if it does not exist):
C:\WINDOWS\system32\vmwtwpdv <-- this folder

Step #7
When still in Safe Mode, open the SDFix folder (C:\SDFix) and double click RunThis.bat to start the script.
Type Y to begin the cleanup process. It will remove any Trojan services or registry entries that it finds and prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the fixtool will run again and complete the removal process then display Finished; press any key to end the script and load your Desktop icons.
Once the Desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to the Clipboard ready for posting back on the forum).

Please copy/paste the entire contents of the results file (Report.txt) in your next reply.

Also copy/paste the entire contents of the AVG Anti-Spyware text file you saved earlier and post them here for review.

Step #8
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#6 tiny_tim

tiny_tim
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 03 March 2007 - 09:12 PM

Ok htv8... I was able to successfully complete as instructed... I hope!! Here are my log/scan files as requested.

SDfix Scan:

SDFix: Version 1.69

Run by Administrator - Sat 03/03/2007 @ 17:47:01.85

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\Jeremy Jones\Start Menu\Programs\Startup\winlogon.lnk - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

Add/Remove Programs List:

Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Adobe Acrobat 5.0
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free Edition
AVG Anti-Spyware 7.5
EPSON Printer Software
EPSON Scan
HijackThis 1.99.1
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
InCD
ATI Multimedia Center 9.13
DAO
iPod for Windows 2006-06-28
DAO
iPod for Windows 2005-09-23
ATI Decoder
Microsoft Base Smart Card Cryptographic Service Provider Package
K-Lite Codec Pack 2.70 Full
MailFrontier Desktop
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
MSN
Nero OEM
Microsoft National Language Support Downlevel APIs
PokerStars
Intel® PRO Network Adapters and Drivers
Adobe Flash Player 9 ActiveX
EPSON CX 4200 4800 Guide
Spybot - Search & Destroy 1.4
Creative System Information
Windows Genuine Advantage Validation Tool
Winamp (remove only)
Windows Media Connect
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Messenger
ZoneAlarm
Macromedia Flash Player
Picture Package
Multimedia Launcher
J2SE Runtime Environment 5.0 Update 11
ATI Multimedia Center
DAO
iTunes
Adobe® Photoshop® Album Starter Edition 3.0
QuickTime
Creative MediaSource
Windows Live Messenger
Sony USB Driver
PowerDVD
Microsoft .NET Framework 2.0
Sound Blaster Live! 24-bit
Ad-Aware SE Personal
ATI Parental Control & Encoder
Microsoft Office Professional Edition 2003
ATI Parental Control & Encoder
Windows Defender
Apple Software Update
Windows Defender Signatures
Adobe Reader 7.0.9
PowerProducer
DVD Solution
iPod for Windows 2006-06-28
DAO
ATI Catalyst Control Center
Microsoft .NET Framework 1.1
ArcSoft PhotoImpression 5
iPod for Windows 2005-09-23
Logitech Mobile Video
ATI Decoder
Windows Live Sign-in Assistant
TitanTV Client components for ATI
ImageMixer VCD2

Finished

My AVG scan showed no evidence of infection:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:34:15 PM 3/3/2007

+ Scan result:



Nothing found.



::Report end

AND FINALLY.... my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:52 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Epson all-in-one Registration.lnk = E:\Titles\Ereg\EPSONREG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pjjones.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have not had a chance to assess how my system is running; I wanted to post results ASAP. Does everything look as it should so far?? And what is my next step??

Thanks again.

#7 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 March 2007 - 03:50 PM

Hello tiny_tim.
Your log looks much better than before, but we are not quite done yet. We are making good progress, though!

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Step #1: PokerStars
I see PokerStars installed. If you installed this program yourself, and use it to play poker online, please leave this program alone. However, if you do not use it, I recommend removing the program because in most cases, these programs are supported by malware, getting installed without asking for it. They also lead you to sites where malware is lurking.
I strongly recommend that you get rid of it. If you agree, go to Start > Control Panel > Add/Remove Programs and remove PokerStars if present.

Step #2: updating Sun Java Console
You have not updated your Sun Java Console. Older versions have vulnerabilities that malware can and does use to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and uninstall J2SE Runtime Environment 5.0 Update 11.
3. Reboot your computer.
4. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #3: Panda ActiveScan
Please perform an online scan by running Panda's ActiveScan (click).
Follow these instructions:
1. Click on the Scan your PC button once you are on the Panda site. A new window will open.
2. On the newly presented screen, click the Check Now button.
3. Enter your Country.
4. Enter your State/Province.
5. Enter your E-mail Address and click the Send button.
6. Select either Home User or Company.
7. Click the big Scan Now button. If it prompts to install an ActiveX component, allow it.
Panda Software will start downloading the files it requires for the scan. NOTE: This may take a couple of minutes!
8. When the download is complete, click on My Computer to start the scan.
9. When the scan completes - if anything malicious is detected - click the See Report button.
10. Click Save Report and save it to a convenient location easy to remember.
11. Post the entire contents of Panda's ActiveScan report here as a reply to this post.

Step #4: ComboScan
Download ComboScan to your Desktop by clicking the download link below.
Download comboscan.exe

Now follow these instructions to run the program:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click comboscan.exe to run ComboScan, and follow the on-screen prompts.
3. When the scan is complete, a text file will open: ComboScan.txt. Copy and paste the entire contents of ComboScan.txt as a reply to this thread.
4. A folder, C:\ComboScan, will also open. In it will be another text file: Supplementary.txt. Copy and paste the entire contents of Supplementary.txt to your post as well.
NOTE: Use several posts if necessary to include everything in the logs.

Step #5: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#8 tiny_tim

  • Topic Starter

  • Members
  • 5 posts

Posted 22 March 2007 - 04:01 PM

Hey there.... I've been away on vacation for 2 weeks and my bro-in-law has been on my system. Now it is running slower than ever. Probably the porno he downloaded....sick f*ck

Here are the most recent scans:


Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@2o7[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@atwola[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@counter.hitslink[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@counter13.sextracker[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@fastclick[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@findwhat[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@hitbox[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@kinghost[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@server.iad.liveperson[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@statse.webtrendslive[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jeremy Jones\Cookies\jeremy_jones@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeremy Jones\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

ComboScan v20070306.20 run by Jeremy Jones on 2007-03-22 at 13:45:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
26: 2007-03-22 20:46:17 UTC - RP26 - ComboScan Restore Point
25: 2007-03-22 19:28:10 UTC - RP25 - Installed Java™ SE Runtime Environment 6
24: 2007-03-22 19:19:08 UTC - RP24 - Installed Java™ SE Development Kit 6
23: 2007-03-22 12:40:27 UTC - RP23 - System Checkpoint
22: 2007-03-21 09:20:15 UTC - RP22 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-03-04 21:56:11 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Jeremy Jones.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:47:13 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\Jeremy Jones\Local Settings\Temporary Internet Files\Content.IE5\QJMZB9JD\comboscan[1].exe
C:\PROGRA~1\HIJACK~1\Jeremy Jones.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Epson all-in-one Registration.lnk = E:\Titles\Ereg\EPSONREG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pjjones.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070227-080423-127 O4 - Startup: winlogon.lnk = ?
backup-20070227-080423-958 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070227-080833-351 O4 - Startup: winlogon.lnk = ?
backup-20070227-080937-632 O4 - Startup: winlogon.lnk = ?
backup-20070227-091736-401 O4 - Startup: winlogon.lnk = ?

-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
3R ATIAVAIW (ATI T200 Unified AVStream service) - C:\WINDOWS\system32\drivers\atinavt2.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R Avg7Core (AVG7 Kernel) - C:\WINDOWS\system32\drivers\avg7core.sys
1R Avg7RsW (AVG7 Wrap Driver) - C:\WINDOWS\system32\drivers\avg7rsw.sys
1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINDOWS\system32\drivers\avg7rsxp.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
1R AvgClean (AVG7 Clean Driver) - C:\WINDOWS\system32\drivers\avgclean.sys
2R AvgTdi (AVG Network Redirector) - C:\WINDOWS\system32\drivers\avgtdi.sys
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\CCDECODE.sys
1R cdrbsdrv - C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
3R ctsfm2k (Creative SoundFont Management Device Driver) - C:\WINDOWS\system32\drivers\ctsfm2k.sys
3R E100B (Intel® PRO Adapter Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
3R FVNETusb (Linksys Wireless-B USB Network Adapter v2.8 Driver) - C:\WINDOWS\system32\drivers\vnet58lx.sys
3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
4R InCDfs (InCD File System) - C:\WINDOWS\system32\drivers\InCDfs.sys
1R InCDPass - C:\WINDOWS\system32\drivers\InCDpass.sys
1R incdrm (InCD Reader) - C:\WINDOWS\system32\drivers\InCDrm.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
3S MPE (BDA MPE Filter) - C:\WINDOWS\system32\drivers\MPE.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\MSTEE.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\NABTSFEC.sys
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\NdisIP.sys
3R ossrv (Creative OS Services Driver) - C:\WINDOWS\system32\drivers\ctoss2k.sys
3R P17 (Sound Blaster Live! 24-bit) - C:\WINDOWS\system32\drivers\P17.sys
3R pfc (Padus ASPI Shell) - C:\WINDOWS\system32\drivers\pfc.sys
3R QCMerced (Logitech QuickCam Express) - C:\WINDOWS\system32\drivers\lvcm.sys
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\SLIP.sys
3S SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS
0R srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\StreamIP.sys
2R tmcomm - C:\WINDOWS\system32\drivers\tmcomm.sys
3R usbaudio (USB Audio Driver (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3R usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
1R vsdatant - C:\WINDOWS\system32\vsdatant.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\WSTCODEC.SYS
3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
2R AVGEMS (AVG E-mail Scanner) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
2R Creative Service for CDROM Access - C:\WINDOWS\system32\CTsvcCDA.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2R InCDsrv (InCD Helper) - C:\Program Files\Ahead\InCD\InCDsrv.exe
3R iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3R usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
2R vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
2R WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"
2R WMDM PMSP Service - C:\WINDOWS\system32\MsPMSPSv.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-03-22 02:52:21 436 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{F17115ED-6CD6-4FB5-A91C-9E5C31AA3CFE}.job<USER_F~1.JOB>
2007-03-22 02:20:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-03-18 10:20:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-02-22 and 2007-03-22 -----------------------------

2007-03-22 12:34:09 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-22 12:34:05 0 d-------- C:\WINDOWS\LastGood
2007-03-22 12:14:20 0 d-------- C:\Documents and Settings\Jeremy Jones\.SunDownloadManager<SUNDOW~1>
2007-03-18 20:00:54 0 d-------- C:\Program Files\iTunes
2007-03-03 19:44:50 0 d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer<APPLEC~1>
2007-03-03 19:38:56 266360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-03-03 18:38:40 0 d-------- C:\bintheredunthat<BINTHE~1>
2007-03-03 17:46:08 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-03-03 17:35:03 0 d-------- C:\SDFix
2007-03-03 17:30:53 0 d-------- C:\BFU
2007-03-03 17:25:01 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-27 08:36:42 0 d-------- C:\Program Files\Common Files\Java
2007-02-27 07:50:42 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-27 07:50:24 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-02-27 07:50:24 11264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-27 07:49:59 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-27 07:49:58 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-27 07:49:19 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-02-24 20:09:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-24 19:30:01 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\Lavasoft
2007-02-24 19:29:46 0 d-------- C:\Program Files\Lavasoft
2007-02-24 19:29:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-22 13:26:19 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-03-22 13:26:16 0 d-------- C:\Program Files\Winamp
2007-03-22 13:25:47 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-22 13:24:55 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-22 13:13:14 0 d-------- C:\Program Files\ATI Multimedia<ATIMUL~1>
2007-03-22 12:28:21 0 d-------- C:\Program Files\Java
2007-03-18 20:00:59 0 d-------- C:\Program Files\iPod
2007-03-06 18:27:48 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-03-03 21:25:51 0 d-------- C:\Program Files\PokerStars<POKERS~1>
2007-03-03 20:24:38 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\AVG7
2007-03-03 17:24:58 0 d-------- C:\Program Files\Grisoft
2007-02-21 18:10:58 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\AdobeUM
2007-02-21 18:10:57 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-18 18:17:36 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\Creative
2007-02-18 18:14:34 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\ATI MMC<ATIMMC~1>
2007-02-15 23:02:56 0 d-------- C:\Program Files\Yahoo!
2007-01-30 03:05:50 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\MSNInstaller<MSNINS~1>
2007-01-30 00:32:02 0 d-------- C:\Documents and Settings\Jeremy Jones\Application Data\Help
2007-01-29 01:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-19 13:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-12 10:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 10:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"ATI Launchpad"=""
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"PowerBar"=""
"winlogon"=""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"P17Helper"="Rundll32 P17.dll,P17Helper"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P26 \"EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""
"CTSysVol"="C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"NoAdminPage"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-03-22 at 13:48:05 ------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:02:59 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Epson all-in-one Registration.lnk = E:\Titles\Ereg\EPSONREG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pjjones.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




HELP ME !!!

Maybe it is time to invest in a Mac !!

Edited by tiny_tim, 22 March 2007 - 04:07 PM.


#9 htv8

Posted 23 March 2007 - 07:54 AM

OK. As things may have changed due to your inactivity and your bro-in-law's surfing, please give me some time to look over your log files and I will get back to you as soon as possible.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#10 htv8

Posted 25 March 2007 - 12:02 PM

Hello there again.

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: temporarily disabling Windows Defender
You have Windows Defender running on your machine and that is good. However, Windows Defender real-time protection can interfere with the changes you will make on your system. If not already disabled, please follow these instructions to temporarily disable Windows Defender real-time protection:
1. Open Windows Defender.
2. Click Tools, and then click General Settings.
3. Scroll down and uncheck the checkbox labelled "Turn on real-time protection (recommended)".
4. Click Save.
5. Close Windows Defender.

You can re-enable Windows Defender real-time protection once your system is clean.

Step #2: HijackThis scan
Scan again with HijackThis. Put a checkmark by this entry if it is present, double-checking to be sure that only this entry is checked:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #3: ATF Cleaner download
Please download ATF Cleaner from the link below, but do not use the program yet.
Download ATF Cleaner

Step #4: file/folder deletion
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shut down My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

If you uninstalled PokerStars as recommended in my previous post, please delete this folder if it is present:
C:\Program Files\PokerStars <-- this folder

Did you uninstall J2SE Runtime Environment 5.0 Update 11 as told to in my previous post? If so, please delete this folder if it is present:
C:\Program Files\Java\jre1.5.0_11 <-- this folder
NOTE: If you did not uninstall it in my previous post, please uninstall J2SE Runtime Environment 5.0 Update 11 now by going to Start > Control Panel > Add/Remove Programs. Then delete the folder.

Step #5: running ATF Cleaner
You downloaded ATF Cleaner before. When still in Safe Mode, please follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program.
Reboot your computer back into normal mode.

Step #6: registry fix
I want you to back up the registry, because we are going to make a few changes to it. Please follow these steps to export the registry key we want to back up to a .reg file:
1. Close all programs so that you have nothing open and are at the Desktop.
2. Go to Start > Run.
3. In the Run: field copy/paste the entire contents inside the QUOTE box below and press the OK button.

regedit /e registry.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

Now a secure backup copy has been made, I want you to download the attached file called regfix.reg. Please download it and save the file to your Desktop.
Attached file: regfix.reg (79 bytes, 12 downloads)
Now go to the Desktop and double-click regfix.reg. When prompted to merge its contents to the registry, click the Yes button.

Step #7: Kaspersky Online Scanner
Please perform an online scan with Kaspersky Online Scanner (click).
Follow these instructions:
1. Click on the button labelled "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Install it.
3. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT.
4. Now click on "Scan Settings".
5. In the scan settings, make sure the following are selected:

Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

6. Click OK.
7. Now under select a target to scan, select My Computer.

The program will start and scan your system.
NOTE: The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected. Click on the button labelled "Save as Text" and save a text file to your Desktop. Copy and paste that information in your next post.

Step #8: ComboScan
If not already downloaded, download ComboScan to your Desktop by clicking the download link below.
Download comboscan.exe

Now follow these instructions to run the program:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click comboscan.exe to run ComboScan, and follow the on-screen prompts.
3. When the scan is complete, a text file will open: ComboScan.txt. Copy and paste the entire contents of ComboScan.txt as a reply to this thread.
4. A folder, C:\ComboScan, will also open. In it will be another text file: Supplementary.txt. Copy and paste the entire contents of Supplementary.txt to your post as well.
NOTE: Use several posts if necessary to include everything in the logs.

Step #9: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running now.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
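The entry singled out in Step #2 is the one BHO in the log above whose file is gone ("(no file)"), and the ComboScan registry dump in the same post shows three HKCU Run values with an empty command, one of them named "winlogon". The script below is an added example for this thread, not code from the thread, from HijackThis or from ComboScan: it parses lines in those two formats and flags orphaned registrations, Run values with an empty command, and Run values named after core Windows processes. All names in it (Finding, triage_line, SYSTEM_NAMES) are the example's own, the sample lines are copied from the posted log, and the flagging rules are heuristics, so a hit is a prompt to look closer rather than a verdict; WgaLogon.dll, for instance, is the legitimate Windows Genuine Advantage notification DLL and is listed only for review.

```python
"""Triage of HijackThis / ComboScan autostart entries.

Added example for this thread; it is not code from HijackThis, ComboScan or
the poster.  The sample lines are copied from the logs posted above.  The
flagging rules (a registration whose file is missing, a Run value with an
empty command, a value named after a core Windows process) are this
example's own heuristics, not rules either tool applies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: six HijackThis lines and two lines from the ComboScan
# registry dump, taken from the log in the thread, embedded so this runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"winlogon"=""
"PowerBar"=""
"""

HJT_ENTRY = re.compile(r"^O(?P<section>\d+) - (?P<body>.*)$")
# A value line as it appears in the ComboScan registry dump: "name"="data"
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
# Names of core Windows binaries; a per-user Run value carrying one of these
# names deserves a second look (example's own list, an assumption).
SYSTEM_NAMES = {"winlogon", "csrss", "smss", "services", "lsass", "svchost"}


@dataclass
class Finding:
    line: str
    reason: str


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = raw.strip()
    m = HJT_ENTRY.match(line)
    if m:
        body = m.group("body")
        # "(no file)" / "(file missing)" mean the registration points at a
        # path that no longer exists: harmless by itself, but dead weight
        # that HijackThis can remove (this is what Step #2 above does).
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return Finding(line, "orphaned registration: referenced file is missing")
        if m.group("section") == "20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; always
            # worth confirming the publisher even when the file is present.
            return Finding(line, "Winlogon Notify DLL: verify publisher")
        return None
    m = RUN_VALUE.match(line)
    if m and m.group("data") == "":
        name = m.group("name")
        reason = "Run value with empty command"
        if name.lower() in SYSTEM_NAMES:
            reason += f"; name '{name}' mimics a core Windows process"
        return Finding(line, reason)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log, dropping blanks."""
    findings = []
    for raw in log_text.splitlines():
        finding = triage_line(raw)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run on the sample it reports five lines: the two orphaned registrations, the Winlogon Notify DLL for review, and the two empty Run values, with the "winlogon" one additionally marked for its name. Paste a full log into SAMPLE_LOG to triage a whole post the same way.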


#11 tiny_tim (Topic Starter)

Posted 14 April 2007 - 02:15 AM

Hi again....

I have taken the EXACT steps that you requested this time, however I ran into a catch at step 6, registry fix. After downloading the file to my desktop and attempting to run the file, I received an error message: "....the specified file is not a registry script. You can only import binary registry files from within the registry editor."

What next?? I'm pretty sure I did not screw anything up this time, as I reviewed the instructions several times to ensure I did not miss anything.

#12 htv8

Posted 16 April 2007 - 08:53 AM

Hello, tiny_tim. Welcome back.

Apparently, I made a little mistake. Sorry for that. I have attached a new regfix.reg file, which I want you to download and run instead. Please download it and save the file to your Desktop.
Attached file: regfix.reg (91 bytes, 5 downloads)
Now go to the Desktop and double-click regfix.reg. When prompted to merge its contents to the registry, click the Yes button.

Once done, continue with the rest of the instructions.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
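The error quoted in #11 is the message regedit gives before it looks at anything else in a .reg file: the first line must be a recognised header ("Windows Registry Editor Version 5.00" or the older "REGEDIT4"), otherwise the file is rejected as "not a registry script". The thread does not show the contents of either regfix.reg, so whether that was the defect in the first attachment is not established here. The following Python is an added example, not htv8's attachment and not code from the thread: it builds a .reg script that deletes named Run values, checks a script for the header and for well-formed section and value lines, and writes it in the UTF-16LE encoding that the `regedit /e` backup in Step #6 also produces. The value names it deletes are an assumption taken from the empty HKCU Run entries in the ComboScan dump above, and every function and constant name in it is the example's own.

```python
"""Build and check a .reg script of the kind used in Step #6 above.

Added example; it is not the regfix.reg that htv8 attached (the thread does
not show its contents) and it does not claim to know why the first
attachment failed.  What it shows is the first check regedit applies: the
first line must be a recognised header, or regedit answers "The specified
file is not a registry script".  The value names deleted below are an
assumption taken from the empty HKCU Run entries in the ComboScan dump.
"""
import re
from typing import List

REG_HEADER_V5 = "Windows Registry Editor Version 5.00"   # Windows 2000 and later
REG_HEADER_V4 = "REGEDIT4"                               # legacy ANSI format
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Value lines regedit understands: "name"=<data>, where <data> is a quoted
# string, dword:XXXXXXXX, hex(...) data, or "-" meaning "delete this value".
VALUE_LINE = re.compile(
    r'^(@|"[^"]+")=(-|".*"|dword:[0-9A-Fa-f]{8}|hex(\([0-9A-Fa-f]+\))?:.*)$'
)


def build_delete_script(key: str, value_names: List[str]) -> str:
    """Return the text of a .reg file that deletes the named values under key."""
    lines = [REG_HEADER_V5, "", f"[{key}]"]
    lines += [f'"{name}"=-' for name in value_names]   # "=-" deletes the value
    return "\r\n".join(lines) + "\r\n"                  # regedit expects CRLF


def validate_reg_script(text: str) -> List[str]:
    """Return a list of problems; an empty list means the script is well formed."""
    problems: List[str] = []
    lines = text.splitlines()
    has_header = bool(lines) and lines[0].strip() in (REG_HEADER_V5, REG_HEADER_V4)
    if not has_header:
        problems.append("missing or wrong header line")
    body = lines[1:] if has_header else lines
    in_key = False
    for n, line in enumerate(body, start=2 if has_header else 1):
        s = line.strip()
        if not s or s.startswith(";"):          # blank or comment
            continue
        if s.startswith("[") and s.endswith("]"):
            in_key = True                        # [key] or [-key] (key delete)
            continue
        if not in_key:
            problems.append(f"line {n}: value outside any [key] section")
        elif not VALUE_LINE.match(s):
            problems.append(f"line {n}: malformed value line")
    return problems


def write_reg(path: str, text: str) -> None:
    """Save as UTF-16LE with BOM, the encoding regedit itself exports in."""
    with open(path, "wb") as fh:
        fh.write(b"\xff\xfe" + text.encode("utf-16-le"))


if __name__ == "__main__":
    # Assumed target values: the empty HKCU Run entries from the dump above.
    script = build_delete_script(RUN_KEY, ["winlogon", "PowerBar", "ATI Launchpad"])
    print(script)
    print("problems:", validate_reg_script(script) or "none")
    # Strip the header to reproduce the kind of file regedit refuses.
    print("headerless:", validate_reg_script(script.split("\r\n", 1)[1]))
```

Before merging any .reg file someone sends you, open it in Notepad and run it through a check like validate_reg_script: a missing header is the common cause of the error in #11, and a `[-HKEY...]` section or a `"name"=-` line tells you exactly what the merge will remove, which is the part worth reading before you click Yes.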


#13 htv8

Posted 29 April 2007 - 11:40 AM

Due to the lack of feedback, this topic is closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
