Adsnt.exe (nasty... Need Help Thanks)


19 replies to this topic

#1 masterarchitect

  • Members
  • 14 posts

Posted 20 March 2007 - 03:32 PM

Hi there, can you please have a look at my logfile. I have attempted to delete AdsNT.exe manually and through Spybot and Prevx... but with no real success so far. Every time I reboot there are auto loads of internet sites and my internet connection is being used to the point that my PC is at 100% usage. Advice and help appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:35:48, on 20/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\MSRundll.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {2c2cee5d-7622-4c36-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4c36cfsb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: IEInit Class - {5B02EBA1-EFDD-477D-A37F-05383165C9C0} - C:\WINDOWS\System32\drivers\usrinit.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {a9baccb6-1413-422c-ae2b-1b294ae19f4f} - C:\WINDOWS\System32\422cntos.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowBlinds] C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbload.exe auto
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: ruango.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://vanmappub.vancouver.ca/download/mgaxctrl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tuvuv - C:\WINDOWS\
O23 - Service: Abieliok - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\ICDSPTSV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Unknown owner - C:\WINDOWS\System32\WFXSVC.EXE (file missing)


(**Note: AdsNT.exe is Trojan.DownLoader.316.**)
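Added example, not part of the thread and not code from HijackThis, Spybot or Prevx: a small Python triage script that parses lines in the shape of the HijackThis v1.99.1 log above and flags the entry types a helper would look at first. The sample lines are a constructed subset copied from the log in this post; the rules are heuristics chosen here, not HijackThis's own logic, and a hit means "review this line", not "this is malicious".

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above: a
# handful of its lines, enough to exercise every rule below. Not a full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AdsNT.exe
C:\Program Files\cs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {2c2cee5d-7622-4c36-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4c36cfsb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ruango.lnk = ?
O20 - Winlogon Notify: tuvuv - C:\WINDOWS\
O23 - Service: Abieliok - - (no file)
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)
"""

# "R1 - ...", "O4 - ...": section code, " - ", rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Names Windows ships in its own directory; a copy elsewhere deserves a look.
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}
# Installed software lives in a product folder, not directly in these roots.
ROOT_DIRS = {r"c:\windows", r"c:\program files"}
ROOT_ALLOWLIST = {"explorer.exe"}  # Explorer legitimately sits in C:\WINDOWS


def parse_hjt(text):
    """Split a log into its 'Running processes' block and its numbered entries."""
    parsed = {"processes": [], "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            parsed["entries"].append((m.group("section"), m.group("body")))
        elif in_procs:
            parsed["processes"].append(line)
    return parsed


def check_process(path):
    """Heuristics on one executable path; returns a reason string or None."""
    parent, _, name = path.rpartition("\\")
    parent, name = parent.lower(), name.lower()
    if parent in ROOT_DIRS and name not in ROOT_ALLOWLIST:
        return f"executable directly in {parent}, not in a product folder"
    if name in SYSTEM_BINARY_NAMES and not parent.startswith(r"c:\windows"):
        return "system binary name outside the Windows directory"
    return None


def check_entry(section, body):
    """Heuristics on one numbered HijackThis entry; returns a reason or None."""
    low = body.lower()
    if section == "R1" and "autoconfigurl" in low and \
            re.search(r"=\s*http://(localhost|127\.0\.0\.1)", low):
        return "proxy auto-config script served from the local machine"
    if section == "O2" and "(no name)" in low:
        return "BHO without a display name"
    if section == "O4":
        target = re.search(r'\]\s*"?([^"]+?\.exe)', body, re.IGNORECASE)
        if target:
            reason = check_process(target.group(1))
            if reason:
                return reason
        if low.endswith("= ?"):
            return "startup shortcut whose target could not be resolved"
    if section == "O20" and body.rstrip().endswith("\\"):
        return "Winlogon Notify entry naming a directory instead of a DLL"
    if section == "O23" and "(no file)" in low:
        return "service with no owner and no file on disk"
    return None


def triage(text):
    """Return (where, reason, line) for every line that deserves a second look."""
    parsed = parse_hjt(text)
    hits = []
    for proc in parsed["processes"]:
        reason = check_process(proc)
        if reason:
            hits.append(("process", reason, proc))
    for section, body in parsed["entries"]:
        reason = check_entry(section, body)
        if reason:
            hits.append((section, reason, body))
    return hits


if __name__ == "__main__":
    for where, reason, line in triage(SAMPLE_LOG):
        print(f"[{where}] {reason}\n    {line}")
```

Two design points worth noting. The unnamed-BHO rule is deliberately broad and also flags Spybot's own SDHelper.dll, so every hit still has to be checked against a known-good list by a person; a triage script narrows the log, it does not verdict it. Conversely, `(file missing)` services such as GBPoll are not flagged, because they are usually leftovers of uninstalled software, while a service with no owner and `(no file)` is rare enough to be worth a look.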


#2 RichieUK

Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 20 March 2007 - 04:44 PM

Welcome to the BleepingComputer HijackThis forum masterarchitect :thumbsup:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

********************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply, along with a new HijackThis log.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 20 March 2007 - 05:05 PM

Thanks! I will try this when I get home where my infected PC is. I use IE 6 btw. I have to note that there seems to be more than one version of this .exe program in multiple C:\ locations each time I thought I fixed it before coming to this forum. Thanks again! Will come back to see if it worked.

(PS Do I need to reboot after doing all this? Thanks.)

(PPS I am not able to send a file from my computer to my USB drive due to this infection. A message tells me to check whether the file is write-protected even though the file is set to archive mode. Seems like this infection affects how my files work too. Also I am not able to access my Yahoo mail on the net, because I stubbornly attempted to delete some malicious reg's through HijackThis. Any advice as well? Thanks :thumbsup: )

Edited by masterarchitect, 20 March 2007 - 09:30 PM.


#4 masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 20 March 2007 - 10:10 PM

Okay I have cleared all files with ATF Cleaner, and I've run Vundo, but there seems to be no files found according to a first scan. I'm now attempting another scan... but looks like it's not just vundo... posting logs from hijackthis and vundo (pop-up still there, from a couple of websites in China... :thumbsup: :flowers: ):


VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 19:16:17 20/3/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 20:00:10 20/3/2007

Listing files found while scanning....





Logfile of HijackThis v1.99.1
Scan saved at 20:04:49, on 20/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\cs.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\AdsNT.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Documents and Settings\Po-wah\Desktop\VundoFix.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {2c2cee5d-7622-4c36-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4c36cfsb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: IEInit Class - {5B02EBA1-EFDD-477D-A37F-05383165C9C0} - C:\WINDOWS\System32\drivers\usrinit.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {a9baccb6-1413-422c-ae2b-1b294ae19f4f} - C:\WINDOWS\System32\422cntos.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowBlinds] C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbload.exe auto
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ruango.lnk = ?
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://vanmappub.vancouver.ca/download/mgaxctrl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tuvuv - C:\WINDOWS\
O23 - Service: Abieliok - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\ICDSPTSV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Unknown owner - C:\WINDOWS\System32\WFXSVC.EXE (file missing)


>>>I just noticed AdsNT.exe is STILL there: C:\WINDOWS\AdsNT.exe :huh: Advice and further assistance appreciated!

Edited by masterarchitect, 20 March 2007 - 10:15 PM.


#5 masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 20 March 2007 - 10:42 PM

Yeah, I've finished scanning with VundoFix for the second time but still no results... wondering if there is another problem? I'm gonna try removing with Prevx again and see if it's there. I really am having problems with the pop-ups. :thumbsup: Thanks.

>>Oh yeah one of the sites that pops up is www.comewz.com/qq.

Edited by masterarchitect, 20 March 2007 - 10:44 PM.


#6 masterarchitect

masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 20 March 2007 - 11:43 PM

Dang! :thumbsup: Pop-ups are still here! What do I do? I've also noticed that a suspicious program named "cs.exe" is running in my task manager. I believe I've been infected by a trojan from a Chinese domain that launches Chinese sites. Please advise. Thanks.

Edited by masterarchitect, 21 March 2007 - 01:16 AM.


#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 March 2007 - 03:22 AM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply, along with a new Hijackthis log please. (You can use Notepad to open the DrWeb.csv report)

#8 masterarchitect

masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 21 March 2007 - 10:13 PM

OUCH!!! >.< I am taken aback by what Dr.Web found: at least 7 different trojans and many infected files and a lot of adware. A total of 117 files found to be either infected or the intruders. I just have one more question, does Dr.Web tell you that it's finished with the message: "Scan interrupted by user! Viruses found"? I didn't touch anything but that's how it stopped by itself. Here are both reports:

autoup.exe;c:\windows;Adware.DealHelper;Moved.;
40c6ntos.dll;c:\windows\system32;Adware.Baidu;Moved.;
4ac5cfsb.dll;c:\windows\system32;Trojan.DownLoader.18133;Deleted.;
usrinit.dll;c:\windows\system32\drivers;Adware.Dmedia;Moved.;
trtbc.dll;c:\windows\system32;Adware.Tencent;Will be moved after reboot.;
usrinit.exe;c:\windows\system32;Trojan.DownLoader.19717;Deleted.;
~deC.tmp\data005;C:\~deC.tmp;Adware.Borlander;;
~deC.tmp;C:\;Archive contains infected objects;Moved.;
~de1D.tmp;C:\;Trojan.DownLoader.19578;Deleted.;
AutoUp.exe;C:\WINDOWS;Adware.DealHelper;;
IFinst25.exe;C:\WINDOWS;BackDoor.Ifinst;Deleted.;
ymyucl.dll;C:\WINDOWS\system32;Trojan.DownLoader.14131;Deleted.;
winCreate.exe;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
tiasprxm.exe;C:\WINDOWS\system32;Adware.SearchColours;Moved.;
dtwlyxhh.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
40c6ntos.dll;C:\WINDOWS\system32;Adware.Baidu;;
trtbc.dll;C:\WINDOWS\system32;Adware.Tencent;Will be moved after reboot.;
trtbc.dat;C:\WINDOWS\system32;Adware.Tencent;Moved.;
kbnaxp.dll;C:\WINDOWS\system32;Adware.Tencent;Will be moved after reboot.;
ndcia.sys;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.226;Deleted.;
usrinit.dll;C:\WINDOWS\system32\drivers;Adware.Dmedia;;
adgugc.exe;C:\WINDOWS\Temp\adgugc;Trojan.DownLoader.19578;Deleted.;
adgugd.exe;C:\WINDOWS\Temp\adgugd;Trojan.DownLoader.19578;Deleted.;
usrinit.dll;C:\Documents and Settings\Gent\Local Settings\Temp;Adware.Dmedia;Moved.;
Gent.dat;C:\Documents and Settings\Gent\Local Settings\Temp;Adware.Tencent;Moved.;
usrinit[1].exe;C:\Documents and Settings\Gent\Local Settings\Temporary Internet Files\Content.IE5\M0P3481P;Trojan.DownLoader.19717;Deleted.;
rundll32.exe;C:\Program Files\Common Files;Trojan.PWS.Banker.6743;Deleted.;
Player.dll;C:\Program Files\Common Files\WANSO;Adware.Sogou;Moved.;
SoBar.dll;C:\Program Files\Common Files\WANSO;Adware.Sogou;Moved.;
backup-20061119-190502-707.dll;C:\Program Files\Hijack This\backups;Trojan.Juan;Deleted.;
backup-20070318-192523-841.dll;C:\Program Files\Hijack This\backups;Adware.Cdn;Moved.;
backup-20070320-022730-495.dll;C:\Program Files\Hijack This\backups;Adware.Baidu;Moved.;
GettysburgSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Moved.;
Civ3GoldSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Moved.;
CruiseTycoonSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Moved.;
ApprenticeSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Moved.;
Setup.exe;F:\Programs & Software\Adobe Photoshop CS2;Win32.HLLP.Feuh;Cured.;
keygen.exe;F:\Programs & Software\Adobe Photoshop CS2\PANTHEON;Win32.HLLP.Feuh;Cured.;
instmsiw.exe;F:\Programs & Software\Adobe® Photoshop® CS2;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\Adobe® Photoshop® CS2;Win32.HLLP.Feuh;Cured.;
setup64.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT;Win32.HLLP.Feuh;Cured.;
PLU250.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT\Program Files\Common F;Win32.HLLP.Feuh;Cured.;
MSO7FTP.EXE;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT\Program Files\Common F;Win32.HLLP.Feuh;Cured.;
AdMigrator.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT\Program Files\Root;Win32.HLLP.Feuh;Cured.;
AdSGDeploy.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT\Support\CADManager\Pro;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT\Support\nlm\Msi\9x;Win32.HLLP.Feuh;Cured.;
ARCHDESK2005NLA.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT\Support\NSA;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Msi\9x;Win32.HLLP.Feuh;Cured.;
AcHelp.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Program Fil;Win32.HLLP.Feuh;Cured.;
PLU250.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Program Fil;Win32.HLLP.Feuh;Cured.;
MSOICONS.EXE;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Program Fil;Win32.HLLP.Feuh;Cured.;
addplwiz.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Program Fil;Win32.HLLP.Feuh;Cured.;
sfxfe32.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Program Fil;Win32.HLLP.Feuh;Cured.;
flashplayer7_winax.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Program Fil;Win32.HLLP.Feuh;Cured.;
Deploy.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support;Win32.HLLP.Feuh;Cured.;
CMControl.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\CAD;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\Exp;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\Exp;Win32.HLLP.Feuh;Cured.;
lspsurf.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\Exp;Win32.HLLP.Feuh;Cured.;
flashplayer7_winax.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\fla;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\nlm;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Support\NSA;Win32.HLLP.Feuh;Cured.;
pl534caden.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Windows Sys;Win32.HLLP.Feuh;Cured.;
pl243caden.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\ADT\Windows Sys;Win32.HLLP.Feuh;Cured.;
WriteRunonceKey.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\Bin;Win32.HLLP.Feuh;Cured.;
keygen1.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Autodesk Architectural Desktop 2005\ADT - FULL\keygen;Win32.HLLP.Feuh;Cured.;
demo32.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Msi\9x;Win32.HLLP.Feuh;Cured.;
AdRefMan.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Program Files\AutoCAD 2005;Win32.HLLP.Feuh;Cured.;
flashplayer7_winax.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Program Files\AutoCAD 2005\Support;Win32.HLLP.Feuh;Cured.;
PLU250.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Program Files\Common Files\Autodesk Shared;Win32.HLLP.Feuh;Cured.;
MSO7FTP.EXE;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Program Files\Common Files\Microsoft Shared\Offic;Win32.HLLP.Feuh;Cured.;
ExpressViewerSetup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\aev;Win32.HLLP.Feuh;Cured.;
AdSGDeploy.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\CADManager\Program Files\Autodesk\CAD Man;Win32.HLLP.Feuh;Cured.;
CMControl.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\CADManager\Program Files\Autodesk\CAD Man;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\Express;Win32.HLLP.Feuh;Cured.;
instmsi.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\Express\Msi\NT;Win32.HLLP.Feuh;Cured.;
ie6setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\MSIE;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\nlm;Win32.HLLP.Feuh;Cured.;
setup.exe;F:\Programs & Software\AutoCAD 2005 & Architectural Desktop 2005\Bin\ACADFeui\Support\NSA;Win32.HLLP.Feuh;Cured.;
Demonstrator.exe;F:\Programs & Software\Demonstrator;Win32.HLLP.Feuh;Cured.;
autorun.exe;F:\Programs & Software\Macromedia Studio MX;Win32.HLLP.Feuh;Cured.;
ColdFusion MX Installer.exe;F:\Programs & Software\Macromedia Studio MX\ColdFusion MX;Win32.HLLP.Feuh;Cured.;
Extension Manager Installer.exe;F:\Programs & Software\Macromedia Studio MX\Copy of Extension Manager;Win32.HLLP.Feuh;Cured.;
Dreamweaver MX Installer.exe;F:\Programs & Software\Macromedia Studio MX\Dreamweaver MX;Win32.HLLP.Feuh;Cured.;
Extension Manager Installer.exe;F:\Programs & Software\Macromedia Studio MX\Extension Manager;Win32.HLLP.Feuh;Cured.;
KEYGEN.EXE;F:\Programs & Software\Norton Systemworks 05;Win32.HLLP.Feuh;Cured.;
NCDSTART.EXE;F:\Programs & Software\Norton Systemworks 05;Win32.HLLP.Feuh;Cured.;
NSWSETUP.EXE;F:\Programs & Software\Norton Systemworks 05;Win32.HLLP.Feuh;Cured.;
QDCSFS.EXE;F:\Programs & Software\Norton Systemworks 05\FASTSAFEW;Win32.HLLP.Feuh;Cured.;
SMNLNCH.EXE;F:\Programs & Software\Norton Systemworks 05\NAV\EXTERNAL\COMMONFI\SYMSHARE;Win32.HLLP.Feuh;Cured.;
CCIMSCN.EXE;F:\Programs & Software\Norton Systemworks 05\NAV\EXTERNAL\NORTON\APP;Win32.HLLP.Feuh;Cured.;
OPSCAN.EXE;F:\Programs & Software\Norton Systemworks 05\NAV\EXTERNAL\NORTON\APP;Win32.HLLP.Feuh;Cured.;
NPMSETUP.EXE;F:\Programs & Software\Norton Systemworks 05\NPM;Win32.HLLP.Feuh;Cured.;
INSTMSIW.EXE;F:\Programs & Software\Norton Systemworks 05\NPM\SUPPORT\MSI;Win32.HLLP.Feuh;Cured.;
SYMLNCH.EXE;F:\Programs & Software\Norton Systemworks 05\NPM\SUPPORT\SYMLNCH;Win32.HLLP.Feuh;Cured.;
WINDOC.EXE;F:\Programs & Software\Norton Systemworks 05\NU;Win32.HLLP.Feuh;Cured.;
WIPEINFO.EXE;F:\Programs & Software\Norton Systemworks 05\NU;Win32.HLLP.Feuh;Cured.;
CCPWDSVC.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\CCCOMMON\CCCOMMON;Win32.HLLP.Feuh;Cured.;
NMAIN.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\CCCOMMON\CCCOMMON;Win32.HLLP.Feuh;Cured.;
NED.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\EDISK;Win32.HLLP.Feuh;Cured.;
IRALRSHL.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\LIVEREG;Win32.HLLP.Feuh;Cured.;
INSTMSIA.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\MSI;Win32.HLLP.Feuh;Cured.;
FXGAOUJ.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\NAVTOOLS\REPAIR\GAOBOTUJ;Win32.HLLP.Feuh;Cured.;
SYMLNCH.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\SYMLNCH;Win32.HLLP.Feuh;Cured.;
WINTDIST.EXE;F:\Programs & Software\Norton Systemworks 05\SUPPORT\WINTDIST;Win32.HLLP.Feuh;Cured.;
Aqua_Dock.exe;F:\Programs & Software\ObjectDock\Mac Icons;Win32.HLLP.Feuh;Cured.;
YzShadow.exe;F:\Programs & Software\ObjectDock\Mac Icons\MIMIC II Panther\Yzshadow;Win32.HLLP.Feuh;Cured.;
Loader.exe;F:\Programs & Software\Spy sweeper 3.5.0.194 + Crack;Win32.HLLP.Feuh;Cured.;
Loader.exe;F:\Programs & Software\Spy sweeper 3.5.0.194 + Crack;Trojan.DownLoader.9586;Incurable.Moved.;
wfaxaut.exe;F:\Programs & Software\WinFax Pro 10;Win32.HLLP.Feuh;Cured.;
40COMUPD.EXE;F:\Programs & Software\WinFax Pro 10\ADMIN;Win32.HLLP.Feuh;Cured.;
DCOM95.EXE;F:\Programs & Software\WinFax Pro 10\ADMIN;Win32.HLLP.Feuh;Cured.;
LUSETUP.EXE;F:\Programs & Software\WinFax Pro 10\SUPPORT\LUPDATE;Win32.HLLP.Feuh;Cured.;
WFXMACRO.EXE;F:\Programs & Software\WinFax Pro 10\WINFAX;Win32.HLLP.Feuh;Cured.;
WTNUHOOK.EXE;F:\Programs & Software\WinFax Pro 10\WINFAX;Win32.HLLP.Feuh;Cured.;
WZSEPE32.EXE;F:\WinZip;Win32.HLLP.Feuh;Cured.;


Logfile of HijackThis v1.99.1
Scan saved at 7:48:54 PM, on 21/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Gent\Desktop\drweb-cureit.exe
C:\DOCUME~1\Gent\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\Gent\LOCALS~1\Temp\RarSFX0\cureit.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sgicanada.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54a6dbbc-15b2-4ac5-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4ac5cfsb.dll (file missing)
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowBlinds] C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbload.exe auto
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tjgcfdl] C:\WINDOWS\System32\wins\tjgcfdl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Ylm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ruango.lnk = ?
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: yghflk.lnk = C:\WINDOWS\system32\mui\yghflkj.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://vanmappub.vancouver.ca/download/mgaxctrl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tuvuv - C:\WINDOWS\
O23 - Service: Abieliok - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\ICDSPTSV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Unknown owner - C:\WINDOWS\System32\WFXSVC.EXE (file missing)


Oh yeah and blast me if you want for using keygens and pirated programs but I only use it for personal reasons and I am in no way a commercial person who illegally sells or distributes this software; in fact I despise it. :flowers: I'm just a poor guy who will buy genuine software when I've got the money. For now, I stick with what I have. But I hope this is the end of it. If the Dr.Web isn't to end the way I mentioned it, then please let me know. (!! I just noticed that there is another pop-up :huh: ) Thanks a lot for your help and assistance! :thumbsup:
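The Dr.Web report above is a plain semicolon-separated list (file name; directory; detection name; action taken), and the questions that matter when reading one are how many distinct families were hit, what CureIt actually did with each file, and which lines still need a decision after the reboot. The script below is an added example for this thread, not Dr.Web's own tooling: it assumes that four-column layout and uses a handful of lines copied from the report as its constructed sample input.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread, not Dr.Web's own tooling. It assumes the report is one
detection per line in the form  name;directory;threat;action;  which is the layout of
the report pasted above. SAMPLE_REPORT holds a handful of lines copied from that report.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: seven lines taken verbatim from the report pasted in the thread.
SAMPLE_REPORT = "\n".join([
    r"autoup.exe;c:\windows;Adware.DealHelper;Moved.;",
    r"4ac5cfsb.dll;c:\windows\system32;Trojan.DownLoader.18133;Deleted.;",
    r"trtbc.dll;c:\windows\system32;Adware.Tencent;Will be moved after reboot.;",
    r"~deC.tmp\data005;C:\~deC.tmp;Adware.Borlander;;",
    r"ndcia.sys;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.226;Deleted.;",
    r"Loader.exe;F:\Programs & Software\Spy sweeper 3.5.0.194 + Crack;Trojan.DownLoader.9586;Incurable.Moved.;",
    r"Setup.exe;F:\Programs & Software\Adobe Photoshop CS2;Win32.HLLP.Feuh;Cured.;",
])


@dataclass(frozen=True)
class Detection:
    name: str       # file name (may carry an inner path for an archive member)
    directory: str  # folder the file was found in
    threat: str     # Dr.Web detection name, e.g. Trojan.DownLoader.18133
    action: str     # what CureIt did: "Deleted." / "Moved." / "Cured." / "" (nothing)


def parse_report(text: str) -> list[Detection]:
    """Parse the semicolon-separated report; lines with fewer than four fields are skipped."""
    found = []
    for raw in text.splitlines():
        fields = raw.rstrip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        found.append(Detection(*[f.strip() for f in fields[:4]]))
    return found


def category(threat: str) -> str:
    """Leading component of the detection name: Trojan, Adware, BackDoor, Win32 (file infector)."""
    return threat.split(".")[0]


def family(threat: str) -> str:
    """Drop the trailing numeric variant so Trojan.DownLoader.18133 and .19717 count as one family."""
    parts = threat.split(".")
    if len(parts) > 2 and parts[-1].isdigit():
        parts = parts[:-1]
    return ".".join(parts)


def outcome(action: str) -> str:
    """Classify the action column. An empty action means the scanner logged the hit but did
    nothing to that object (typical for a member of an archive that was moved as a whole);
    it still deserves a look."""
    a = action.lower()
    if not a:
        return "unhandled"
    if "after reboot" in a:
        return "pending"        # file was in use; confirm it is gone after the reboot
    if any(word in a for word in ("deleted.", "moved.", "cured.")):
        return "resolved"       # "Incurable.Moved." lands here too: quarantined
    return "unhandled"


def summarize(detections: list[Detection]) -> dict:
    return {
        "total": len(detections),
        "by_category": Counter(category(d.threat) for d in detections),
        "by_family": Counter(family(d.threat) for d in detections),
        "by_outcome": Counter(outcome(d.action) for d in detections),
        # everything not resolved, in report order, so each one can be asked about
        "needs_attention": [d for d in detections if outcome(d.action) != "resolved"],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} detections: {dict(summary['by_category'])}")
    print("families:", dict(summary["by_family"]))
    print("outcomes:", dict(summary["by_outcome"]))
    for d in summary["needs_attention"]:
        print(f"  review: {d.directory}\\{d.name} ({d.threat}) action={d.action!r}")
```

Run against the full report, the `needs_attention` list is the short list to carry into the next reply: the "Will be moved after reboot." entries (trtbc.dll, kbnaxp.dll) are exactly the ones that showed up again in the second scan, and the blank-action lines are the archive members and duplicates that were never touched on their own.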

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 March 2007 - 05:58 AM

Click on Start/Run, type CMD then press Enter.
At the Command Prompt copy and paste:
SC STOP Abieliok
Then press Enter.
At the Command Prompt again copy and paste:
SC DELETE Abieliok
Then press Enter.
Type EXIT then press Enter.

********************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {54a6dbbc-15b2-4ac5-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4ac5cfsb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [tjgcfdl] C:\WINDOWS\System32\wins\tjgcfdl.exe
O4 - HKCU\..\Run: [Ylm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - Global Startup: yghflk.lnk = C:\WINDOWS\system32\mui\yghflkj.exe
O20 - Winlogon Notify: tuvuv - C:\WINDOWS\


Exit Hijackthis, find and delete if present:
C:\WINDOWS\System32\wins
C:\WINDOWS\system32\mui

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

******************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Post the AVG Anti Spyware report, the C:\ComboFix.txt, and a new Hijackthis log into your next reply.

Edited by RichieUK, 22 March 2007 - 05:59 AM.

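The fix list in the post above is a selection from a 90-line HijackThis log, and the reasons behind most of the picks are mechanical: an O2/O3 add-on whose DLL is gone, an O4 autostart whose path HijackThis prints with '?' in it (it shows characters it cannot print that way, so W?nSxS and l?gonui.exe are look-alikes of WinSxS and logonui.exe), a Winlogon Notify entry that points at a bare directory instead of a DLL, and a service with no file at all. The script below is an added example for this thread, not part of HijackThis and not the helper's own method; it encodes those four checks and returns candidates for a person to review, nothing more. The two autostarts it deliberately does not catch (tjgcfdl.exe, yghflkj.exe) are the kind that only file-reputation knowledge can judge, which a script should not guess at.

```python
"""Flag HijackThis 1.99 log entries that merit a second look.

Added example for this thread, not part of HijackThis and not the helper's own method.
It applies four checks that match the kind of entry the helper put on the fix list and
returns candidates for a human to review; it fixes and deletes nothing.
"""
import re

# Constructed sample: lines copied from the HijackThis log pasted in the thread, mixing
# entries the helper asked to fix with ordinary ones that should pass.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {54a6dbbc-15b2-4ac5-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4ac5cfsb.dll (file missing)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [tjgcfdl] C:\WINDOWS\System32\wins\tjgcfdl.exe",
    r"O4 - HKCU\..\Run: [Ylm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe",
    "O20 - Winlogon Notify: tuvuv - C:\\WINDOWS\\",
    r"O23 - Service: Abieliok - - (no file)",
    r"O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)",
])

# Every HijackThis entry starts with its section code, e.g. "O4 - ..."; R0/R1/R3 lines are ignored.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def triage_line(line: str):
    """Return (section, reason) when the entry should be reviewed, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("O2", "O3") and body.endswith("(file missing)"):
        # A browser add-on registration whose DLL is gone: a dead entry, fixed to tidy up.
        return section, "browser add-on registered but its DLL is missing"
    if section == "O4" and "?" in body:
        # HijackThis prints characters it cannot display as '?'. A folder such as
        # W?nSxS is a look-alike of WinSxS with a non-ASCII character in its name.
        return section, "autostart path contains a character HijackThis could not print"
    if section == "O20" and body.endswith("\\"):
        # Winlogon Notify must name a DLL; a bare directory means the entry is bogus.
        return section, "Winlogon Notify target is a directory, not a DLL"
    if section == "O23" and body.endswith("(no file)"):
        # A service with no binary at all. The O23 "(file missing)" leftovers from
        # uninstalled products are a different, benign case and are not flagged.
        return section, "service registration with no binary behind it"
    return None


def triage_log(text: str) -> list[tuple[str, str, str]]:
    """(section, reason, line) for every entry triage_line flags, in log order."""
    hits = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.strip()))
    return hits


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The O23 "(no file)" case is also why the `SC STOP` / `SC DELETE` step can fail with `SC OpenService FAILED 1060` (the service does not exist): the registration HijackThis still sees may already be gone from the service database, and then the O23 line is fixed from inside HijackThis instead.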

#10 masterarchitect

masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 22 March 2007 - 11:46 AM

Hi, I have actually scanned with Dr. Web a second time and found some results not shown in the first scan. I will also post the results of your instructions after this reply.


trtbc.dll;C:\WINDOWS\system32;Adware.Tencent;Incurable.Moved.;
kbnaxp.dll;C:\WINDOWS\system32;Adware.Tencent;Incurable.Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Incurable.Moved.;

#11 masterarchitect

masterarchitect
  • Topic Starter

  • Members
  • 14 posts

Posted 22 March 2007 - 11:53 AM

Um... I cannot enter SC STOP Abieliok. The command prompt says that the specified service does not exist as an installed service. SC OpenService FAILED 1060. And I also cannot click on the downloads for AVG Anti-Spyware. What do I do from here?

Edited by masterarchitect, 22 March 2007 - 12:01 PM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 March 2007 - 12:06 PM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {54a6dbbc-15b2-4ac5-8b0d-4e03f37a8dbf} - C:\WINDOWS\System32\4ac5cfsb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [tjgcfdl] C:\WINDOWS\System32\wins\tjgcfdl.exe
O4 - HKCU\..\Run: [Ylm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - Global Startup: yghflk.lnk = C:\WINDOWS\system32\mui\yghflkj.exe
O20 - Winlogon Notify: tuvuv - C:\WINDOWS\
O23 - Service: Abieliok - - (no file)


Exit HijackThis, find and delete if present:
C:\WINDOWS\System32\wins
C:\WINDOWS\system32\mui
Reboot normally.

******************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Post the C:\ComboFix.txt, and a new HijackThis log into your next reply.

Edited by RichieUK, 22 March 2007 - 12:07 PM.


#13 masterarchitect (Topic Starter)

Posted 22 March 2007 - 01:04 PM

On startup, AVG Anti-Spyware says that it detected Adware/Malware.Boran in the system. What should I do with that? Running ComboFix... will post both logs from ComboFix and HijackThis.

#14 masterarchitect (Topic Starter)

Posted 22 March 2007 - 02:18 PM

Here is the ComboFix Report:

ComboFix 07-03-22.3 - Running from: "C:\Documents and Settings\Gent\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wbem\izpcl.dll
C:\Program Files\naqo\obrp.dll
C:\Program Files\ivlj\xnay.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\ad\send.lz
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\ad\d308314b\0001.exe
C:\Program Files\deepdo\DeepdoBar\Favorite\Favorite.dll
C:\Program Files\deepdo\DeepdoBar\Favorite\favorite.ini
C:\Program Files\deepdo\DeepdoBar\Favorite\Update.exe
C:\Program Files\deepdo\DeepdoBar\Favorite\Update.ini
C:\WINDOWS\system32\contenttemp\ADUploadFile\20070321195804zhaopin.swf
C:\WINDOWS\system32\contenttemp\ADUploadFile\20070321181609zhaopin.swf
C:\DOCUME~1\ALLUSE~1\TEMPLA~1.\temp.exe
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\score.txt
C:\WINDOWS\system32\toolset.ini
C:\WINDOWS\system32\unibar.exe
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\system32\drivers\romman.sys
C:\WINDOWS\system32\drivers\i82440bx.sys
C:\WINDOWS\config\starter\config.htm
C:\WINDOWS\system32\usrinit.ini
C:\WINDOWS\system32\msrundll.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td
C:\Program Files\Common Files\wanso
C:\Program Files\deepdo
C:\WINDOWS\system32\contenttemp
C:\WINDOWS\system32\contenttemp\438.html
C:\WINDOWS\system32\contenttemp\437.html
C:\~de*.tmp
C:\Program Files\ivlj\vlyw.dll
C:\Program Files\ivlj\aqdb.dll
C:\Program Files\Common Files\Ruango\Player.dll
C:\Program Files\Common Files\Ruango\Tmp6.tmp
C:\Program Files\Common Files\Ruango\Tmp7.tmp
C:\Program Files\Common Files\Ruango\Tmp8.tmp
C:\WINDOWS\system32\drivers\fkwld.sys
C:\WINDOWS\system32\usrinit.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\ruango.lnk
C:\Program Files\Common Files\Ruango
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\DOCUME~1\Gent
C:\qoobox\purity\DOCUME~1\Gent\APPLIC~1
C:\qoobox\purity\DOCUME~1\Gent\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Gent\APPLIC~1\YMANTE~1
C:\qoobox\purity\DOCUME~1\Gent\APPLIC~1\YMANTE~1\?ymantec


((((((((((((((((((((((((((((((( Files Created from 2007-02-22 to 2007-03-22 ))))))))))))))))))))))))))))))))))


2007-03-22 10:51 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-03-22 10:51 <DIR> d-------- C:\WINDOWS\system32\mui
2007-03-22 10:09 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-21 12:13 <DIR> d-------- C:\DOCUME~1\Gent\DoctorWeb
2007-03-21 01:48 <DIR> d-------- C:\Program Files\iesnap
2007-03-20 19:16 <DIR> d-------- C:\VundoFix Backups
2007-03-20 02:09 <DIR> d-------- C:\Program Files\naqo
2007-03-20 01:47 <DIR> d-------- C:\Program Files\ivlj\kxnl
2007-03-20 01:02 <DIR> d-------- C:\Program Files\ivlj\fvig
2007-03-20 00:57 <DIR> d-------- C:\Program Files\ivlj\lyom
2007-03-20 00:52 <DIR> d-------- C:\Program Files\ivlj\dtge
2007-03-20 00:52 <DIR> d-------- C:\Program Files\ivlj
2007-03-19 23:55 10,880 --a------ C:\WINDOWS\system32\drivers\stdio.sys
2007-03-19 20:13 <DIR> d-------- C:\Program Files\Common Files\hyhnochs
2007-03-19 20:13 <DIR> d-------- C:\Program Files\Common Files\cccgpsm
2007-03-19 20:13 <DIR> d-------- C:\Program Files\Common Files\agwu
2007-03-19 20:01 <DIR> d-------- C:\Program Files\Common Files\okuezub
2007-03-19 18:44 <DIR> d-------- C:\Program Files\Common Files\ivlj
2007-03-19 18:43 280,576 --a------ C:\WINDOWS\system32\lsanp.dll
2007-03-19 18:43 134,144 --a------ C:\WINDOWS\regdu.exe
2007-03-19 01:23 <DIR> d--hs---- C:\FOUND.000
2007-03-18 21:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zenturi
2007-03-18 20:38 <DIR> d-------- C:\Program Files\Norton SystemWorks
2007-03-18 20:22 <DIR> d-------- C:\Program Files\SymNetDrv
2007-03-18 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-03-18 18:06 134,144 --a------ C:\WINDOWS\regbin.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-22 10:26 7467 --a------ C:\DOCUME~1\Gent\APPLIC~1\.googlewebacchosts
2007-01-28 18:34 139 --a------ C:\DelUS.bat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Motive SmartBridge"="C:\\PROGRA~1\\TELUSE~1\\SMARTB~1\\MotiveSB.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus1.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PPHIDPAD"="C:\\WINPENJR\\Win32\\pphidpad.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WindowBlinds"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\wbload.exe auto"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"tdelici"="C:\\Program Files\\InterVideo\\tdelici.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{623D33B3-1E70-4705-88E9-649522AF6268}"="KC Project Notify"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}"="GoBack Shell Extension"
"{6F4747B0-4094-4200-A251-866989504B17}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"usrinit"="C:\\WINDOWS\\system32\\usrinit.exe"
"adsnt"="C:\\WINDOWS\\AdsNT.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\stdio

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
bkuetub
yktpdr
Navoct



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Gent.job
C:\WINDOWS\tasks\NgPqUFdbUnrexjfjhZHjtMBPBlZDGF.job
C:\WINDOWS\tasks\soZeEZZzYVs.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-22 11:38:08


>>HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 12:15:10 PM, on 22/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\npp\zfklkjk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\iesnap\navplay.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sgicanada.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowBlinds] C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbload.exe auto
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tdelici] C:\Program Files\InterVideo\tdelici.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://vanmappub.vancouver.ca/download/mgaxctrl.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Abieliok - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\ICDSPTSV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Unknown owner - C:\WINDOWS\System32\WFXSVC.EXE (file missing)



>> I just noticed that Abieliok is still listed in HijackThis under "O23 - Service: Abieliok - - (no file)". Do I have to do anything with that? Thanks!

EDIT: Is zfklkjk.exe a malicious program? I noticed that it is running in Task Manager. Thanks.

Edited by masterarchitect, 22 March 2007 - 02:34 PM.


#15 RichieUK (Malware Response Team)

Posted 22 March 2007 - 04:10 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Abieliok
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane, locate the service name:
Abieliok
Right-click on it and choose 'Delete'.
Exit regedit.

***************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\WINDOWS\regbin.exe
C:\WINDOWS\regdu.exe
C:\WINDOWS\System32\npp\zfklkjk.exe
C:\WINDOWS\system32\lsanp.dll
C:\WINDOWS\system32\mui
C:\Program Files\ivlj
C:\Program Files\naqo
C:\Program Files\Common Files\hyhnochs
C:\Program Files\Common Files\cccgpsm
C:\Program Files\Common Files\agwu
C:\Program Files\Common Files\okuezub
C:\Program Files\Common Files\ivlj
C:\WINDOWS\tasks\NgPqUFdbUnrexjfjhZHjtMBPBlZDGF.job
C:\WINDOWS\tasks\soZeEZZzYVs.job

Reboot normally.

***************************

Download 'e Scan MWAV' from here to your desktop:
http://www.mwti.net/download/tools/mwav.exe
Disconnect from the internet.
Double click on the mwav icon on your desktop.
The program will start, and the Licence Agreement will pop up.
Select 'I accept the agreement', then press Ok.
The program will open; leave all the settings as they are.
Now press the 'Scan & Clean' button.
The program will now start scanning your pc.
Once the scan has finished, exit MWAV.

Reboot, then post a new HijackThis log into your next reply.
Let me know how your pc is running now please.
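As an added example (not code from the thread or any of the tools named in it), here is a small Python triage script for the two log formats posted above. It parses HijackThis O4/O23 lines and the ComboFix 'Reg Loading Points' dump and flags the three patterns RichieUK acted on: services with no file (Abieliok), look-alike paths that HijackThis prints with '?' (W?nSxS\l?gonui.exe), and values under policies\explorer\Run, the key ComboFix listed in post #14 that the HijackThis log did not show and that the fix.reg in post #15 deletes. The sample lines are constructed from entries quoted in the thread.

```python
"""Triage helper for the two log formats in this thread: HijackThis 'O' lines and the
ComboFix 'Reg Loading Points' dump. Added example, not a tool posted in the thread."""
import re

# HijackThis v1.99.1 line shapes for Run-key autoruns (O4) and services (O23).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -\s*(?P<owner>.*?)\s*- (?P<path>.*)$")

# ComboFix dumps registry keys .reg style: a [HKEY_...] header, then "name"=value lines.
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Autorun key ComboFix listed (post #14) that HijackThis did not; fix.reg in post #15 deletes it.
POLICY_RUN = r"software\microsoft\windows\currentversion\policies\explorer\run"


def parse_combofix_reg(text):
    """Return {key_path_lowercase: {value_name: raw_value}} from a ComboFix reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = REG_VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value")
    return keys


def flag_hjt(lines):
    """Flag the HijackThis entry types acted on above; each finding is a line to check, not a verdict."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            if "(no file)" in m.group("path") or "(file missing)" in m.group("path"):
                # A service key with no binary: what 'sc stop' could not find and what
                # services.msc plus regedit had to remove by hand.
                findings.append(("orphan-service", m.group("name"), m.group("path")))
            continue
        m = O4_RE.match(line)
        if m and "?" in m.group("cmd"):
            # HijackThis prints characters it cannot display as '?'. A '?' inside a path
            # that otherwise spells a Windows name (W?nSxS, l?gonui.exe) marks a
            # look-alike directory or file name, not the real WinSxS or logonui.exe.
            findings.append(("lookalike-path", m.group("name"), m.group("cmd")))
    return findings


def flag_policy_run(reg):
    """Every value under policies\\explorer\\Run starts at logon like HKLM\\..\\Run."""
    out = []
    for key, values in reg.items():
        if key.endswith(POLICY_RUN):
            for name, value in values.items():
                # The dump doubles backslashes, .reg style; undo that for display.
                out.append(("policy-run", name, value.strip('"').replace("\\\\", "\\")))
    return out


def triage(hjt_text, combofix_text):
    return flag_hjt(hjt_text.splitlines()) + flag_policy_run(parse_combofix_reg(combofix_text))


# Constructed sample input, built from entries quoted in posts #12 and #14.
HJT_SAMPLE = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ylm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O23 - Service: Abieliok - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"usrinit"="C:\\WINDOWS\\system32\\usrinit.exe"
"adsnt"="C:\\WINDOWS\\AdsNT.exe"
"""

FINDINGS = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
```

Running the block on the samples yields four findings: the look-alike Ylm entry, the orphaned Abieliok service, and the usrinit and adsnt values under policies\explorer\Run; ctfmon.exe and the Adobe service are left alone.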
