
Random Fake Shareware Pop-ups


  • This topic is locked
14 replies to this topic

#1 Nat Sci (Members, 156 posts)

Posted 03 April 2007 - 04:04 PM

I don't know if anyone remembers me. I was getting help on my HJT log and a lost internet connection for a while. After finally getting it back, I used the computer regularly for a few months, and the next thing I know there are pop-ups that want me to install their program. Thank you for any help. And sorry to the last person who was trying to help me with my pop-ups.

Logfile of HijackThis v1.99.1
Scan saved at 4:58:39 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\HP_Owner\My Documents\HiJack\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\icmdec.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp1.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdedb.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: icmdec - C:\WINDOWS\SYSTEM32\icmdec.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Legend has it that... If you put an AOL disc the opposite way and play it you can hear devilish music... Even worse if you put it the right way... IT INSTALLS AOL!
Click here 3 times for $100,000<--- I mean .00001 dollars.

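The log above shows the entries the helper goes on to target and the pattern a practitioner learns to spot in a HijackThis log: unnamed BHOs whose DLLs sit in system32 (icmdec.dll, tmp1.tmp.dll), an orphan BHO CLSID with no file, the same icmdec.dll also registered as a Winlogon Notify package, a Run entry that loads efdedb.dll from the Windows root through rundll32, and a Run entry named after a Lexmark printer that actually launches lsasss.exe, one letter away from the system process lsass.exe. The script below is an added example by the editor, not code from the thread, from HijackThis or from VundoFix. It parses the O2, O4 and O20 lines and flags those patterns; the embedded sample is an excerpt of the poster's first log, and the heuristics (near-miss process names, rundll32 loading from the Windows root, a DLL that is both a BHO and a Winlogon Notify package) are the editor's own and will also fire on some legitimate software, so each hit is a lead to confirm by hand rather than a verdict.

```python
"""Triage a HijackThis 1.99 log for Vundo-style persistence entries.

Added example by the editor; not part of the thread, of HijackThis or of
VundoFix. The heuristics are the editor's reading of the thread's log.
"""
import re

# Constructed excerpt of the poster's first HijackThis log (O2/O4/O20 only).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\icmdec.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp1.tmp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdedb.dll",setvm
O20 - Winlogon Notify: icmdec - C:\WINDOWS\SYSTEM32\icmdec.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Core XP processes whose names malware imitates with one-letter changes.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<file>.+)$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def dirname(path):
    """Lower-cased directory of a Windows path, '' if the path has none."""
    parts = path.strip('"').rsplit("\\", 1)
    return parts[0].lower() if len(parts) == 2 else ""


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                  # extra character in a
        elif len(b) > len(a):
            j += 1                  # extra character in b
        else:
            i, j = i + 1, j + 1     # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage(log_text):
    """Return (section, log line, reason) triples for suspicious entries."""
    findings, bho_dlls = [], set()
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # O2: an unnamed BHO is unusual for legitimate software; "(no file)" is an
    # orphan CLSID left behind by an earlier, incomplete removal.
    for ln in lines:
        m = O2_RE.match(ln)
        if not m:
            continue
        name, file = m.group("name"), m.group("file")
        if file != "(no file)":
            bho_dlls.add(basename(file))
        if name == "(no name)" and file == "(no file)":
            findings.append(("O2", ln, "orphan BHO CLSID with no name and no file"))
        elif name == "(no name)":
            findings.append(("O2", ln, "unnamed BHO loading " + basename(file)))

    # O4: a rundll32 entry whose DLL lives in the Windows root rather than
    # system32, or an executable one edit away from a core process name.
    for ln in lines:
        m = O4_RE.match(ln)
        if not m:
            continue
        cmd = m.group("cmd")
        first = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        exe = basename(first)
        if exe == "rundll32.exe":
            rest = cmd.split(None, 1)[1] if len(cmd.split(None, 1)) > 1 else ""
            arg = re.match(r'"([^"]+)"|(\S+)', rest)
            if not arg:
                continue
            dll = (arg.group(1) or arg.group(2)).split(",")[0]
            if dirname(dll) in ("c:\\windows", "c:\\winnt"):
                findings.append(("O4", ln, "rundll32 loads %s from the Windows root" % basename(dll)))
        elif exe not in CORE_PROCESSES and any(within_one_edit(exe, p) for p in CORE_PROCESSES):
            findings.append(("O4", ln, "%s is one edit away from a core process name" % exe))

    # O20: a DLL that is both a BHO and a Winlogon Notify package is loaded by
    # winlogon.exe itself, which is why on-line deletion fails and a reboot is needed.
    for ln in lines:
        m = O20_RE.match(ln)
        if m and basename(m.group("file")) in bho_dlls:
            findings.append(("O20", ln, basename(m.group("file")) + " is both a BHO and a Winlogon Notify package"))
    return findings
```

Run `triage(SAMPLE_LOG)` and six entries come back: the three unnamed BHOs, lsasss.exe, the rundll32 line for efdedb.dll, and icmdec.dll under Winlogon Notify; igfxtray.exe, igfxsrvc.dll and the Adobe BHO pass. The O20 cross-reference is the one worth remembering: a DLL registered as a Winlogon notification package is mapped into winlogon.exe from boot, so a user-mode tool cannot delete it while the system is up, which is exactly why the VundoFix runs later in this thread report "Could not be deleted" and finish the job on reboot.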

#2 rookie147 (Members, 5,321 posts)

Posted 04 April 2007 - 07:05 AM

Hello there, my name is Charles and I will be dealing with your log today.
Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Nat Sci (Topic Starter; Members, 156 posts)

Posted 04 April 2007 - 04:37 PM

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 5:33:46 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Owner\My Documents\HiJack\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\icmdec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdedb.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: icmdec - C:\WINDOWS\SYSTEM32\icmdec.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Vundo:
VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 5:40:24 PM 9/26/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\yayayab.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\winptc32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayayab.dll
C:\WINDOWS\system32\yayayab.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Could not be deleted.

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 6:04:11 PM 9/26/2006

Listing files found while scanning....


VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 4:38:33 PM 9/30/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhhg.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 8:27:03 PM 10/2/2006

Listing files found while scanning....


VundoFix V6.2.0

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 7:28:56 PM 10/5/2006

Listing files found while scanning....

C:\WINDOWS\system32\ixdoufhv.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\uwnlwknn.dll
C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\yayayab.dll
C:\WINDOWS\system32\swymrqcm.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ixdoufhv.dll
C:\WINDOWS\system32\ixdoufhv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwnlwknn.dll
C:\WINDOWS\system32\uwnlwknn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\winptc32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayayab.dll
C:\WINDOWS\system32\yayayab.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\swymrqcm.exe
C:\WINDOWS\system32\swymrqcm.exe Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Could not be deleted.

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.0

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 9:49:51 AM 12/27/2006

Listing files found while scanning....


VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 5:16:50 PM 4/4/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!
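The VundoFix.txt pasted above is not one scan but every run since September 2006 appended to the same file, and read run by run it says more than the helper needs for the next step: jkhhg.dll could not be deleted on 26 September, was deleted on 30 September, and was back on 5 October together with the Update.exe and services.dll under Common Files\{74D31DD3-...}, which is the signature of a dropper that survived and re-created its payload. The script below is an added example by the editor, not code from the thread or from VundoFix. It splits a cumulative VundoFix.txt into runs and reports which files were found again after an earlier run had deleted them and which were ever locked at scan time; the embedded sample is a constructed excerpt of three of the poster's runs cut down to three files, and the run-record layout is the editor's own.

```python
"""Summarise a cumulative VundoFix.txt as a per-file timeline.

Added example by the editor; not part of the thread, of VundoFix or of
HijackThis. Parses the run headers, the "found" listing and the per-file
removal results that VundoFix writes, and nothing else.
"""
import re

# Constructed excerpt: three of the poster's runs, reduced to three files.
SAMPLE_LOG = r"""
VundoFix V6.1.6
Scan started at 5:40:24 PM 9/26/2006
Listing files found while scanning....
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\winptc32.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\winptc32.dll Has been deleted!
VundoFix V6.1.6
Scan started at 4:38:33 PM 9/30/2006
Listing files found while scanning....
C:\WINDOWS\system32\jkhhg.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!
VundoFix V6.2.0
Scan started at 7:28:56 PM 10/5/2006
Listing files found while scanning....
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\swymrqcm.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\winptc32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\swymrqcm.exe
C:\WINDOWS\system32\swymrqcm.exe Has been deleted!
"""

RUN_RE = re.compile(r"^VundoFix V(?P<ver>[\d.]+)$")
SCAN_RE = re.compile(r"^Scan started at .+ [AP]M (?P<date>\d+/\d+/\d+)$")
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+) Has been deleted!$")
LOCKED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+) Could not be deleted\.$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")


def parse_runs(text):
    """Split the file into runs; each run records found, deleted and locked paths."""
    runs, run = [], None
    for raw in text.splitlines():
        ln = raw.strip()
        if (m := RUN_RE.match(ln)):
            run = {"version": m.group("ver"), "date": None,
                   "found": [], "deleted": set(), "locked": set()}
            runs.append(run)
            continue
        if run is None or not ln or ln.startswith("Attempting to delete "):
            continue
        if (m := SCAN_RE.match(ln)):
            run["date"] = m.group("date")
        elif (m := DELETED_RE.match(ln)):
            run["deleted"].add(m.group("path").lower())
        elif (m := LOCKED_RE.match(ln)):
            # Locked at scan time. VundoFix retries on reboot, so one run can
            # list the same path as locked first and deleted later.
            run["locked"].add(m.group("path").lower())
        elif PATH_RE.match(ln):
            run["found"].append(ln.lower())
    return runs


def recurring_files(runs):
    """Paths found in a run after an earlier run reported them deleted."""
    deleted_so_far, recurring = set(), set()
    for run in runs:
        recurring |= {p for p in run["found"] if p in deleted_so_far}
        deleted_so_far |= run["deleted"]
    return recurring


def summarise(text):
    """Per-run counts plus the two lists an analyst actually wants."""
    runs = parse_runs(text)
    return {
        "runs": [(r["version"], r["date"], len(r["found"]),
                  len(r["deleted"]), len(r["locked"])) for r in runs],
        "recurring": sorted(recurring_files(runs)),
        "locked": sorted(set().union(*[r["locked"] for r in runs])),
    }
```

On the sample, `summarise(SAMPLE_LOG)["recurring"]` returns jkhhg.dll and winptc32.dll, both deleted in an earlier run and present again on 5 October, and `["locked"]` returns jkhhg.dll alone. A file that recurs after a clean deletion means the removal is treating symptoms: the thing to find is whatever re-creates it, which in this log is the Update.exe living next to services.dll under Common Files.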

#4 rookie147 (Members, 5,321 posts)

Posted 04 April 2007 - 05:23 PM

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entries below into the top boxes (no arrows):

--> C:\WINDOWS\SYSTEM32\icmdec.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles



#5 Nat Sci (Topic Starter; Members, 156 posts)

Posted 04 April 2007 - 07:36 PM

Vundo:

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 5:40:24 PM 9/26/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\yayayab.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\winptc32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayayab.dll
C:\WINDOWS\system32\yayayab.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Could not be deleted.

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 6:04:11 PM 9/26/2006

Listing files found while scanning....


VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 4:38:33 PM 9/30/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhhg.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 8:27:03 PM 10/2/2006

Listing files found while scanning....


VundoFix V6.2.0

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 7:28:56 PM 10/5/2006

Listing files found while scanning....

C:\WINDOWS\system32\ixdoufhv.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\uwnlwknn.dll
C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\yayayab.dll
C:\WINDOWS\system32\swymrqcm.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ixdoufhv.dll
C:\WINDOWS\system32\ixdoufhv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwnlwknn.dll
C:\WINDOWS\system32\uwnlwknn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winptc32.dll
C:\WINDOWS\system32\winptc32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayayab.dll
C:\WINDOWS\system32\yayayab.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\swymrqcm.exe
C:\WINDOWS\system32\swymrqcm.exe Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Could not be deleted.

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\services.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.0

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 9:49:51 AM 12/27/2006

Listing files found while scanning....


VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 5:16:50 PM 4/4/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\icmdec.dll
C:\WINDOWS\SYSTEM32\icmdec.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:34:08 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\My Documents\HiJack\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\icmdec.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdedb.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Legend has it that... If you put an AOL disc the opposite way and play it you can hear devilish music... Even worse if you put it the right way... IT INSTALLS AOL!
Click here 3 times for $100,000<--- I mean .00001 dollars.

#6 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 05 April 2007 - 02:50 AM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\icmdec.dll (file missing)
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdedb.dll",setvm
O20 - AppInit_DLLs:


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following folder (if present):

C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}

And the following files:

C:\WINDOWS\efdedb.dll
C:\WINDOWS\system32\lsasss.exe <--make sure you delete the right file ... there is a legitimate one with a very similar name!

Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Reboot into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please include the Panda results along with a new HijackThis log in your next reply.
Thanks,
Charles

Edited by rookie147, 05 April 2007 - 02:52 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.

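The checks Charles walks through above (a startup entry whose file name is one character off a real system binary such as lsass.exe, a rundll32 autostart that loads a stray DLL, a non-empty AppInit_DLLs value, a Winlogon Notify handler nobody recognises, an unnamed BHO, a service with no known publisher) are the kind of thing a helper spots by eye in a HijackThis log. As an added example, and not a HijackThis or BleepingComputer tool, here is a small Python script that applies those checks to HijackThis-style lines. The sample lines are copied from the logs posted in this thread; the list of system binaries and the Winlogon Notify allowlist are assumptions for illustration and would be tuned per machine. Unlike the fix list above, it leaves an empty `O20 - AppInit_DLLs:` alone, since an empty value is the normal state.

```python
# Added example for this thread (not a HijackThis or BleepingComputer tool):
# triage HijackThis-style lines for the patterns the helper checks by hand.
import re

# Windows XP system binaries that malware imitates with one-character name
# changes (lsasss.exe, svchosts.exe).  Assumption: illustrative list only.
SYSTEM_BINARIES = ("csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                   "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")
# Winlogon Notify handlers accepted on this machine (Intel graphics driver).
# Assumption: a real allowlist is built per machine from vendor documentation.
KNOWN_NOTIFY = {"igfxcui"}

RUN_RE = re.compile(r'^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<value>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')
EXE_RE = re.compile(r'^(?P<exe>.*?\.(?:exe|dll|sys))(?=["\s,]|$)', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a system name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename: str):
    """System binary this file name imitates, or None if exact or unrelated."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((s for s in SYSTEM_BINARIES if edit_distance(name, s) == 1), None)


def basename_of(cmd: str) -> str:
    """File name of the program a command line starts, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        m = EXE_RE.match(cmd)
        exe = m["exe"] if m else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1]


def triage_line(line: str) -> list:
    """Findings for one log line; an empty list means nothing stood out."""
    line, findings = line.strip(), []
    if m := RUN_RE.match(line):
        exe = basename_of(m["cmd"])
        if legit := lookalike(exe):
            findings.append(f"autostart [{m['name']}]: {exe} imitates {legit}")
        if exe.lower() == "rundll32.exe" and '"' in m["cmd"]:
            dll = m["cmd"].split('"')[1]
            findings.append(f"rundll32 autostart loads {dll}")
    elif m := BHO_RE.match(line):
        if m["name"] == "(no name)":
            findings.append(f"unnamed BHO {{{m['clsid']}}} loads {m['path']}")
    elif m := NOTIFY_RE.match(line):
        if m["name"].lower() not in KNOWN_NOTIFY:
            findings.append(f"Winlogon Notify handler not on allowlist: {m['path']}")
    elif m := APPINIT_RE.match(line):
        if m["value"]:  # an empty value is the normal state
            findings.append(f"AppInit_DLLs injects into every process: {m['value']}")
    elif m := SVC_RE.match(line):
        exe = basename_of(m["cmd"])
        if m["owner"] == "Unknown owner":
            findings.append(f"service '{m['name']}' has no publisher: {exe}")
        if legit := lookalike(exe):
            findings.append(f"service '{m['name']}': {exe} imitates {legit}")
    return findings


def triage_log(text: str) -> list:
    """(line, findings) for every line that produced at least one finding."""
    return [(l.strip(), f) for l in text.splitlines() if (f := triage_line(l))]


# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\icmdec.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdedb.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfage - C:\WINDOWS\SYSTEM32\igfage.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for entry, found in triage_log(SAMPLE_LOG):
        print(entry, *("   -> " + f for f in found), sep="\n")
```

The output is a list of lines worth a second look, not a verdict: the real lsass.exe and svchost.exe pass untouched, which is exactly why the warning above about deleting the right file matters, and a name on the allowlist is only as trustworthy as the allowlist.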

#7 Nat Sci

Nat Sci
  • Topic Starter

  • Members
  • 156 posts

Posted 07 April 2007 - 02:02 PM

The pop-ups have gotten worse and I'm having problems doing a Panda scan because of them... I finished everything else you said except the Java part too, because everything's running too slow... I got even more pop-ups than before.

Logfile of HijackThis v1.99.1
Scan saved at 2:57:22 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\{74D31DD3-07CF-1033-0902-040804030001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Documents and Settings\HP_Owner\My Documents\HiJack\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\igfage.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\yayxvtr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34D31~1\Bar888.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34D31~1\Bar888.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfage - C:\WINDOWS\SYSTEM32\igfage.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: yayxvtr - C:\WINDOWS\SYSTEM32\yayxvtr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 07 April 2007 - 02:48 PM

Hello there,
The infections we keep removing seem to be coming back, so I'd like you to run a few scans so we can try to get an idea as to why this is happening. With regard to the fact that you were receiving so many pop-ups you could not update Java, whilst I understand that this can be quite irritating, it is crucial that we get your Java updated as soon as possible. The Vundo infection that you have at the moment is known to exploit out-of-date versions of Java, so the quicker we get updated, the less likelihood there is of the infections resurfacing.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please download ATF Cleaner and Combofix to your Desktop.
Don't run either of them yet.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Reboot back into Normal Mode again. Follow my previous instructions and update Java.

Download F-Secure Blacklight and save it to your Desktop.
Double click on blbeta.exe to start the program.
Accept the user agreement and click Next.
Click Scan. You will then see a list of all the items found.
Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
BlackLight will have created a log on your Desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
Post that log in your next reply.

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.

In your next post, please include a new HijackThis log, the Blacklight report and the ComboFix results. Also post the FindAWF log.
Thanks,
Charles

Edited by rookie147, 07 April 2007 - 03:24 PM.


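Charles's point above about out-of-date Java, and the VundoFix output earlier in the thread that flags each old runtime it finds, come down to a version comparison. As an added example, not VundoFix or anything the helper posted, here is a short Python script that does that comparison correctly and says whether a new install is needed. The sample text is the VundoFix block quoted earlier in the thread; the JRE 6 threshold is an assumption taken from the helper's instructions.

```python
# Added example for this thread (not VundoFix or any BleepingComputer tool):
# sort the Java runtimes a VundoFix-style log lists into current and outdated.
import re

VERSION_RE = re.compile(r"Java version is (?P<ver>\d+(?:[._]\d+)*)")


def parse_version(text: str) -> tuple:
    """'1.5.0_11' (installer style) and '1.5.0.11' (VundoFix style) -> (1, 5, 0, 11).

    Short forms such as '1.6' are padded with zeros so tuple comparison works.
    """
    parts = tuple(int(p) for p in re.split(r"[._]", text))
    return parts + (0,) * (4 - len(parts))


def fmt(v: tuple) -> str:
    return ".".join(str(p) for p in v)


def java_report(log_text: str, current: tuple = (1, 6, 0, 0)) -> dict:
    """Which listed runtimes are below `current`, and whether a new install is needed.

    `current` is the oldest acceptable release; (1, 6, 0, 0) is JRE 6, the version
    the helper asks for in this thread (assumption: raise it as releases move on).
    Versions are compared as integer tuples, never as strings: as strings,
    "1.5.0.8" sorts after "1.5.0.10", which would hide the newer release.
    """
    installed = sorted({parse_version(m["ver"]) for m in VERSION_RE.finditer(log_text)})
    outdated = [v for v in installed if v < current]
    return {
        "installed": [fmt(v) for v in installed],
        "outdated": [fmt(v) for v in outdated],
        "needs_install": len(outdated) == len(installed),
    }


# Constructed sample: the "Checking Java version" block as VundoFix printed it above.
SAMPLE_VUNDOFIX = """Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11
"""

if __name__ == "__main__":
    print(java_report(SAMPLE_VUNDOFIX))
```

Every runtime in the sample is below the JRE 6 threshold, so the report lists all four as outdated and asks for a fresh install; add a `Java version is 1.6.0_01` line and the install flag clears while the four old entries stay on the removal list.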

#9 Nat Sci

Nat Sci
  • Topic Starter

  • Members
  • 156 posts

Posted 07 April 2007 - 10:43 PM

Ok, I got to the part until I should download Black Light. The link you gave is invalid. And I was unsure if I should've continued, so I'll just wait till your next instructions.

#10 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 08 April 2007 - 04:26 AM

Thanks for pointing that out to me, I didn't realise it wouldn't work anymore. Use this link instead.



#11 Nat Sci

Nat Sci
  • Topic Starter

  • Members
  • 156 posts

Posted 09 April 2007 - 09:55 PM

AWF:

Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ARES\BAK

05/03/2006 11:39 AM 1,212,928 Ares.exe
1 File(s) 1,212,928 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

07/29/2006 08:34 PM 5,354,792 MsnMsgr.Exe
1 File(s) 5,354,792 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 11:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 08:00 AM 15,360 ctfmon.exe
08/21/2004 01:55 AM 155,648 igfxtray.exe
10/16/2002 07:57 PM 81,920 ps2.exe
3 File(s) 252,928 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/15/2004 12:54 AM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\WILDTA~1\APPS\BAK

12/03/2002 08:24 PM 184,800 GameChannel.exe
1 File(s) 184,800 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/09/2006 05:16 PM 185,784 realsched.exe
1 File(s) 185,784 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

12/15/2006 04:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report



ComboFix:
"HP_Owner" - 07-04-07 16:07:25 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q1.exe
C:\WINDOWS\system32\dlh9jkd1q2.exe
C:\WINDOWS\system32\dlh9jkd1q5.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\qvx5gamet2.exe
C:\WINDOWS\system32\qvxga6met3.exe
C:\WINDOWS\system32\qvxga7met4.exe
C:\WINDOWS\system32\vexg3am1et3.exe
C:\WINDOWS\system32\vexg4am1et2.exe
C:\WINDOWS\system32\vexg6ame4.exe
C:\WINDOWS\system32\vexga1me4t1.exe
C:\WINDOWS\system32\vexga3me2.exe
C:\WINDOWS\system32\vexga4m1et4.exe
C:\WINDOWS\system32\vexga4me1.exe
C:\WINDOWS\system32\vexga5me3.exe
C:\1.exe
C:\U.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\max1d164v.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\system32\ktkzfoo.dll
C:\WINDOWS\system32\tmp19.tmp.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\bravesentry\BraveSentry.exe
C:\Program Files\bravesentry\BraveSentry.lic
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry0.dll
C:\Program Files\bravesentry\BraveSentry1.bs
C:\Program Files\bravesentry\BraveSentry1.dll
C:\Program Files\bravesentry\BraveSentry2.dll
C:\Program Files\bravesentry\BraveSentry3.dll
C:\Program Files\bravesentry\Uninstall.exe
C:\Program Files\deluxecommunications\Dxc.exe
C:\Program Files\deluxecommunications\DxcBho.dll
C:\Program Files\deluxecommunications\DxcCore.dll
C:\Program Files\msconfigs\MSCONFIGS.EXE
C:\Program Files\video activex object\iesplugin.dll
C:\Program Files\video activex object\iesuninst.exe
C:\Program Files\video activex object\isadd.dll
C:\Program Files\video activex object\isamini.exe
C:\Program Files\video activex object\isamntr.exe
C:\Program Files\video activex object\isunst.exe
C:\Program Files\video activex object\ot.ico
C:\Program Files\video activex object\pmmnt.exe
C:\Program Files\video activex object\pmsnrr.exe
C:\Program Files\video activex object\pmunst.exe
C:\Program Files\video activex object\ts.ico
C:\Program Files\video activex object\uninst.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\newdotnet\newdotnet6_38.dll
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall6_38.exe
C:\Program Files\Common Files\{34D31~1\Bar888.dll
C:\Program Files\Common Files\{34D31~1\UnInstall.exe
C:\Program Files\Common Files\{74D31~2\system.dll
C:\Program Files\Common Files\{74D31~2\Update.exe
C:\Program Files\Common Files\{74D31~1\Update.exe
C:\DOCUME~1\HP_Owner\APPLIC~1.\install.dat
C:\WINDOWS\system32\bkd.exe
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32\vx.tll
C:\windows\xpupdate.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\emdat.tm
C:\WINDOWS\emdat.tmp
C:\WINDOWS\pp.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\via.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\bravesentry
C:\Program Files\deluxecommunications
C:\Program Files\inetget2
C:\Program Files\msconfigs
C:\Program Files\video activex object
C:\WINDOWS\system32\bund1
C:\Program Files\newdotnet
C:\Program Files\Common Files\{34D31~1
C:\Program Files\Common Files\{74D31~2
C:\Program Files\Common Files\{74D31~1
C:\WINDOWS\system32\lzx32.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Documents and Settings\HP_Owner\Application Data\WNSXS~1
C:\qoobox\purity\Program Files\FNTS~1
C:\qoobox\purity\Program Files\Common Files\TSKS~1
C:\qoobox\purity\WINDOWS\MANTEC~1
C:\qoobox\purity\WINDOWS\STEM32~1
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1
C:\qoobox\purity\WINDOWS\MANTEC~1\regedit.exe
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0000
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0001
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0002
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0003
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0004
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0005
C:\qoobox\purity\WINDOWS\MANTEC~1\MANTEC~1\ctxad-539.0006
C:\qoobox\purity\WINDOWS\system32\MBOLS~1
C:\qoobox\purity\WINDOWS\system32\MBOLS~1\services.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Client IP-IPX
-------\LEGACY_CLIENT_IP-IPX


((((((((((((((((((((((((((((((( Files Created from 2007-03-07 to 2007-04-07 ))))))))))))))))))))))))))))))))))


2007-04-07 15:10 106,767 --a------ C:\WINDOWS\khgfgf.dll
2007-04-07 15:09 76,412 --a------ C:\WINDOWS\system32\srsnfbbq.dll
2007-04-07 15:09 48,708 --a------ C:\WINDOWS\system32\phwctqnc.dll
2007-04-07 15:09 1,216,701 ---hs---- C:\WINDOWS\system32\cccdd.bak1
2007-04-07 15:08 280,676 ---hs---- C:\WINDOWS\system32\ddccc.dll
2007-04-07 14:56 19,216 --a------ C:\WINDOWS\system32\igfage.dll
2007-04-07 14:53 96,895 --a------ C:\WINDOWS\system32\zup.exe.exe
2007-04-07 14:53 84,992 --a------ C:\WINDOWS\system32\mmn.exe.exe
2007-04-07 14:53 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-07 14:53 37,888 --a------ C:\WINDOWS\system32\pdp.exe.exe
2007-04-07 14:52 1,185,894 --a------ C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
2007-04-07 14:51 96,768 --a------ C:\WINDOWS\system32\dxclib303562752.dll
2007-04-07 14:50 <DIR> d--h----- C:\Program Files\BHO Plugin
2007-04-07 14:50 <DIR> d-------- C:\temp\tn3
2007-04-07 14:49 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-07 14:49 <DIR> d-------- C:\Program Files\DeskAlerts
2007-04-07 14:48 93,509 --a------ C:\sstray.exe
2007-04-07 14:48 26,694 --a------ C:\WINDOWS\system32\yayxvtr.dll
2007-04-07 14:48 11,612 --a------ C:\svhost.exe
2007-04-07 14:43 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\WinRAR
2007-04-07 14:41 <DIR> d-------- C:\Program Files\AC Tool
2007-04-05 20:14 945,936 --a------ C:\WINDOWS\system32\msjava.dll
2007-04-05 20:14 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-04-05 20:14 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-04-05 20:14 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-04-05 20:14 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-04-05 20:14 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-04-05 20:14 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-04-05 20:14 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-04-05 20:14 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-04-05 20:14 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-04-05 20:14 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-04-05 20:14 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-04-05 20:14 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-04-05 20:14 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-04-05 20:14 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-04-05 20:14 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-04-05 18:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-30 15:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
2007-03-28 13:14 <DIR> d-------- C:\Program Files\TibiaBot NG
2007-03-27 22:27 <DIR> d-------- C:\Program Files\Valve
2007-03-24 18:21 2,359,296 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-03-23 23:25 <DIR> d-------- C:\WINDOWS\system32\bak
2007-03-23 23:20 <DIR> d-------- C:\Program Files\Trymedia
2007-03-23 23:20 <DIR> d-------- C:\GameRival
2007-03-23 17:42 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-03-22 17:48 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\WINDOWS
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Symantec
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Sun
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Sonic
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\SampleView
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Real
2007-03-21 19:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Apple Computer
2007-03-21 19:53 21,060 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2007-03-21 19:39 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-03-21 19:39 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-03-21 19:39 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-03-21 19:38 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-03-21 19:38 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-03-21 19:38 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-03-21 18:53 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2007-03-21 18:03 <DIR> dr-hs---- C:\cmdcons
2007-03-21 18:02 <DIR> d-------- C:\WINDOWS\setupupd
2007-03-21 17:58 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-03-21 14:17 16,896 --a------ C:\WINDOWS\rundll.exe
2007-03-21 08:53 340,936 --a------ C:\WINDOWS\funnies.exe
2007-03-21 00:02 <DIR> d-------- C:\Program Files\SpyLocked
2007-03-21 00:00 445,440 --a------ C:\wmplayer.dll
2007-03-21 00:00 16,896 --a------ C:\DOCUME~1\HP_Owner\ie_updater.exe
2007-03-20 23:16 105,656 --a------ C:\WINDOWS\iifffe.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-07 14:49 -------- d-------- C:\Program Files\quicktime
2007-04-07 14:49 -------- d-------- C:\Program Files\msn messenger
2007-04-07 14:49 -------- d-------- C:\Program Files\itunes
2007-04-07 14:47 37264 --a------ C:\WINDOWS\system32\ps2.exe
2007-04-07 14:47 37264 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-04-07 14:47 37264 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-04-07 14:14 -------- d-------- C:\Program Files\gamespy arcade
2007-04-07 14:13 -------- d-------- C:\Program Files\swiftswitch
2007-04-06 11:34 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\wsinspector
2007-04-06 10:09 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\limewire
2007-04-05 20:37 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-04-05 20:02 -------- d-------- C:\Program Files\java
2007-04-03 17:10 -------- d-------- C:\Program Files\intervideo
2007-03-30 15:32 -------- d-------- C:\Program Files\msn games
2007-03-28 18:12 540 --a------ C:\WINDOWS\ereg.dat
2007-03-27 22:27 -------- d--h----- C:\Program Files\installshield installation information
2007-03-27 15:00 -------- d-------- C:\Program Files\ares
2007-03-27 00:48 -------- d-------- C:\Program Files\messenger
2007-03-22 14:33 -------- d-------- C:\Program Files\apple software update
2007-03-21 19:50 -------- d-------- C:\Program Files\Common Files\surething shared
2007-03-21 19:12 -------- d-------- C:\Program Files\windows nt
2007-03-21 19:12 -------- d-------- C:\Program Files\movie maker
2007-03-21 18:10 -------- d-------- C:\Program Files\startup inspector for windows
2007-03-21 18:08 3645 --a------ C:\WINDOWS\viassary-hp.reg
2007-03-21 18:08 -------- d-------- C:\Program Files\easy internet signup
2007-03-21 18:03 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-16 15:44 -------- d-------- C:\Program Files\divx
2007-03-01 19:57 -------- d-------- C:\Program Files\knightonline
2007-03-01 00:22 -------- d--h----- C:\DOCUME~1\HP_Owner\APPLIC~1\ijji
2007-02-17 22:11 -------- d-------- C:\Program Files\tibia
2007-02-16 19:12 93736 --a------ C:\WINDOWS\ttc.exe
2007-02-16 15:23 -------- d-------- C:\Program Files\p2pnet~1
2007-02-11 17:58 -------- d-------- C:\Program Files\insanitydm
2007-01-31 00:24 1070 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"BootService"="rundll32.exe \"C:\\WINDOWS\\khgfgf.dll\",realset"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9697716-61E6-4FBC-89FD-EAC504D9EFE3}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfage
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxvtr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-07 16:37:49
C:\ComboFix-quarantined-files.txt ... 07-04-07 16:37
C:\ComboFix2.txt ... 07-02-03 23:41
C:\ComboFix3.txt ... 06-11-01 20:16



BlackLight:
04/08/07 18:47:02 [Info]: BlackLight Engine 1.0.61 initialized
04/08/07 18:47:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/08/07 18:47:03 [Note]: 7019 4
04/08/07 18:47:03 [Note]: 7005 0
04/08/07 18:47:10 [Note]: 7006 0
04/08/07 18:47:11 [Note]: 7011 1420
04/08/07 18:47:11 [Note]: 7026 0
04/08/07 18:47:12 [Note]: 7026 0
04/08/07 18:47:49 [Note]: FSRAW library version 1.7.1021
04/08/07 18:54:13 [Note]: 4013 177800
04/08/07 18:54:13 [Note]: 4020 5577 851968
04/08/07 18:54:13 [Note]: 4018 5577 851968
04/08/07 18:54:13 [Note]: 4013 177791
04/08/07 18:54:13 [Note]: 4020 5577 851968
04/08/07 18:54:13 [Note]: 4018 5577 851968
04/08/07 18:54:24 [Note]: 4013 177791
04/08/07 18:54:24 [Note]: 4020 5577 851968
04/08/07 18:54:24 [Note]: 4018 5577 851968
04/08/07 19:43:51 [Note]: 7006 0
04/08/07 19:43:51 [Note]: 7011 1420
04/08/07 19:43:51 [Note]: 7026 0
04/08/07 19:43:51 [Note]: 7026 0
04/08/07 19:43:53 [Note]: FSRAW library version 1.7.1021
04/08/07 19:44:01 [Note]: 7007 0




HJT:
Logfile of HijackThis v1.99.1
Scan saved at 10:52:51 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\My Documents\HiJack\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\igfage.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp1EB.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\yayxvtr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CFBB5D8F-77BD-465F-9250-B8A6E4562EB0} - C:\WINDOWS\system32\ddccc.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\twukcppp.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmnlkh.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: igfage - C:\WINDOWS\SYSTEM32\igfage.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: yayxvtr - C:\WINDOWS\SYSTEM32\yayxvtr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Legend has it that... If you put an AOL disc the opposite way and play it you can hear devilish music... Even worse if you put it the right way... IT INSTALLS AOL!
Click here 3 times for $100,000<--- I mean .00001 dollars.

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2007 - 03:26 AM

Sorry, but can I have one more log before we try to remove everything.
Make a list of all the programs installed on your computer:
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created.
Copy and paste the contents of this file to your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 Nat Sci

Nat Sci
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 10 April 2007 - 04:04 PM

AC Tool
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
Agere Systems PCI Soft Modem
Apple Software Update
CC_ccProxyMSI
CC_ccStart
ccCommon
Easy Internet Sign-up
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.2.3
HP Image Zone Plus 4.2.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZ423
ijji - Gunz
IntelliMover Data Transfer Demo
Internet Worm Protection
InterVideo DiscLabel
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java™ SE Runtime Environment 6 Update 1
KBD
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
MSRedist
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Personal Firewall
Norton Personal Firewall (Symantec Corporation)
Norton Security Center
Norton WMI Update
Panda ActiveScan
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
SabreWing 2 from downloadcom (remove only)
Sonic Express Labeler
Sonic Update Manager
SPBBC
SwiftSwitch
Symantec
SymNet
Uninstall Startup Inspector
Updates from HP
VIA/S3 Display Driver
WildTangent GameChannel (remove only)
WildTangent Web Driver
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB883667
WinRAR archiver

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 11 April 2007 - 03:23 AM

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Firstly, did you install "DeskAlerts" yourself?
The program was installed when the malware came in.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\igfage.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp1EB.tmp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\yayxvtr.dll
O2 - BHO: (no name) - {CFBB5D8F-77BD-465F-9250-B8A6E4562EB0} - C:\WINDOWS\system32\ddccc.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\twukcppp.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmnlkh.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: igfage - C:\WINDOWS\SYSTEM32\igfage.dll
O20 - Winlogon Notify: yayxvtr - C:\WINDOWS\SYSTEM32\yayxvtr.dll


Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix checked button.

Copy and paste the following text into Notepad:
@echo off
If exist "C:\Program Files\ARES\Ares.exe" del /q "C:\Program Files\ARES\Ares.exe"
copy "C:\Program Files\ARES\BAK\Ares.exe" "C:\Program Files\ARES"
If exist "C:\Program Files\ITUNES\iTunesHelper.exe" del /q "C:\Program Files\ITUNES\iTunesHelper.exe"
copy "C:\Program Files\ITUNES\BAK\iTunesHelper.exe" "C:\Program Files\ITUNES"
If exist "C:\Program Files\MSNmessenger\MsnMsgr.Exe" del /q "C:\Program Files\MSNmessenger\MsnMsgr.Exe"
copy "C:\Program Files\MSNmessenger\BAK\MsnMsgr.Exe" "C:\Program Files\MSNmessenger"
If exist "C:\Program Files\Quicktime\qttask.exe" del /q "C:\Program Files\Quicktime\qttask.exe"
copy "C:\Program Files\Quicktime\BAK\qttask.exe" "C:\Program Files\Quicktime"
If exist "C:\WINDOWS\SMINST\RECGUARD.EXE" del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"
copy "C:\WINDOWS\SMINST\BAK\RECGUARD.EXE" "C:\WINDOWS\SMINST"
If exist "C:\WINDOWS\SYSTEM32\ctfmon.exe" del /q "C:\WINDOWS\SYSTEM32\ctfmon.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\ctfmon.exe" "C:\WINDOWS\SYSTEM32"
If exist "C:\WINDOWS\SYSTEM32\igfxtray.exe" del /q "C:\WINDOWS\SYSTEM32\igfxtray.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\igfxtray.exe" "C:\WINDOWS\SYSTEM32"
If exist "C:\WINDOWS\SYSTEM32\ps2.exe" del /q "C:\WINDOWS\SYSTEM32\ps2.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\ps2.exe" "C:\WINDOWS\SYSTEM32"
If exist "C:\HP\DRIVERS\hplsbwatcher\lsburnwatcher.exe" del /q "C:\HP\DRIVERS\hplsbwatcher\lsburnwatcher.exe"
copy "C:\HP\DRIVERS\hplsbwatcher\BAK\lsburnwatcher.exe" "C:\HP\DRIVERS\hplsbwatcher"
If exist "C:\Program Files\WildTangent\APPS\GameChannel.exe" del /q "C:\Program Files\WildTangent\APPS\GameChannel.exe"
copy "C:\Program Files\WildTangent\APPS\BAK\GameChannel.exe" "C:\Program Files\WildTangent\APPS"
If exist "C:\Program Files\Common Files\REAL\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\REAL\Update_OB\realsched.exe"
copy "C:\Program Files\Common Files\REAL\Update_OB\BAK\realsched.exe" "C:\Program Files\Common Files\REAL\Update_OB"
If exist "C:\Program Files\Java\jre1.6.0_01\BIN\jusched.exe" del /q "C:\Program Files\Java\jre1.6.0_01\BIN\jusched.exe"
copy "C:\Program Files\Java\jre1.6.0_01\BIN\BAK\jusched.exe" "C:\Program Files\Java\jre1.6.0_01\BIN"
exit
Save this as "AWF.bat". Choose to save as "All Files", and place it on your Desktop.
Don't use it yet.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\khgfgf.dll
C:\WINDOWS\system32\srsnfbbq.dll
C:\WINDOWS\system32\phwctqnc.dll
C:\WINDOWS\system32\yayxvtr.dll
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\tmp1EB.tmp.dll
C:\WINDOWS\system32\igfage.dll
C:\WINDOWS\system32\zup.exe.exe
C:\WINDOWS\system32\mmn.exe.exe
C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\dxclib303562752.dll
C:\WINDOWS\system32\drivers\core.sys
C:\sstray.exe
C:\WINDOWS\system32\yayxvtr.dll
C:\WINDOWS\system32\igfage.dll
C:\svhost.exe
C:\WINDOWS\khgfgf.dll
C:\WINDOWS\rundll.exe
C:\WINDOWS\funnies.exe
C:\WINDOWS\pmnlkh.dll
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\twukcppp.dll
C:\wmplayer.dll
C:\Documents and Settings\HP_Owner\ie_updater.exe
C:\WINDOWS\iifffe.dll
C:\WINDOWS\ttc.exe


Open 'File' in the Killbox menu on top and choose 'Paste from clipboard'.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now. Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Double-click AWF.bat.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following folders (if present):

C:\Program Files\BHO Plugin
C:\Program Files\SpyLocked
C:\Program Files\P2PNetworks

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BootService"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9697716-61E6-4FBC-89FD-EAC504D9EFE3}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfage]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxvtr]

Save this as "fix.reg". Choose to save as "All Files", and place it on your Desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Reboot back into Normal Mode.

Copy and paste the following text into Notepad:
regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\system\currentcontrolset\control"
Save this as "look.bat". Choose to save as "All Files", and place it on your Desktop.
Double-click look.bat.

Please post back a new FindAWF log, a new HijackThis log, and the look.txt. Also answer my question about DeskAlerts.
Thanks,
Charles

Edited by rookie147, 11 April 2007 - 04:54 AM.

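As an added example for the triage in the post above (not code from the thread, from HijackThis, or from any tool it mentions), the script below re-applies the indicators the helper acted on to HijackThis log lines: unnamed O2 BHOs, O4 Run values that start a DLL through rundll32.exe, Run targets whose name is a one-character look-alike of a core Windows process (lsasss.exe for lsass.exe), and O20 Winlogon Notify packages whose DLL is not on a known-good list. The allow-list, the process-name list and the sample log are constructed assumptions, not data from the thread.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not a HijackThis feature.  Every heuristic
here is one the helper applied by eye in the thread.  The allow-list, the
process-name list and SAMPLE_HJT_LOG are constructed for the example.
"""
import re
from typing import List, Optional, Tuple

# Assumption: a per-host list of Winlogon Notify DLLs the analyst has already
# verified as legitimate (igfxsrvc.dll is the Intel graphics package).
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "scecli.dll", "wlnotify.dll"}

# Core Windows process names that malware imitates with a near-miss spelling.
SYSTEM_PROCESS_STEMS = {"lsass", "svchost", "csrss", "winlogon",
                        "services", "smss", "explorer"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)',
                       re.IGNORECASE)

# Constructed sample modelled on the log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b339c4b-a5a8-43da-b463-a735758201b6} - C:\WINDOWS\system32\igfage.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\twukcppp.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: yayxvtr - C:\WINDOWS\SYSTEM32\yayxvtr.dll
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character impostor names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def impostor_of(exe_name: str) -> Optional[str]:
    """Return the system process name this file name imitates, if any."""
    stem = exe_name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    if stem in SYSTEM_PROCESS_STEMS:
        return None  # exact name; whether the path is right is a separate check
    for real in SYSTEM_PROCESS_STEMS:
        if edit_distance(stem, real) == 1:
            return real
    return None


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the HJT line matches an indicator, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("name") == "(no name)":
            return "unnamed BHO: %s" % m.group("path")
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip()
        r = RUNDLL_RE.match(cmd)
        if r:
            return "Run value [%s] loads a DLL via rundll32: %s!%s" % (
                m.group("value"), r.group("dll"), r.group("export"))
        # Quoted target: take the quoted part; otherwise the first token.
        target = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        real = impostor_of(basename(target))
        if real:
            return "Run value [%s] starts %s, a look-alike of %s.exe" % (
                m.group("value"), basename(target), real)
        return None
    m = O20_RE.match(line)
    if m:
        dll = basename(m.group("path"))
        if dll not in KNOWN_NOTIFY_DLLS:
            return "Winlogon Notify package %s loads unknown DLL %s" % (m.group("key"), dll)
        return None
    return None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line that matched an indicator."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for hit, why in triage_log(SAMPLE_HJT_LOG):
        print("%-10s %s" % ("CHECK", why))
```

A hit is a prompt to verify the file (publisher, hash, creation date), not a verdict; the Run targets the helper restored from BAK in this thread carried legitimate names and would pass these checks.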


#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 18 April 2007 - 09:18 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter.

Everyone else please begin a New Topic.





