
Webspec.dll And Sembako-dgzjlmi.exe


This topic is locked
8 replies to this topic

#1 chappie1538

  • Members
  • 4 posts

Posted 16 April 2007 - 01:58 PM

Hi guys,

Firstly I would like to apologize for my English. I hope the story is understandable.

Secondly, my problems. Actually, it is my girlfriend’s notebook. After I took a look at it, it had Norton, the last updates were in Nov 2005, so the Norton contract had expired. I installed AVG antivirus and after scanning, the notebook contained about 150 worms and Trojans. Everything was fixed, but then there came a new problem.

After starting the notebook there are 4 ‘windows’. I’ll describe the first 3. They are exactly the same and say:

RUNDLL

There is an error while ‘C:\Programfiles\Webspecials\Webspec.dll’ tried to load. Can not find the module.


The fourth one sounds like:

C:\WINDOWS\Sembako-dgzjlmi.exe

Windows can not find the file ‘C:\WINDOWS\Sembako-dgzjlmi.exe’. Check if the name is correctly spelled and try again. If you want to search for the file, go to START and then to SEARCH.


I translated the windows, because we have the Dutch one.

Last small problem I have, is that I have a film(Eragon) and I want to delete it, but it says that I can not delete it, because it is used by another program.

Finally, the problem is that I don’t have internet at home, only wireless at school. So I’ll be able to read any reactions tomorrow morning (April 17).

Thanks a lot and I look forward to the reactions.

Greetings,

Chappie (and the girlfriend)



Logfile of HijackThis v1.99.1
Scan saved at 18:06:32, on 16-4-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...92&ttid=104
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-dgzjlmi.exe"
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871577CD-7739-4369-9949-02EFA42AC8F2} - C:\WINDOWS\System32\ncoa.dll (file missing)
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll (file missing)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Sony\Local Settings\Temporary Internet Files\Content.IE5\JIFDD57R\delf061225[1].exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {8FACB588-4A4B-46C1-807B-1F08D0AC7592} (eTours Control) - http://www.360etours.net/activex/eTours3-4-0-01.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...aeafec90882709a
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {4D732896-3BF8-42C3-8416-EFCA10FC7070} - C:\WINDOWS\System32\ncoa.dll
O18 - Filter: text/plain - {4D732896-3BF8-42C3-8416-EFCA10FC7070} - C:\WINDOWS\System32\ncoa.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
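A helper reading the log above picks out entries by a few recurring signs: a referenced file that no longer exists, something appended to the Winlogon `Shell=` line, an autorun pointing into the browser cache, a policy restriction on a home PC, or a search bar redirected to an external URL. The script below is an added example (not part of the original post and not HijackThis itself) that parses lines in the same format and applies those heuristics; the sample lines are copied from the posted log, and the heuristics are this example's own choices, not an official rule set.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not from the forum post and not part of HijackThis.
The heuristics below are illustrative choices made for this example.
"""
import re

# Constructed sample: a handful of lines in the format of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...92&ttid=104
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-dgzjlmi.exe"
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Sony\Local Settings\Temporary Internet Files\Content.IE5\JIFDD57R\delf061225[1].exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Every entry line starts with a section code (R0/R1, F0-F3, O1-O24) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RF]\d|O\d+) - (?P<body>.*)$")


def parse_log(text):
    """Return [(section, body)] for every entry line; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage_entry(sec, body):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    low = body.lower()

    # Orphaned BHO/toolbar/autorun: the file is gone but the registry entry remains.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry: referenced file is gone, leaves startup errors")

    # Winlogon shell should be exactly Explorer.exe; anything appended runs at logon.
    if sec == "F2" and "shell=" in low:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reasons.append("shell hijack: extra program appended to Shell=")

    # Legitimate software does not autorun from the browser cache or a temp folder.
    if sec == "O4" and ("temporary internet files" in low or "\\temp\\" in low):
        reasons.append("autorun from browser cache/temp folder")

    # rundll32 loading a DLL that is not a system library is a common adware loader.
    if sec == "O4" and "rundll32" in low and "\\system32\\" not in low:
        reasons.append("rundll32 launching a DLL outside System32")

    # O7 lists policy restrictions; on a home PC these are usually malware-imposed.
    if sec == "O7":
        reasons.append("policy restriction set (e.g. DisableRegedit); not normal on a home PC")

    # Search/start page pointing to an external URL instead of about:blank or a known site.
    if sec in ("R0", "R1") and "http://" in low and any(
        k in low for k in ("search bar", "start page", "searchurl", "searchassistant")
    ):
        reasons.append("browser search/start page points to an external URL")

    return reasons


def triage_log(text):
    """Return [(section, body, reasons)] for entries that have at least one reason."""
    flagged = []
    for sec, body in parse_log(text):
        reasons = triage_entry(sec, body)
        if reasons:
            flagged.append((sec, body, reasons))
    return flagged


if __name__ == "__main__":
    for sec, body, reasons in triage_log(SAMPLE_LOG):
        print(f"{sec}: {body}")
        for r in reasons:
            print(f"    -> {r}")
```

Run against the sample it flags six of the nine lines; the Spybot SDHelper BHO, the AVG autorun and the Sygate service pass untouched, which is the point: the heuristics single out the same entries the helper later asks to have fixed without blanket-flagging every line.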


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 April 2007 - 03:46 PM

Hello,

It looks like you are dealing with some very old infections which have most probably already been removed by your AVG and antispyware scanners; however, leftovers are still remaining in the registry and that's why you are getting these errors.

Perform next steps in the right order please...

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...92&ttid=104
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-dgzjlmi.exe"
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll (file missing)
O2 - BHO: (no name) - {871577CD-7739-4369-9949-02EFA42AC8F2} - C:\WINDOWS\System32\ncoa.dll (file missing)
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll (file missing)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Sony\Local Settings\Temporary Internet Files\Content.IE5\JIFDD57R\delf061225[1].exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {8FACB588-4A4B-46C1-807B-1F08D0AC7592} (eTours Control) - http://www.360etours.net/activex/eTours3-4-0-01.ocx
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...aeafec90882709a
O18 - Filter: text/html - {4D732896-3BF8-42C3-8416-EFCA10FC7070} - C:\WINDOWS\System32\ncoa.dll
O18 - Filter: text/plain - {4D732896-3BF8-42C3-8416-EFCA10FC7070} - C:\WINDOWS\System32\ncoa.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot your computer.

After reboot,

Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

Save this as fix.reg. Choose to save as *all files and place it on your desktop.
It should look like this: [screenshot]
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
Post the log from AVG Anti-Spyware together with a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
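The fix.reg above works because, in a .reg file, a value written as `"Name"=-` tells regedit to delete that value rather than set it, and the `REGEDIT4` header is what makes regedit accept the file at all (hence the reminder to copy it). The parser below is an added example, not part of the original post or of Windows; it reads the posted fix.reg text (plus the `[-Key]` delete-key form, which the post does not use) and reports what merging it would do, so a reader can check a fix before applying it.

```python
"""Explain what a REGEDIT4 .reg fix will do before it is merged.

Added example: not from the forum post and not part of Windows or regedit.
"""
import re

# Constructed sample: the fix.reg text posted by the helper above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-
"""

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")       # [Key] or [-Key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')        # "Name"=data or "Name"=-


def has_valid_header(text):
    """True if the first non-blank, non-comment line is a header regedit accepts."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(";"):
            return s in VALID_HEADERS
    return False


def parse_reg(text):
    """Return [(key, value_name, action, data)] with action in
    {'delete_key', 'delete_value', 'set'}; raise ValueError on a missing header."""
    if not has_valid_header(text):
        raise ValueError("missing REGEDIT4 header; regedit will not merge this file")
    ops, current, seen_header = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if not seen_header:          # first real line is the header we already validated
            seen_header = True
            continue
        m = KEY_RE.match(s)
        if m:
            current = m.group("key")
            if m.group("minus"):     # [-Key] deletes the whole key and everything under it
                ops.append((current, None, "delete_key", None))
            continue
        m = VALUE_RE.match(s)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data == "-":          # "Name"=- deletes just that value
                ops.append((current, name, "delete_value", None))
            else:
                ops.append((current, name, "set", data))
    return ops


def describe(ops):
    """Human-readable one-liners for each operation."""
    out = []
    for key, name, action, data in ops:
        if action == "delete_key":
            out.append(f"DELETE KEY   {key}")
        elif action == "delete_value":
            out.append(f"DELETE VALUE {key}\\{name}")
        else:
            out.append(f"SET          {key}\\{name} = {data}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(SAMPLE_REG)):
        print(line)
```

For the posted fix this reports three DELETE VALUE lines and nothing else: the file removes the NoFolderOptions and DisableCMD policy values that were hiding Folder Options and blocking the command prompt, and sets nothing new. A .reg that showed SET lines for autorun keys or policies would deserve a second look before merging.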

#3 chappie1538
  • Topic Starter

  • Members
  • 4 posts

Posted 19 April 2007 - 02:51 PM

Hi, firstly I would like to thank you! The job was very easy and the ‘windows’ problems are solved. :thumbsup:

However, I have some questions:

I found some things in HijackThis that we never use, things like BearShare (I don’t use LimeWire or that kind of download progs, only BitTorrent) and Yahoo (never used):



O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab


Can I just fix them with HijackThis or will it give problems afterwards? I was also wondering if I need to keep the fix.reg file I made after the HijackThis fix, or can I delete it as well?

Logfile of HijackThis v1.99.1
Scan saved at 19:00:34, on 19-4-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Sony\Mijn documenten\Programma's\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Sony\Local Settings\Temporary Internet Files\Content.IE5\JIFDD57R\delf061225[1].exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

And these are the scan reports of AVG Anti-Spyware. I have two of them because the first time something went wrong with the ‘Apply all actions’ part. It’s a bit of a long report. The first one is black and the second one I made red.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:55:23 19-4-2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0 -> Adware.BlazeFind : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0\- -> Adware.BlazeFind : Ignored.
HKLM\SOFTWARE\Classes\QD2.QD2Loader -> Adware.CasinoToolbar : Ignored.
HKLM\SOFTWARE\Classes\QD2.QD2Loader.1 -> Adware.CasinoToolbar : Ignored.
HKLM\SOFTWARE\Classes\QD2.QD2Loader\CLSID -> Adware.CasinoToolbar : Ignored.
HKLM\SOFTWARE\Classes\QD2.QD2Loader\CurVer -> Adware.CasinoToolbar : Ignored.
HKLM\SOFTWARE\Dvx -> Adware.Delfin : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Adware.Delfin : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP204\A0111863.dll -> Adware.DelphinMediaViewer : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP204\A0111864.exe -> Adware.DelphinMediaViewer : Ignored.
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\SerG -> Adware.EZ-Finder : Ignored.
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO -> Adware.HungryHands : Ignored.
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO.1 -> Adware.HungryHands : Ignored.
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO\CLSID -> Adware.HungryHands : Ignored.
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO\CurVer -> Adware.HungryHands : Ignored.
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\intexp -> Adware.IEPlugin : Ignored.
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\intexp\Config -> Adware.IEPlugin : Ignored.
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Ignored.
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Ignored.
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\WhenU -> Adware.SaveNow : Ignored.
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv -> Adware.WebRebates : Ignored.
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv\Clsid -> Adware.WebRebates : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP204\A0111866.exe -> Downloader.Delmed.b : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP203\A0111851.exe -> Downloader.OneClickNetSearch.k : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP203\A0111849.dll -> Hijacker.Delf.z : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP203\A0111850.dll -> Logger.Spung.a : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@adtech[2].txt -> TrackingCookie.Adtech : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@com[1].txt -> TrackingCookie.Com : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@connextra[2].txt -> TrackingCookie.Connextra : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@komtrack[2].txt -> TrackingCookie.Komtrack : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@revsci[1].txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@specificclick[1].txt -> TrackingCookie.Specificclick : Ignored.
C:\Documents and Settings\Sony\Cookies\sony@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095577.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095578.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095579.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095580.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095581.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095582.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0095583.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096562.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096563.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096564.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096565.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096566.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096567.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096568.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096569.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096570.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096571.pif -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096572.com -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096573.scr -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096574.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096575.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096576.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096586.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096587.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096588.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096589.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096590.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096591.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096592.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096593.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096594.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096595.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096596.pif -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096597.com -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096598.scr -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096599.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096601.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096606.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096607.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP191\A0096608.exe -> Worm.Brontok.a : Ignored.


The lines in between I deleted because it was way too long.

C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115689.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115690.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115691.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115692.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115693.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115694.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115695.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115696.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115697.com -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115698.scr -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115699.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115700.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP214\A0115701.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115703.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115704.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115705.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115706.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115707.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115708.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115709.exe -> Worm.Brontok.a : Ignored.
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP215\A0115820.exe -> Worm.Brontok.a : Ignored.


::Report end


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:05:17 19-4-2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0 -> Adware.BlazeFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0\- -> Adware.BlazeFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\QD2.QD2Loader -> Adware.CasinoToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\QD2.QD2Loader.1 -> Adware.CasinoToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\QD2.QD2Loader\CLSID -> Adware.CasinoToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\QD2.QD2Loader\CurVer -> Adware.CasinoToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Dvx -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Adware.Delfin : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP204\A0111863.dll -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP204\A0111864.exe -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\SerG -> Adware.EZ-Finder : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO -> Adware.HungryHands : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO.1 -> Adware.HungryHands : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO\CLSID -> Adware.HungryHands : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO\CurVer -> Adware.HungryHands : Cleaned with backup (quarantined).
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-21-73586283-1060284298-2074826387-1003\Software\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv -> Adware.WebRebates : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv\Clsid -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP204\A0111866.exe -> Downloader.Delmed.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP203\A0111851.exe -> Downloader.OneClickNetSearch.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP203\A0111849.dll -> Hijacker.Delf.z : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{319A35C9-077E-47E5-8D01-D85EDA333D95}\RP203\A0111850.dll -> Logger.Spung.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Sony\Cookies\sony@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sony\Cookies\sony@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end


I'm looking forward to the reply :flowers:

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 19 April 2007 - 03:05 PM

Hi,

I see you used 'Ignored' for the first AVG scan, so these files were not deleted. But luckily you scanned again and I see you told AVG Antispyware to clean. :thumbsup:

Can I just fix them with HijackThis or will it give problems afterwards?

Yes, you can fix them with HijackThis; it won't give you any problems.

But... you'll have to disable TeaTimer again here, or, when TeaTimer gives an alert after you fixed them, make sure you tell it to allow the changes and don't let it block them.

There is still one entry that needs to go as well:

O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Sony\Local Settings\Temporary Internet Files\Content.IE5\JIFDD57R\delf061225[1].exe

But the problem here is that HijackThis will have trouble deleting this entry, because it has problems reading the "end file", which in this case is delf061225[1].exe.
This is because it has the [ ] in it.

So to get rid of this entry, we'll have to use another regfix again. Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"firlnin"=-

Save this as fix2.reg. Choose to save as *all files and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Then you may delete fix.reg and fix2.reg since you won't need them anymore. :flowers:

As a final cleanup:
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
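The regfix above deletes a single value from the Run key because HijackThis cannot handle the "[1]" in the cached file's name. As an added example (not code from the thread or from HijackThis), the following Python parses an O4 line from a HijackThis log, applies the same judgement the reply makes (an autorun whose target lives in Temporary Internet Files\Content.IE5 or carries the cache's "[n]" suffix), and generates the REGEDIT4 text that removes exactly that value. The mapping of the HKLM/HKCU shorthand to full key paths, the heuristic, and the sample line (copied from the reply above) are this example's own assumptions; it only handles the two Run keys HijackThis abbreviates, not HKU\S-1-5-... paths.

```python
import re

# Added example (not code from the thread or from HijackThis): parse a
# HijackThis "O4" autorun line, decide whether it looks like a cached download
# that was wired into the Run key, and emit the REGEDIT4 text that deletes
# exactly that value, the way fix2.reg above does by hand.

# HijackThis abbreviates the hive; these are the full keys the "HKLM\..\Run"
# and "HKCU\..\Run" shorthand stand for (assumed mapping, not from the thread).
HJT_RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Shape of an O4 line: O4 - HKLM\..\Run: [value name] C:\path\file.exe /args
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_o4(line):
    """Return (hive, value_name, command) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3)


def looks_like_cached_download(command):
    """Heuristic taken from the entry in the thread: an autorun whose target
    sits in the IE cache (Temporary Internet Files\\Content.IE5) or carries the
    cache's "[n]" suffix is a downloaded file, not an installed program."""
    cmd = command.lower()
    in_cache = "temporary internet files" in cmd and "content.ie5" in cmd
    cache_suffix = re.search(r"\[\d+\]\.(exe|dll|scr|com)", cmd) is not None
    return in_cache or cache_suffix


def reg_delete_value(hive, value_name):
    """Build a REGEDIT4 script that removes one value from the Run key.

    "name"=- is the .reg syntax for deleting a value (the key itself stays).
    regedit needs the file to end with a blank line, hence the trailing one.
    Backslashes and quotes in the value name are escaped as .reg requires.
    """
    key = HJT_RUN_KEYS[hive]
    escaped = value_name.replace("\\", "\\\\").replace('"', '\\"')
    return 'REGEDIT4\n\n[%s]\n"%s"=-\n\n' % (key, escaped)


def fix_for_line(line):
    """Return the .reg text that removes the autorun named in an O4 line, or
    None when the line is not an O4 Run entry or does not look suspicious."""
    parsed = parse_o4(line)
    if parsed is None:
        return None
    hive, name, command = parsed
    if not looks_like_cached_download(command):
        return None
    return reg_delete_value(hive, name)


# The entry from the thread. HijackThis chokes on the "[1]" in the file name,
# which is why the reply above resorts to a hand-written .reg file.
SAMPLE_LINE = (r"O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Sony"
               r"\Local Settings\Temporary Internet Files\Content.IE5"
               r"\JIFDD57R\delf061225[1].exe")

if __name__ == "__main__":
    script = fix_for_line(SAMPLE_LINE)
    print(script)
    # newline="\r\n" gives the CRLF line endings regedit expects on disk.
    with open("fix2.reg", "w", newline="\r\n") as fh:
        fh.write(script)
```

Deleting the value only removes the persistence; the file it pointed at is untouched and still has to be deleted or quarantined (in this thread AVG Anti-Spyware had already cleaned it). Merging the .reg while TeaTimer is active will trigger the same registry-change prompt the reply warns about.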

#5 chappie1538 (Topic Starter, Members, 4 posts)

Posted 23 April 2007 - 10:37 AM

Hi, it looks like everything is fixed now. :thumbsup: I still have two questions:

- If I don't change anything about the system or programs, can I keep this LOGFILE and compare it with new ones? If there are changes, can I just fix them with HijackThis?

- This actually is not a question... I'm really happy with you guys (bleepingcomputer.com) and I think you're doing a great job. I would like to donate something so this service can remain, but what are the other possibilities to donate except PayPal? Don't you (bleepingcomputer.com) have an account so I can do it with online banking?



Logfile of HijackThis v1.99.1
Scan saved at 16:42:12, on 20-4-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Sony\Mijn documenten\Programma's\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:48:06 20-4-2007

+ Scan result:



Nothing found.



::Report end

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 23 April 2007 - 03:46 PM

Hi,

- If I don't change anything about the system or programs, can I keep this LOGFILE and compare it with new ones? If there are changes, can I just fix them with HijackThis?

Well, yes and no. I mean, when you install some programs, they may show up in HijackThis as well, so if you compare it with an older log, you'll see some things have changed in it: the new programs you installed. So I don't want you to fix them in HijackThis because your log has changed, unless you recognise them in HijackThis and know not to fix them.

By the way.. did you check and fix this entry in HijackThis previously?

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

Because I see that one is gone and I didn't ask you to fix it. That entry is related to Spybot S&D, unless you uninstalled Spybot.

By the way, no need to donate; as it says in my signature, my help is always free. :thumbsup: Donations only go via PayPal/Visa or MasterCard. I'd rather you buy something for your computer to protect it in a better way ;-)

Glad I could help. :flowers:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
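The question in #5 and the answer in #6 are about comparing a known-clean HijackThis log with later ones. As an added example (not code from the thread or from HijackThis), the following Python splits a log into its volatile "Running processes" list and its fixable R/F/N/O entries, and reports which entries appeared or disappeared between two logs. The two sample logs are constructed excerpts of the 20-4-2007 and 24-4-2007 logs posted above, shortened to a handful of lines each; the entry-prefix pattern is this example's own assumption about the log format.

```python
import re

# Added example (not code from the thread or from HijackThis): compare two
# HijackThis logs and report which fixable entries (R/F/N/O lines) appeared
# or disappeared, keeping the volatile "Running processes" list apart.
# The two sample logs are constructed excerpts of the 20-4-2007 and
# 24-4-2007 logs posted in this thread.

# HijackThis entry prefixes: R0-R3, F0-F3, N1-N4, O1-O24, each followed by " - "
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")


def parse_hjt_log(text):
    """Split a HijackThis log into (processes, entries).

    processes: paths listed under "Running processes:" (whatever happened to
    be open at scan time); entries: the lines HijackThis can "fix".
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False       # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def diff_logs(old_text, new_text):
    """Return {"added": [...], "removed": [...]} of fixable entries, in the
    order they appear in their respective logs."""
    _, old_entries = parse_hjt_log(old_text)
    _, new_entries = parse_hjt_log(new_text)
    old_set, new_set = set(old_entries), set(new_entries)
    return {
        "added": [e for e in new_entries if e not in old_set],
        "removed": [e for e in old_entries if e not in new_set],
    }


def new_processes(old_text, new_text):
    """Processes present in the new log only; informational, not fixable."""
    old_procs, _ = parse_hjt_log(old_text)
    new_procs, _ = parse_hjt_log(new_text)
    return sorted(set(new_procs) - set(old_procs))


OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 16:42:12, on 20-4-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Documents and Settings\Sony\Mijn documenten\Programma's\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:50:17, on 24-4-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Documents and Settings\Sony\Mijn documenten\Programma's\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    changes = diff_logs(OLD_LOG, NEW_LOG)
    for entry in changes["added"]:
        print("+", entry)
    for entry in changes["removed"]:
        print("-", entry)
    for proc in new_processes(OLD_LOG, NEW_LOG):
        print("new process:", proc)
```

On these excerpts the only additions are the Spybot S&D BHO and TeaTimer autorun, which matches the reply's point: a diff tells you what changed, not whether the change is bad, so each new entry still has to be recognised (here, a program the user installed) before anything is fixed.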

#7 chappie1538 (Topic Starter, Members, 4 posts)

Posted 24 April 2007 - 04:59 AM

Hi there,

I took a look and made a new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:17, on 24-4-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sony\Mijn documenten\Programma's\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\Extern station\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


I think something went wrong with copy and paste.

Anyway, I will certainly take a look at your links. Thanks again and I'll 'see' you around on bleepingcomputer.com.

Greetz

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 24 April 2007 - 06:46 AM

Now it's showing. Strange it didn't show in your previous log. Anyway, no problem.

Thanks again and I'll 'see' you around on bleepingcomputer.com.

I see you are Dutch, so if you want to ask something in Dutch, which may be easier in some cases than English, you're always welcome at http://www.bluemedicine.be/forum/
This is my own Dutch forum, since I am Dutch as well. :thumbsup:

Anyway, now keep this system clean :flowers:

#9 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 April 2007 - 08:01 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



