Hijack This Log: Please Help Diagnose Ie Hijack

23 replies to this topic

#1 aj2007 (Members, 13 posts)

Posted 28 April 2007 - 04:58 AM

Whenever I start Internet Explorer, before the Home Page appears, it is diverted to a proxy server 212.138.64.149 and then displays "The page cannot be displayed".

If I select a favourite, the selected URL appears for a few seconds before being diverted as above.

Having run Hijack This, I have found the R1 entry below, but when I delete it, it just comes back every time I launch Internet Explorer.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80

I am unable to ascertain what in Startup is causing it. I thought it might be this:
O4 - Global Startup: pkyj.hta
but whenever I try to delete it I cannot, as it says it is in use and to end it using Task Manager - it is then not showing in Task Manager. Also, checking the properties of pkyj.hta, it was created in 2005, and I have only been having the problems for the last few weeks.

Here is my full Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:45, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX65.766\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.etel-internet.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: pkyj.hta
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Here is my StartUpList:

StartupList report, 28/04/2007, 10:49:09
StartupList version: 1.52.2
Started from : C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX65.766\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX65.766\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
pkyj.hta

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
LogitechGalleryRepair = C:\Program Files\Logitech\Video\ISStart.exe
SystemTraySD = C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
SDAutoLiveupdate = C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

IDM Helper - C:\Program Files\Internet Download Manager\IDMIECC.dll - {0055C089-8582-441B-A0BF-17B458C2A3A8}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Auto-scheduled task of Free Registry Fix.job
XoftSpySE.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Install Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pinstall.dll
CODEBASE = http://updates.lifescapeinc.com/installers...ll/pinstall.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

[BatchDownloader Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DigWXMSN.dll
CODEBASE = http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Yahoo! Toolbar]
InProcServer32 = C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/controls/msnchat45.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\System32\idmmbc.dll
Protocol #2: C:\WINDOWS\System32\idmmbc.dll
Protocol #3: C:\WINDOWS\System32\idmmbc.dll
Protocol #4: C:\WINDOWS\System32\idmmbc.dll
Protocol #10: C:\WINDOWS\System32\idmmbc.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 7,144 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Please help.

Regards,

AJ


#2 RichieUK (Malware Response Team, 13,614 posts)

Posted 28 April 2007 - 07:20 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum aj2007 :thumbsup:

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O4 - Global Startup: pkyj.hta
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O19 - User stylesheet: (file missing)


Find and delete:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pkyj.hta

Still in Safe Mode, launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log in your next reply.
Let me know how your pc is running now please.
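The original poster's description (a ProxyServer value under HKCU\...\Internet Settings pointing at a raw IP, an .hta in the all-users Startup folder, mshta.exe running) and RichieUK's fix list above map onto a small set of HijackThis entry types. The following Python script is an added example, not code from this thread or from HijackThis: it parses lines in HijackThis v1.99.1 format and flags exactly those entry types, so a defender can triage a log before deciding what to fix. The sample log is constructed from entries quoted in this thread and is not a complete log; the check names and thresholds (for example, treating any bare IPv4 proxy as suspect) are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format; the entries are the ones
# discussed in this thread, not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Opera\Opera.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.etel-internet.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: pkyj.hta
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O19 - User stylesheet: (file missing)
"""

# HijackThis entry lines look like "O4 - <body>", "R1 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Bare IPv4 address with optional :port, e.g. 212.138.64.149:80
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# Extensions handled by Windows script hosts (mshta.exe / wscript.exe)
SCRIPT_HOST_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


@dataclass
class Finding:
    line: str     # the log line (or process path) that triggered the finding
    reason: str   # why a defender should look at it


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body, line) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False   # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("code"), m.group("body"), line))
        elif in_processes:
            processes.append(line)
    return processes, entries


def check_entry(code, body, line):
    """Return a Finding for the entry types this thread's fix list targets, else None."""
    if code == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if RAW_IP_RE.match(value):
            return Finding(line, f"IE proxy forced to a raw IP address ({value}); "
                                 "a hijack if the user configured no proxy")
        return Finding(line, f"IE proxy set to {value!r}; confirm it is intended")
    if code == "O4" and body.startswith("Global Startup:"):
        target = body.split(":", 1)[1].strip()
        if target.lower().endswith(SCRIPT_HOST_EXTS):
            return Finding(line, f"script-host file in the all-users Startup folder: {target}")
    if code == "O6" and "Restrictions present" in body:
        return Finding(line, "IE policy restrictions are set; these often lock the user "
                             "out of undoing a hijacked setting")
    if code == "O19":
        return Finding(line, "user stylesheet override present; rarely legitimate on a home PC")
    return None


def audit(text):
    """Run all checks over a log and return the list of Findings."""
    processes, entries = parse_log(text)
    findings = [f for f in (check_entry(*e) for e in entries) if f]
    hta_in_startup = any(
        body.startswith("Global Startup:") and body.lower().endswith(".hta")
        for _, body, _ in entries)
    for path in processes:
        # mshta.exe is the host that executes .hta files; seeing it run while an
        # .hta sits in Startup is consistent with that launcher firing at logon
        if path.lower().endswith("\\mshta.exe") and hta_in_startup:
            findings.append(Finding(path, "mshta.exe is running while an .hta sits in Startup"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

Run on the sample it reports five findings: the forced proxy, the .hta in Global Startup, the O6 restriction, the O19 stylesheet entry and the running mshta.exe. Legitimate entries such as the HKLM Default_Page_URL and the ATI Run key produce nothing, which is the point of the script: it narrows a long log to the handful of lines worth a second look rather than replacing a human review.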

#3 aj2007 (Topic Starter)

Posted 28 April 2007 - 12:47 PM

Richie,

I have followed your instructions. The only thing I was unable to do was to find and delete:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pkyj.hta

It was not in the Startup folder - the only item there was desktop.ini

IE is still getting diverted to 212.138.64.149 although all the other items you asked me to fix with Hijack This have not reappeared in the new Hijack This log.

I have attached the AVG Anti-Spyware report and a new Hijack This log taken after rebooting normally.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:22:00 28/04/2007

+ Scan result:



C:\System Volume Information\_restore{8875537C-DE7A-45CB-949C-6CD43697F3D4}\RP390\A0182377.dll -> Adware.GoodByeSpyware : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\pinstall.dll -> Adware.LookMe : Cleaned with backup (quarantined).
C:\Program Files\SpywareRemover -> Adware.SpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\SpywareRemover\Settings -> Adware.SpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\SpywareRemover\SpywareRemover.exe -> Adware.SpywareRemover : Cleaned with backup (quarantined).
C:\Documents and Settings\ANTHONY\My Documents\Downloads\Programs\WATCH_FREE_PORN.exe -> Downloader.Agent.auv : Cleaned with backup (quarantined).
HKU\S-1-5-21-1671579388-1012082796-3419798058-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7507739F-BC2E-4DC3-B233-816783C25DC9} -> Downloader.Delf : Cleaned with backup (quarantined).
C:\Program Files\Free Registry Fix\liveupd.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\SpywareNukerInstaller.exe -> Downloader.TSP : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\ANTHONY\My Documents\Downloads\Programs\installdrivecleanerstart.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : Cleaned with backup (quarantined).
C:\Program Files\NetSpy Protector\quarantie\06-01-2007-16-42-55\49462f9a-d050-4118-b7e1-4b880a6ffab2.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\06-01-2007-16-42-55\5688496d-c240-4b13-aa12-01cf814036a8.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\07-11-2006-20-12-05\ec6c81e6-481b-4238-8c61-6b544a8c2cd6.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\14-12-2006-22-46-29\96de24cd-d029-4493-9c99-ef81ed56c050.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\22-02-2007-20-26-59\5fe00350-288f-4257-b4dd-0a2ceeddacba.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\23-12-2006-08-44-37\7f741122-c89f-40ae-8624-20b1b2c743a5.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\24-11-2006-17-56-07\c04d3fbf-9ce5-486c-9278-d45ef208ce89.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\27-01-2007-19-54-24\9537d368-d868-4bfe-b43e-625d0128ac61.bak -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@thunderbolt.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.365:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@www.adobe[2].txt -> TrackingCookie.Adobe : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\27-01-2007-19-54-24\3dcc97d4-1f94-4150-a08b-1f9ad898afdb.bak -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.11:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Co : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\07-11-2006-20-12-05\ea7a0cb5-7c10-4097-8411-3bd7d4931d59.bak -> TrackingCookie.Connextra : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\07-11-2006-20-12-05\aab11f86-b275-48b6-b1a5-df73f2dd0bc9.bak -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@cl.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\26-11-2006-17-24-51\40b82d74-10d7-466d-bd68-84b1b8fa8a7e.bak -> TrackingCookie.Euroclick : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\27-12-2006-11-20-02\335b5fd6-e43c-4c44-b43f-7fbe0fddaf9e.bak -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@msxml.info[1].txt -> TrackingCookie.Info : Cleaned.
:mozilla.300:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\14-12-2006-22-46-29\83560e09-2476-4ff5-af82-e4b2d6595939.bak -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.485:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@ads.planetactive[2].txt -> TrackingCookie.Planetactive : Cleaned.
:mozilla.277:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@uk.real[1].txt -> TrackingCookie.Real : Cleaned.
:mozilla.173:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.174:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.175:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.176:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.320:C:\Documents and Settings\ANTHONY\Application Data\Mozilla\Firefox\Profiles\ena2tcnr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\ANTHONY\Cookies\anthony@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\WINDOWS\Downloaded Program Files\start.INF -> Trojan.Dagonit.inf : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 18:31:36, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.etel-internet.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

I would be very grateful for any other suggestions you might have.

Regards,

Anthony

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 28 April 2007 - 01:38 PM

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


********************************

Copy and paste the following text into Notepad.
Click on File (in the menu at the top) > Save as.. Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutoProxyResultCache"=dword:00000000
"EnableNegotiate"=dword:00000000
"ProxyEnable"=dword:00000000
"AutoConfigURL"=""
"ProxyServer"=""
"ProxyOverride"=""


Restart your pc, post the C:\ComboFix.txt and a new HijackThis log into your next reply.
Let me know what's happening now please.

#5 aj2007
  • Topic Starter
  • Members
  • 13 posts

Posted 28 April 2007 - 03:57 PM

Richie,

I have followed your latest instructions, although I rebooted before double clicking on fix.reg on the desktop - does that matter, or do I need to repeat the whole procedure in your last message again?

Rebooted again after merging fix.reg.

It has not fixed it - IE is still getting diverted.

Here are logs as requested:

"ANTHONY" - 07-04-28 21:23:50 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\ANTHONY\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


2007-04-28 16:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-22 10:50 <DIR> d-------- C:\DOCUME~1\ANTHONY\Contacts
2007-04-22 10:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-04-06 10:59 55,000 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-04-06 10:59 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-04-06 08:08 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-04-06 08:07 1,003,520 --a------ C:\WINDOWS\system32\VchReg.dll
2007-04-06 08:07 <DIR> d-------- C:\Program Files\SpywareDetector
2007-04-05 23:07 <DIR> d-------- C:\DOCUME~1\ANTHONY\APPLIC~1\SpywareRemover
2007-04-05 22:56 <DIR> d-------- C:\Program Files\Browser Hijack Recover
2007-04-05 22:46 218,112 --a------ C:\Program Files\HijackThis.exe
2007-04-05 19:11 <DIR> d-------- C:\Program Files\Geek Superhero
2007-04-05 18:55 <DIR> d-------- C:\Program Files\Browser Hijack Blaster
2007-04-05 17:12 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-05 16:39 <DIR> d-------- C:\Program Files\Zamaan's Software
2007-04-05 16:06 <DIR> d-------- C:\Program Files\backups
2007-04-05 06:54 <DIR> d-------- C:\Program Files\SpywareGuard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver lzx32 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

2007-04-27 21:11 -------- d-------- C:\Program Files\free registry fix
2007-04-22 10:45 -------- d-------- C:\Program Files\msn messenger
2007-04-08 15:46 -------- d-------- C:\Program Files\opera
2007-04-06 09:14 -------- d-------- C:\Program Files\netspy protector
2007-04-05 22:37 -------- d-------- C:\DOCUME~1\ANTHONY\APPLIC~1\idm
2007-04-05 19:21 -------- d-------- C:\Program Files\internet download manager
2007-04-05 18:20 -------- d-------- C:\Program Files\google
2007-04-05 16:04 10803 --a------ C:\Program Files\hijackthis.log
2007-04-03 20:17 1824 --a------ C:\DOCUME~1\ANTHONY\APPLIC~1\adobedlm.log
2007-03-30 22:37 -------- d-------- C:\Program Files\imtoo
2007-03-21 20:49 -------- d-------- C:\DOCUME~1\ANTHONY\APPLIC~1\virgin broadband
2007-03-21 20:48 -------- d-------- C:\Program Files\virgin broadband
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-19 15:53 202424 --a------ C:\WINDOWS\system32\idmmbc.dll
2007-02-19 15:53 202424 --a------ C:\WINDOWS\system32\idmmbc(2)(2)(3).dll
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{0055C089-8582-441B-A0BF-17B458C2A3A8}"="C:\Program Files\Internet Download Manager\IDMIECC.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{243B17DE-77C7-46BF-B94B-0B5F309A0E64}"="C:\Program Files\Microsoft Money\System\mnyside.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"SystemTraySD"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"SDAutoLiveupdate"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pkyj.hta]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pkyj.hta"
"backup"="C:\\WINDOWS\\pss\\pkyj.htaCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pkyj.hta"
"item"="pkyj"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW Controlcenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IWCTRL"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\INSTAN~1\\INSTAN~1\\IWCTRL.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Auto-scheduled task of Free Registry Fix.job
C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 21:30:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-28 21:33:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-28 21:33

Logfile of HijackThis v1.99.1
Scan saved at 21:52:58, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.etel-internet.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Regards,

Anthony

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 29 April 2007 - 02:24 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
Exit Hijackthis.

********************************

Copy and paste the following text into Notepad.
Click on File (in the menu at the top) > Save as.. Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pkyj.hta]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutoProxyResultCache"=dword:00000000
"EnableNegotiate"=dword:00000000
"ProxyEnable"=dword:00000000
"AutoConfigURL"=""
"ProxyServer"=""
"ProxyOverride"=""

********************************

Download rustbfix.exe and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe
Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will be asked to reboot the computer.
The reboot will probably take quite a while; possibly two reboots will be needed. This should happen automatically.
After the reboot two logfiles will/should open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
If you're still infected, post the contents of those logfiles along with a new HijackThis log.
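As an added example (not RichieUK's, HijackThis's or ComboFix's code), this is the check a responder would run between two HijackThis logs like the ones in this thread: parse the numbered entries, flag an R1 proxy pointed at a raw IP address and a script file in the all-users Startup folder, and report which flagged entries are still present after a fix. The sample logs are constructed from entries quoted above; a flagged entry that survives the fix points at something re-creating it rather than at a missed checkbox.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis line is "<section> - <body>", e.g. "R1 - HKCU\...,ProxyServer = 212.138.64.149:80".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# An IE proxy pointed at a bare IPv4 address rather than a proxy hostname.
RAW_IP_PROXY = re.compile(r"ProxyServer = (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?")
# A script-type file in the all-users Startup folder (HJT "O4 - Global Startup: <file>").
GLOBAL_STARTUP_SCRIPT = re.compile(r"^Global Startup: (?P<name>\S+\.(?:hta|vbs|js|wsf|bat|cmd))$", re.I)


@dataclass(frozen=True)
class Entry:
    section: str   # HJT section tag such as R1, O4, O10
    body: str      # the rest of the line, verbatim


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the numbered HJT entries; header lines and the process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag_entry(entry: Entry) -> Optional[str]:
    """Return a reason if the entry matches one of the indicators seen in this thread, else None."""
    if entry.section == "R1":
        m = RAW_IP_PROXY.search(entry.body)
        if m:
            return f"IE proxy forced to raw IP {m.group('host')}:{m.group('port') or '80'}"
    if entry.section == "O4":
        m = GLOBAL_STARTUP_SCRIPT.match(entry.body)
        if m:
            return f"script file in the all-users Startup folder: {m.group('name')}"
    return None


def flagged(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """All entries with a reason, in log order."""
    out = []
    for e in entries:
        reason = flag_entry(e)
        if reason is not None:
            out.append((e, reason))
    return out


def persisted_after_fix(before: str, after: str) -> List[Entry]:
    """Flagged entries from the pre-fix log that appear verbatim in the post-fix log."""
    after_set = set(parse_hjt(after))
    return [e for e, _ in flagged(parse_hjt(before)) if e in after_set]


# Constructed sample logs, trimmed from the entries quoted in the thread.
BEFORE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 212.138.64.149:80
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - Global Startup: pkyj.hta
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\idmmbc.dll
"""

# Same machine after the Startup-folder entry was removed; the proxy entry came back.
AFTER_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 212.138.64.149:80
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\idmmbc.dll
"""

if __name__ == "__main__":
    for entry, reason in flagged(parse_hjt(BEFORE_LOG)):
        print(f"[flag] {entry.section}: {reason}")
    for entry in persisted_after_fix(BEFORE_LOG, AFTER_LOG):
        print(f"[persisted] {entry.section} - {entry.body}")
```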

#7 aj2007
  • Topic Starter
  • Members
  • 13 posts

Posted 29 April 2007 - 05:57 AM

Richie,

Many thanks for your continued efforts on this.

Still infected.

After the second reboot I had the error message "could not find C:\avenger\*.reg". Will I have this after every reboot - how do I get rid of the error message?

Here are the requested logs.

************************* Rustock.b-fix -- By ejvindh *************************
29/04/2007 11:39:17.75

******************* Pre-run Status of system *******************

Rootkit driver lzx32 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vyahoxor

*******************

Script file located at: \??\C:\WINDOWS\system32\ppcrjnjk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\lzx32 not found!
Unload of driver lzx32 failed!

Could not process line:
lzx32
Status: 0xc0000034

Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 11:50:33, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX06.093\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.etel-internet.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Regards,

Anthony

#8 RichieUK (Malware Response Team)

Posted 29 April 2007 - 06:35 AM

Download and scan with the free 15-day trial of CounterSpy V2.
Save the report when it's finished:
1. Once CounterSpy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under 'Recommended Action', using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/text document, then save it to your desktop.

****************************************

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter detects Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100, so if you have Trojan Hunter installed you will need to disable it prior to running a scan.

Restart your PC.
Post the CounterSpy report, the sarscan.log, and a new HijackThis log in your next reply.
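The instructions above lean on HijackThis to surface the entries that matter in this thread (the R1 ProxyServer line that keeps coming back, script files in Global Startup, Winsock LSP modules, DNS servers). The script below is an added example, not code from the original post or from HijackThis, CounterSpy or Sophos: it parses lines in HijackThis 1.99.1 format and flags the same classes of entry automatically. The sample log is constructed here in that format (the R1, O10 and O17 lines mirror the shape of the logs in this thread; the O4 lines are made up for illustration). Two heuristics are assumptions of this example rather than anything the page states: a proxy pointing at a non-private IP literal is rated "high", and idmmbc.dll is allowlisted because it ships with Internet Download Manager, which the log shows installed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis 1.99.1 format: the R1, O10 and O17 lines mirror
# the shape of the logs in this thread; the two O4 lines are made up for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: pkyj.hta
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1", "O4", "O10", "O17"
    severity: str  # "high", "review" or "info"
    reason: str
    line: str      # the original log line


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Matches "ProxyServer = host:port" and the "ProxyServer = http=host:port" form.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[^:;\s]+)(?::(?P<port>\d+))?")
STARTUP_RE = re.compile(r"^Global Startup:\s*(?P<item>.+)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP:\s*(?P<path>.+)$", re.IGNORECASE)

# Script-host extensions that have no business launching from the all-users Startup folder.
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr", ".pif")
# Assumed allowlist: idmmbc.dll is the Winsock LSP installed by Internet Download Manager.
KNOWN_LSP = {"idmmbc.dll"}


def is_public_ip(host: str) -> bool:
    """True only for an IP literal outside private, loopback and link-local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return findings for the entry classes of interest."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "R1" and "ProxyServer" in body:
            pm = PROXY_RE.search(body)
            host = pm.group("host") if pm else ""
            if is_public_ip(host):
                findings.append(Finding(section, "high", f"IE proxy forced to public address {host}", raw))
            else:
                findings.append(Finding(section, "review", f"IE proxy set to {host or body}", raw))
        elif section == "O4":
            sm = STARTUP_RE.match(body)
            if sm and sm.group("item").lower().endswith(SCRIPT_EXT):
                findings.append(Finding(section, "high", f"script-host item in Global Startup: {sm.group('item')}", raw))
        elif section == "O10":
            lm = LSP_RE.match(body)
            if lm:
                name = lm.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
                severity = "info" if name in KNOWN_LSP else "high"
                findings.append(Finding(section, severity, f"Winsock LSP module {name}", raw))
        elif section == "O17" and "NameServer" in body:
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body.split("NameServer", 1)[1])
            findings.append(Finding(section, "review", "DNS servers: " + ", ".join(ips), raw))
    return findings


def high_findings(log_text: str) -> List[Finding]:
    """Only the entries a responder should act on before anything else."""
    return [f for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against a saved log with `triage(open("hijackthis.log").read())`; a proxy entry that is rated "high" in every fresh log after a cleanup, as in this thread, is the signal that whatever rewrites the value at IE start-up has not been removed yet, and the O4/O10 findings are the places to look for it.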

#9 aj2007 (Topic Starter)

Posted 29 April 2007 - 09:37 AM

Richie,

I have followed your instructions. IE is still hijacked.

Here are the logs:

CounterSpy

Scan History Details
Start Date: 29/04/2007 13:28:42
End Date: 29/04/2007 14:26:04
Total Time: 57 Min 22 Sec
Detected security risks

Go!Zilla Adware Bundler more information...
Details: Go!Zilla is an ad supported download manager.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\HTMLFILE\SHELL\SMARTEXPLORER
HKEY_LOCAL_MACHINE\Software\Classes\HTMLFILE\SHELL\SMARTEXPLORER
HKEY_LOCAL_MACHINE\Software\Classes\HTMLFILE\SHELL\SMARTEXPLORER\command
HKEY_LOCAL_MACHINE\Software\Classes\HTMLFILE\SHELL\SMARTEXPLORER\command
HKEY_LOCAL_MACHINE\Software\Classes\INTERNETSHORTCUT\SHELL\SMARTEXPLORER
HKEY_LOCAL_MACHINE\Software\Classes\INTERNETSHORTCUT\SHELL\SMARTEXPLORER
HKEY_LOCAL_MACHINE\Software\Classes\INTERNETSHORTCUT\SHELL\SMARTEXPLORER\command
HKEY_LOCAL_MACHINE\Software\Classes\INTERNETSHORTCUT\SHELL\SMARTEXPLORER\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\STARTMENUINTERNET\SMARTEXPLORER.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\STARTMENUINTERNET\SMARTEXPLORER.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\STARTMENUINTERNET\SMARTEXPLORER.EXE\shell
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\STARTMENUINTERNET\SMARTEXPLORER.EXE\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\STARTMENUINTERNET\SMARTEXPLORER.EXE\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\STARTMENUINTERNET\SMARTEXPLORER.EXE\shell\open\command


Cookie: RegNow Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\anthony\cookies\anthony@www.regnow[2].txt


Cookie: Radar Spy Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\anthony\cookies\anthony@yourmedia[1].txt


Cookie: Hero Screen Recorder 2.0.2 Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\anthony\cookies\anthony@secure.emetrix[1].txt


PassBack AIM Password Cracker/Stealer more information...
Details: PassBack AIM is a password hijacker.
Status: Deleted

Files detected
C:\PROGRAM FILES\TREK BLUE\SpyNukerSetup.exe
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\errorlog.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\excludelist.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\exmodule.dll
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\bottom.gif
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\check-mark.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\clear-log.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\dot.gif
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\have_you_ever.gif
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\ignore-list.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\index.html
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-auto-remove-file.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-backup-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-backup-files.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-backup-window.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-exclude-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-exclude-list.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-full-system-scan-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-help-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-language.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-log-files.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-main.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-ok-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-options-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-options-window.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-pick-tasks.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-remove-selection-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-remove-spyware-automatically.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-save-report-file-automaticaly.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-scan-on-windows-startup.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-scan-summary.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-scan-summary1.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\lpe-select-all-spyware-components-by-default.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\LSPHelp.htm
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\right_man.gif
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\spyware-nuker-icon.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\stop-scan-button.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\top_left.gif
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\top_middle.gif
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Help\top_right.jpg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Ini\update.ref
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Lang\English.bmp
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Lang\English.ini
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Lang\Spanish.bmp
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Lang\Spanish.ini
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Lang\Svenska.bmp
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Lang\Svenska.ini
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\LSPFix.exe
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\LSPLang\English.bmp
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\LSPLang\English.ini
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog01-01-06-98830.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog01-05-05-81463.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog01-09-06-87199.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog01-11-06-96402.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog01-12-05-71449.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-01-07-46587.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-02-07-79679.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-02-07-86668.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-02-07-86709.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-03-07-87159.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-04-06-40800.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-04-07-84259.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-07-06-97503.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog02-12-06-42389.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-01-06-46119.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-01-06-62975.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-02-06-81541.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-02-07-83134.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-03-07-79745.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-05-06-95196.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-06-06-60177.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-09-06-78258.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-11-05-65457.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog03-11-05-73711.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-02-07-56147.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-04-07-78685.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-04-07-79336.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-04-07-84527.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-07-04-77657.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-08-03-97240.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-09-03-82392.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog04-11-06-62603.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-01-05-58535.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-01-06-86965.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-02-06-72014.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-02-07-81958.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-03-04-81959.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-03-06-30579.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-04-07-83626.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-07-06-95120.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-08-06-94497.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-11-06-45802.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog05-12-06-30273.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-01-06-45466.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-01-07-64735.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-02-07-76652.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-03-07-83713.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-04-04-82333.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-08-05-53185.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-10-03-83292.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-10-03-83696.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog06-11-05-36934.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog07-01-07-85714.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog07-06-06-79215.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog07-11-06-83958.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog07-12-06-96432.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog07-12-06-96828.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-01-07-77126.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-03-07-86843.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-04-06-68935.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-05-06-92058.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-08-03-92468.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-08-03-93999.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-08-03-94606.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-09-03-86850.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog08-11-06-68147.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-02-07-59.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-02-07-87028.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-05-04-73678.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-07-06-93159.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-08-06-80049.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-08-06-81214.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-09-03-91653.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-09-06-41372.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-11-06-83249.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog09-12-06-45486.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-01-04-80573.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-01-07-28773.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-02-06-93714.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-02-07-43192.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-03-06-85360.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-08-03-95477.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-08-06-89830.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-09-06-97266.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-11-05-81292.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog10-12-04-89006.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-02-06-73023.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-02-07-61209.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-03-06-93002.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-03-07-73303.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-04-06-83566.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-06-06-42744.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-08-05-77819.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog11-12-03-92690.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-02-06-94559.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-03-06-62884.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-04-06-95086.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-05-06-79608.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-05-06-87128.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-07-06-95637.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog12-08-03-80988.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog13-01-06-28067.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog13-02-07-78554.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog13-02-07-83350.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog13-04-06-27839.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog13-06-06-85781.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog13-12-06-29936.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog14-02-06-78856.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog14-02-07-91222.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog14-08-06-81819.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog14-09-05-90807.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog14-12-06-94919.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog15-02-07-91174.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog15-08-06-93685.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-01-07-30265.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-03-07-86498.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-04-06-87440.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-04-07-86547.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-06-06-84707.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-06-06-84757.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-06-06-84819.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog16-08-06-88038.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-04-04-71676.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-05-06-89657.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-08-03-93109.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-08-03-93753.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-10-04-70990.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-11-05-86463.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog17-11-05-86956.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog18-02-05-42247.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog18-02-06-53910.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog18-02-07-70749.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog18-03-06-71073.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog18-08-06-67818.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog18-12-06-42488.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-02-06-95154.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-03-06-92727.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-04-05-86745.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-04-05-87047.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-07-05-76267.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-07-05-76535.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-07-05-82519.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-08-06-35569.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-11-06-69299.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog19-11-06-85935.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-01-07-47876.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-04-06-92707.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-07-06-84734.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-08-03-88891.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-08-06-49600.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-10-06-95185.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-10-06-99826.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-11-06-95884.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-12-03-37072.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog20-12-06-83228.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-01-07-70041.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-03-06-93178.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-03-07-72536.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-03-07-87714.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-05-06-88078.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-08-06-80822.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-11-03-85104.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-11-03-85536.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-11-06-90647.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog21-12-06-43611.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-01-06-56302.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-01-06-97495.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-01-06-97968.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-02-07-78878.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-03-06-84719.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-04-06-62152.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-04-06-72692.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-04-07-85700.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-07-06-92868.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog22-12-06-78542.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog23-01-07-79565.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog23-03-06-88032.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog23-07-06-78981.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog23-10-04-80398.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog23-11-06-91284.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-01-06-87270.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-02-06-83646.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-02-07-54648.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-03-07-50589.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-03-07-84079.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-04-06-95891.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-06-06-57522.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-11-06-67649.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog24-12-06-48767.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-01-04-80229.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-03-06-33501.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-08-05-85686.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-08-05-85762.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-10-03-68006.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-11-03-88216.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog25-11-05-87743.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-02-06-40609.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-02-06-77346.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-02-06-86801.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-02-07-92587.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-03-06-96310.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-03-06-97030.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-04-06-94346.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-05-06-75968.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-06-06-88671.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-07-06-81503.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-08-06-60436.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-10-06-93159.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog26-11-06-65243.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-01-07-80013.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-02-06-80213.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-03-04-35031.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-03-04-35170.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-03-04-35729.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-03-05-75174.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-04-07-90941.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-07-04-28545.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-08-03-78524.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-08-03-78745.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-08-06-42274.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-09-03-81486.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-11-06-80742.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-12-05-66774.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-12-06-34929.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-12-06-43843.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog27-12-06-78852.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-01-07-53024.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-02-06-88416.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-02-07-95624.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-05-06-31782.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-11-05-78296.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-11-06-92617.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-12-04-56466.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-12-05-95275.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog28-12-06-51693.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-01-05-48818.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-01-06-45288.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-03-06-83888.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-04-06-76565.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-05-06-86793.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-08-03-91103.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-09-06-90988.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-10-04-81720.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-10-04-81927.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-11-06-90616.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-12-06-39062.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog29-12-06-48319.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog30-01-04-81458.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog30-01-05-54253.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog30-03-07-87420.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog30-07-05-2731.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog31-07-06-88238.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog31-10-04-44363.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog31-10-06-87750.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog31-12-04-78924.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\NukerLog31-12-04-79189.txt
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Remove.reg
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\Setting.ini
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\SPYNUKER.exe
C:\PROGRAM FILES\TREK BLUE\Spyware Nuker\UnInstaller.exe
C:\PROGRAM FILES\TREK BLUE
C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER
C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\HELP
C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\INI
C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\LANG
C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\LSPLANG


My Adult Explorer Adware Bundler more information...
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1671579388-1012082796-3419798058-1005\SOFTWARE\LIFETIMEPORN
HKEY_USERS\S-1-5-21-1671579388-1012082796-3419798058-1005\SOFTWARE\LIFETIMEPORN
HKEY_USERS\S-1-5-21-1671579388-1012082796-3419798058-1005\SOFTWARE\LIFETIMEPORN
HKEY_USERS\S-1-5-21-1671579388-1012082796-3419798058-1005\SOFTWARE\LIFETIMEPORN
HKEY_USERS\S-1-5-21-1671579388-1012082796-3419798058-1005\SOFTWARE\LIFETIMEPORN

Sophos

Sophos Anti-Rootkit Version 1.3RC (data 1.06) © 2006 Sophos Plc
Started logging on 29/04/2007 at 15:04:17
Stopped logging on 29/04/2007 at 15:22:55

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 15:33:13, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHONY\LOCALS~1\Temp\Rar$EX00.109\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etel-internet.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.etel-internet.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Regards,

Anthony
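To show how a responder reads a log like the one above, here is an added Python example (it is not code from this thread, from HijackThis, or from any tool named here) that parses HijackThis-style lines and flags the four signs that matter in this case: an R1 proxy pointing at a public address, O17 DNS servers outside the expected list, O10 LSP DLLs not yet attributed to an installed product, and script files in Global Startup. The function and class names (`triage`, `Finding`, `is_public_ip`) are my own; the sample lines are constructed in the HijackThis v1.99 format using the ProxyServer, NameServer, LSP and Startup values quoted in this thread. It needs Python 3.8 or later.

```python
"""Triage a HijackThis-style log for the proxy/DNS/LSP/startup hijack signs
discussed in this thread. Added example: not code from the thread, HijackThis
or any of the tools named here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterator, List, Sequence, Tuple

# Constructed sample in the HijackThis v1.99 line format. The ProxyServer,
# NameServer, LSP and Global Startup values are the ones quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.149:80
O4 - Global Startup: pkyj.hta
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD0585EA-BAAB-46E4-AFDA-1F90F4C57DCF}: NameServer = 194.168.4.100 194.168.8.100
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")
LSP_RE = re.compile(r"Winsock LSP: (?P<path>.+)$", re.IGNORECASE)
STARTUP_RE = re.compile(r"Global Startup: (?P<name>.+)$")

# Script-type files that have no business in the all-users Startup folder.
SCRIPT_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf")


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "R1"
    severity: str  # "high" or "medium"
    detail: str


def is_public_ip(host: str) -> bool:
    """True when host is an IP literal outside private/loopback/link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def parse_entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every line that looks like a HijackThis entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(text: str, expected_resolvers: Sequence[str] = (),
           known_lsps: Sequence[str] = ()) -> List[Finding]:
    """Flag entries that match the hijack pattern seen in this thread.

    expected_resolvers: the ISP/router DNS servers the machine should use.
    known_lsps: LSP DLL paths already attributed to installed software.
    """
    findings: List[Finding] = []
    seen_lsps = set()
    known = {p.lower() for p in known_lsps}
    for kind, body in parse_entries(text):
        if kind == "R1" and (m := PROXY_RE.search(body)):
            host, port = m.group("host"), m.group("port") or "(default)"
            if is_public_ip(host):
                findings.append(Finding("R1", "high",
                    f"IE proxy set to public address {host}, port {port}; "
                    "a home machine with no corporate proxy should have none"))
        elif kind == "O17" and (m := NS_RE.search(body)):
            for ns in m.group("servers").split():
                if expected_resolvers and ns not in expected_resolvers:
                    findings.append(Finding("O17", "medium",
                        f"DNS server {ns} is not an expected resolver"))
        elif kind == "O10" and (m := LSP_RE.search(body)):
            path = m.group("path").strip().lower()
            if path in seen_lsps:
                continue  # HijackThis prints one line per LSP chain slot
            seen_lsps.add(path)
            if path not in known:
                findings.append(Finding("O10", "medium",
                    f"Winsock LSP {path} not attributed to an installed product; verify its owner"))
        elif kind == "O4" and (m := STARTUP_RE.search(body)):
            name = m.group("name").strip()
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("O4", "high",
                    f"script file {name} launches for every user at logon"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_resolvers=("194.168.4.100", "194.168.8.100")):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

The repeated O10 lines are collapsed to one finding because HijackThis lists the same DLL once per slot in the LSP chain; once the DLL is matched to an installed product (the log above also shows a download manager installed), pass its path in `known_lsps` so it stops being reported.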

#10 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 April 2007 - 10:35 AM

How to Remove Proxy Connection Settings in Internet Explorer 6:
http://support.mcihispeed.net/mu/500/psc/i...0/8445.mci.html

*****************************************

Download/unzip fix.reg which is attached to the bottom of this post.
Once unzipped, double-click on fix.reg and agree to merge it into the registry, then restart your PC.

*****************************************

Download\install IE7:
http://www.microsoft.com/windows/downloads/ie/getitnow.mspx

*****************************************

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder, then copy and paste the entire content of winpfind.txt into your next reply.
*NOTE*
It may take more than one reply to post the whole winpfind.txt.

Let me know what's happening now please.

#11 aj2007

  • Topic Starter

  • Members
  • 13 posts

Posted 29 April 2007 - 12:04 PM

Richie,

Thanks for the further advice but I am now in a real mess.

First IE7 would not download from the ms site you gave - it would not validate although the installed Windows is a genuine copy.

I managed to download IE 7 from Google - it validated OK but needed updates to be downloaded after rebooting.

Could not download updates as IE 7 would not connect - suspect hijacked.

In any case, I do not want IE7 - have tried it before and don't like the layout.

Can I restore to an earlier time without undoing any of your work so far?

Next Winpfind.exe would not open - loads of error messages too difficult to record.

Now pretty fed up!

Regards,

Anthony

#12 aj2007

  • Topic Starter

  • Members
  • 13 posts

Posted 29 April 2007 - 12:36 PM

Richie,

After I wrote the above reply, I tried IE 7 again and it worked once only going to Google Home Page. Also, favourites could be successfully called up. Then tried to log in to Windows Live Messenger but it would not - same problem as with IE6. Tried IE7 again, now being diverted again to same site as before.

Regards,

Anthony

#13 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 April 2007 - 02:07 PM

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

*******************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*

Don't forget to re-enable your antivirus program.

#14 aj2007

  • Topic Starter

  • Members
  • 13 posts

Posted 29 April 2007 - 02:42 PM

Richie,

I was unable to download BitDefender. When I use the link, the only option is to attempt to download IE7 again which fails because there is no validation code. If I paste the link into the existing IE7, it does not work because IE7 gets hijacked.

Here is the Fixwareout log:


Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"SystemTraySD"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"SDAutoLiveupdate"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
@=""
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Regards,

Anthony

#15 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 April 2007 - 05:49 PM

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open; at the bottom of the window, to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

*****************************

Download/install Mozilla Firefox:
http://www.mozilla.com/en-US/firefox/
Let me know if Firefox runs ok or not please.
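As an added illustration of what the HOSTS steps above protect against (this is my own example, not code from this thread, HostsXpert or Fixwareout), the Python below parses a HOSTS file, reports every mapping beyond the Windows XP default `127.0.0.1 localhost`, classes each as sinkholed (pointed at loopback or 0.0.0.0, which silently blocks a site such as a security vendor's update server) or redirected (pointed at some other host), and checks whether the file is Read-only as step 3 asks. The function names (`audit_hosts`, `is_read_only`) and the sample entries, which use the reserved `.invalid` TLD, are constructed for the example.

```python
"""Check a Windows HOSTS file for the entries a hijack leaves behind and
whether the file has been set Read-only, as the post above advises.
Added example: not code from the thread, HostsXpert or Fixwareout."""
import ipaddress
import os
import stat
from typing import Iterator, List, Tuple

# Constructed sample: the Windows XP default mapping plus two entries of the
# kind a hijacker adds. The hostnames use the reserved .invalid TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.example-av.invalid     # sinkholes a vendor update site
203.0.113.7     www.example-bank.invalid      # sends a site to a foreign host
"""

# Windows XP ships with exactly this mapping; anything else needs a reason.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (category, address, hostname) for every non-default entry.

    "sinkholed":  resolves to loopback or 0.0.0.0, so the name is silently blocked
    "redirected": resolves to some other host, so traffic for the name is diverted
    "malformed":  the address field does not parse as an IP
    """
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in DEFAULT_ENTRIES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", addr, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(("sinkholed", addr, name))
        else:
            findings.append(("redirected", addr, name))
    return findings


def is_read_only(path: str) -> bool:
    """True when no write bit is set; on Windows this mirrors the Read-only
    attribute from step 3 above. It is a speed bump, not a control: code
    running as the user can clear the attribute again."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    hosts_path = r"C:\WINDOWS\System32\drivers\etc\hosts"  # XP location given in the post
    for category, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{category:10} {addr:15} {name}")
    if os.path.exists(hosts_path):
        print("read-only:", is_read_only(hosts_path))
```

Run it against the real file by reading `hosts_path` instead of `SAMPLE_HOSTS`; an empty result from `audit_hosts` means the file is back to the Microsoft default that HostsXpert restores.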