Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log Please Help Diagnose


  • This topic is locked This topic is locked
11 replies to this topic

#1 Blastedw0lf4

Blastedw0lf4

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 09 May 2007 - 12:10 PM

yea....couple of pop-ups annoying the bleep out of me...hopefully some1 can take a look at this log..

Thanks!!!

-------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:06:46 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:36 PM

Posted 10 May 2007 - 08:59 AM

Hi,

* Go to start > controlpanel > software > Add or Remove Programs and uninstall WebHancer.
Then reboot.

When a computer is infected, first thing you should do is scan with your Antivirus scanner and Antispywarescanner.
Unfortunately I see these are not even installed here :thumbsup:

I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again.
After reboot, post a new HijackThislog in your next reply, so we can deal with the rest, because it really doesn't make sense that we try to clean this if you didn't do an effort to run a scan and at least install an Antivirus to prevent further infection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 15 May 2007 - 01:03 AM

k heres the latest hijack this post

Logfile of HijackThis v1.99.1
Scan saved at 1:57:09 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 15 May 2007 - 01:03 AM

k heres the latest hijack this post

Logfile of HijackThis v1.99.1
Scan saved at 1:57:09 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



k heres the latest hijack this post

Logfile of HijackThis v1.99.1
Scan saved at 1:57:09 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:36 PM

Posted 15 May 2007 - 06:25 AM

Hello,

Go to start > controlpanel > software > add/remove programs and uninstall WebHancer.
Reboot afterwards. Important!

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0001291
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
<== it's a bad idea to let p2p programs startup with Winows
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 15 May 2007 - 11:00 PM

alright when i go to add/remove programs and i look for 'webhancer' its not there...

but i did everything else and here r the posts

hijack this log

____________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 11:55:56 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

and now the combo fix log

____________________________________________________________
Danny - 07-05-15 23:32:43.65 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\anti-spyware shyt"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2
C:\Program Files\Common Files\{3C625743-0707-1033-0503-050811060001}
C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Danny\Application Data\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-15 to 2007-05-15 ))))))))))))))))))))))))))))))))))


2007-05-15 22:52 <DIR> d-------- C:\Program Files\GTR2
2007-05-15 15:28 <DIR> d-------- C:\WINDOWS\LastGood
2007-05-15 01:23 <DIR> d-------- C:\Program Files\Visual Pinball
2007-05-12 16:24 777,984 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-05-12 16:24 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-05-12 16:24 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-05-12 16:24 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-05-12 16:24 19,840 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-05-12 16:24 <DIR> d-------- C:\Program Files\Grisoft
2007-05-12 16:24 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\AVG7
2007-05-12 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-09 01:23 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-05-06 22:10 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-05-05 16:38 <DIR> d-------- C:\Program Files\SopCast
2007-05-05 16:38 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\SopCast
2007-05-03 03:08 <DIR> d-------- C:\Program Files\zbattle.net
2007-05-03 02:11 <DIR> d-------- C:\Program Files\LucasArts
2007-05-02 22:00 <DIR> d-------- C:\Program Files\Ipwindows
2007-05-01 11:50 <DIR> d-------- C:\Program Files\Ares
2007-04-25 02:29 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-15 23:34 -------- d-------- C:\Program Files\Common Files
2007-05-15 23:30 -------- d-------- C:\Program Files\HijackThis!
2007-05-15 13:15 -------- d-------- C:\Documents and Settings\Danny\Application Data\Azureus
2007-05-11 19:05 -------- d-------- C:\Program Files\mIRC
2007-05-09 01:18 -------- d-------- C:\Program Files\Internet Explorer
2007-05-06 19:42 -------- d-------- C:\Documents and Settings\Danny\Application Data\dvdcss
2007-05-03 02:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-05-02 00:07 -------- d-------- C:\Program Files\Steam
2007-05-01 11:29 -------- d-------- C:\Program Files\LimeWire
2007-04-25 03:26 -------- d-------- C:\Program Files\Microsoft ActiveSync
2007-04-18 23:56 -------- d-------- C:\Program Files\Java
2007-04-16 22:45 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-04-16 22:45 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-04-16 22:45 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-04-16 22:45 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-04-16 22:45 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-04-16 22:45 1710936 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-04-11 00:33 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-04-11 00:33 249856 --------- C:\WINDOWS\Setup1.exe
2007-04-03 10:46 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-03-27 23:23 65536 --a--c--- C:\WINDOWS\IFinst27.exe
2007-03-27 01:35 -------- d-------- C:\Program Files\DivX
2007-03-25 17:26 -------- d-------- C:\Program Files\NetMeeting
2007-03-23 17:08 26240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-03-21 07:56 -------- d-------- C:\Program Files\Common Files\InstallShield
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 10:07 -------- d-------- C:\Program Files\iTunes
2007-03-15 10:07 -------- d-------- C:\Program Files\iPod
2007-03-15 10:05 -------- d-------- C:\Program Files\QuickTime
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 13:45 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-03-07 13:45 51712 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2007-03-07 13:45 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2007-03-07 13:45 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-03-07 13:45 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-03-07 13:45 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-03-07 13:45 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-03-07 13:45 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-03-07 13:45 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-03-07 13:45 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-03-07 13:45 105984 --a------ C:\WINDOWS\system32\url.dll
2007-03-07 13:45 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-03-07 04:28 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-02-28 05:10 2180352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:38 2057600 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-27 04:20 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-02-23 00:29 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 00:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 00:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 00:25 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-02-23 00:25 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-02-23 00:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 00:25 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-02-23 00:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 00:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 00:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 00:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-21 17:50 2 --a------ C:\WINDOWS\system32\wtssvit.exe
2007-02-21 04:00 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-02-15 21:40 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Orb"="\"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"_NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Danny^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Danny\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="\"C:\\Program Files\\LimeWire\\LimeWire.exe\" -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAEMON Tools"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="\"rundll32.exe\" \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGServices"
"hkey"="HKLM"
"command"="C:\\Program Files\\ESPNRunTime\\DIGServices.exe /brand=ESPN /priority=0 /poll=24"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGStream"
"hkey"="HKLM"
"command"="C:\\Program Files\\DIGStream\\digstream.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Picasa Media Detector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Registry Cleaner Scheduler"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\CleanMyPC\\Registry Cleaner\\RCScheduler.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"c:\\program files\\steam\\steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TkBellExe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 07-05-15 23:34:17.42
C:\ComboFix.txt ... 07-05-15 23:34


thanks agen!!!!!!!

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:36 PM

Posted 16 May 2007 - 01:07 AM

Hi,

You are using an outdated version of Combofix. You were supposed to use the latest version.

Perform next step first please..

Go to start > run and type cmd
A dos Window will appear.
Type next in the dos window: netsh winsock reset
hit enter.

REBOOT your computer.

After reboot, download the latest version from Combofix (from the link I posted) and run it.
Then, after reboot, post the combofixlog in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 16 May 2007 - 11:22 AM

alright done all your steps now here r the new logs..

Hijack this Log

Logfile of HijackThis v1.99.1
Scan saved at 12:15:22 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: OrbThis - {0BF88E98-7ADC-44d6-8242-0BF87CD1BC14} - C:\Program Files\ORB Networks\OrbThis for IE\OrbIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

____________________________________________________________

and the combo fix logs

"Danny" - 2007-05-16 12:00:15 Service Pack 2
ComboFix 07-05.13.2.V - Running from: "C:\anti-spyware shyt\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wtssvit.exe
C:\Program Files\ipwindows
C:\Program Files\webhancer
C:\WINDOWS\system32\drivers\core.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\COM+ Messages
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-15 22:52 <DIR> d-------- C:\Program Files\GTR2
2007-05-15 01:23 <DIR> d-------- C:\Program Files\Visual Pinball
2007-05-06 22:10 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-05-05 16:38 <DIR> d-------- C:\Program Files\SopCast
2007-05-05 16:38 <DIR> d-------- C:\DOCUME~1\Danny\APPLIC~1\SopCast
2007-05-03 03:08 <DIR> d-------- C:\Program Files\zbattle.net
2007-05-03 02:11 <DIR> d-------- C:\Program Files\LucasArts
2007-05-01 11:50 <DIR> d-------- C:\Program Files\Ares
2007-04-25 02:29 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-16 15:39:52 -------- d-----w C:\DOCUME~1\Danny\APPLIC~1\Azureus
2007-05-16 03:55:52 -------- d-----w C:\Program Files\HijackThis!
2007-05-11 23:05:09 -------- d-----w C:\Program Files\mIRC
2007-05-06 23:42:07 -------- d-----w C:\DOCUME~1\Danny\APPLIC~1\dvdcss
2007-05-03 06:11:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-02 04:07:01 -------- d-----w C:\Program Files\Steam
2007-05-01 15:29:35 -------- d-----w C:\Program Files\LimeWire
2007-04-25 07:26:03 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-11 04:33:18 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-11 04:33:15 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-03-28 03:23:04 65,536 -c--a-w C:\WINDOWS\IFinst27.exe
2007-03-27 05:35:34 -------- d-----w C:\Program Files\DivX
2007-03-23 21:08:58 26,240 ----a-w C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-03-21 11:56:32 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 14:07:52 -------- d-----w C:\Program Files\iTunes
2007-03-15 14:07:40 -------- d-----w C:\Program Files\iPod
2007-03-15 14:05:30 -------- d-----w C:\Program Files\QuickTime
2007-03-12 04:14:18 -------- d-----w C:\DOCUME~1\Danny\APPLIC~1\DivX
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-23 04:29:58 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-02-23 04:29:49 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-02-23 04:29:49 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-02-23 04:25:24 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-02-23 04:25:24 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-02-23 04:25:23 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-02-23 04:25:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-02-23 04:25:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-02-23 04:25:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-02-23 04:25:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-02-23 04:25:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-02-23 04:25:19 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 04:25:19 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 04:25:19 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 04:25:19 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-02-16 01:40:35 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{601ED020-FB6C-11D3-87D8-0050DA59922B}=C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll [2004-08-18 14:35]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe])
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-24 20:48]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 04:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-12 16:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-04-06 20:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36]
"Steam"="" [])

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Orb"="\"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"!CleanupNetMeetingDispDriver"="\"C:\\WINDOWS\\system32\\rundll32.exe\" msconf.dll,CleanupNetMeetingDispDriver 0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"_NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^danny^start menu^programs^startup^limewire on startup.lnk
"C:\Program Files\LimeWire\LimeWire.exe" -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim
C:\Program Files\AIM\aim.exe -cnetwait.odl

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\deadaim
"rundll32.exe" "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\digservices
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\digstream
C:\Program Files\DIGStream\digstream.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picasa media detector
C:\Program Files\Picasa2\PicasaMediaDetector.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\registry cleaner scheduler
"C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\steam
"c:\program files\steam\steam.exe" -silent

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Madden07.exe

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070515-233147-735
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
backup-20070515-233148-244
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
backup-20070515-233147-560
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
backup-20070515-233147-340
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
backup-20070515-233147-706
O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0001291
backup-20070102-000911-888
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C625~1\Bar888.dll (file missing)
backup-20070102-000911-131
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C625~1\Bar888.dll (file missing)
backup-20070102-000911-792
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
backup-20070102-000911-702
O4 - HKLM\..\Run: [{CC625743-0707-1033-0503-050811060001}] "C:\Program Files\Common Files\{CC625743-0707-1033-0503-050811060001}\Update.exe" mc-110-12-0000137
backup-20070102-000911-525
O4 - HKCU\..\Run: [uiow] C:\PROGRA~1\COMMON~1\uiow\uiowm.exe
backup-20070102-000911-493
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
backup-20070102-000911-881
O2 - BHO: (no name) - {B1AA7A55-C09F-CA38-BB49-9E6C23685196} - C:\WINDOWS\system32\pzvfu.dll (file missing)
backup-20060917-161802-975
O4 - HKCU\..\Run: [MSN Messenger] C:\WINDOWS\explorer..exe
backup-20060917-161802-992
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\explorer..exe
backup-20060917-040824-964
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
backup-20060917-040824-958
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
backup-20060917-040824-830
O15 - Trusted Zone: *.mmohsix.com
backup-20060917-040824-798
O4 - HKCU\..\Run: [MSN Messenger] C:\WINDOWS\explorer..exe
backup-20060917-040824-611
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\explorer..exe
backup-20060917-040824-296
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
backup-20060917-040824-193
O15 - Trusted Zone: *.media-motor.net
backup-20060624-181050-962
O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
backup-20060624-161808-924
O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
backup-20060624-161808-693
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
backup-20060624-155956-768
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
backup-20060624-155953-843
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
backup-20060624-142741-911
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
backup-20060624-142741-212
O4 - HKLM\..\Run: [ms04970365-865] C:\WINDOWS\ms04970365-865.exe
backup-20060624-142741-178
O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
backup-20060624-142741-817
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20060624-142741-808
R3 - URLSearchHook: (no name) - {5F217341-CC82-9774-A560-9C1CF5EFE4CF} - (no file)
backup-20060623-204259-612
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
backup-20060623-204259-520
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rjkrc.exe
backup-20060623-204259-437
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cervmbi.exe
backup-20060623-204259-216
O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
backup-20051025-113040-864
O4 - HKLM\..\Run: [] winlog.exe
backup-20051025-113040-392
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
backup-20051025-113040-809
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
backup-20051025-113040-546
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
backup-20051025-113040-193
O4 - HKLM\..\RunServices: [] winlog.exe
backup-20051025-113040-227
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20051025-113040-832
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
backup-20051025-113040-990
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\XoftSpy.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 12:04:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-16 12:06:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-16 12:06



1999-12-23 09:12	  11264	--a--c---	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\sporder.dll.vir
2006-11-16 04:33	  249856	--a--c---	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir
2006-11-16 04:36	  114688	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir
2006-11-16 04:36	  151552	--a--c---	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir
2006-11-16 04:37	  565248	--a--c---	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whagent.exe.vir
2006-12-30 07:47	  211	--a--c---	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whAgent.ini.vir
2006-12-30 19:29	  910	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\unsvchosts.lzma.vir
2007-02-21 17:50	  2	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wtssvit.exe.vir
2007-05-09 01:23	  162344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2007-05-09 01:23	  72320	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
2007-05-16 12:02	  1220	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-05-16 12:02	  2850	--a------	C:\Qoobox\Quarantine\Registry_backups\services_COM+ Messages.reg.cf
2007-05-16 12:02	  832	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
2007-05-16 12:02	  846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_COM+_MESSAGES.reg.cf
2007-05-16 12:02	  862	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
2007-05-16 12:02	  994	--a------	C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf


Folder PATH listing
Volume serial number is CC62-5743
C:\QOOBOX
\---Quarantine
	+---C
	|   +---Program Files
	|   |   \---webHancer
	|   |	   \---Programs
	|   |			   sporder.dll.vir
	|   |			   webhdll.dll.vir
	|   |			   whagent.exe.vir
	|   |			   whAgent.ini.vir
	|   |			   whiehlpr.dll.vir
	|   |			   whinstaller.exe.vir
	|   |			   
	|   \---WINDOWS
	|	   \---system32
	|		   |   unsvchosts.lzma.vir
	|		   |   wtssvit.exe.vir
	|		   |   
	|		   \---drivers
	|				   core.cache.dsk.vir
	|				   core.sys.vir
	|				   
	\---Registry_backups
			LEGACY_CMDSERVICE.reg.cf
			LEGACY_COM+_MESSAGES.reg.cf
			LEGACY_CORE.reg.cf
			LEGACY_NETWORK_MONITOR.reg.cf
			services_COM+ Messages.reg.cf
			services_core.reg.cf


#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:36 PM

Posted 16 May 2007 - 11:29 AM

Hello,

Combofix already solved your problems - see why it was so important you used the latest version? :thumbsup:
Anyway, your logs look clean again.
Let me know in your next reply how things are now. Popups should be gone normally.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 16 May 2007 - 02:42 PM

yes mam no more pop-ups..i do thank you for taking your time in helping me...if i recall correctly you helped me 1nce b4 lol...i guess its a small world...anyway thank you agen and cheers!

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:36 PM

Posted 16 May 2007 - 02:54 PM

Yes, I actually helped you already 2 times before - lol:
http://www.bleepingcomputer.com/forums/t/65084/please-help-diagnose/ <== that was a nasty one
http://www.bleepingcomputer.com/forums/t/33557/hjt-log-file-please-help-diagnose/

Anyway, it seems like you manage to get infected every two months :thumbsup:
So I can't stress enough how important it is you read my prevention page here, this to prevent this in the future - because I guess you never read the prevention tips previously, otherwise this wouldn't have happened...
Actually, you were still lucky that we were able to help you - but in some cases, the huge malware bundles may damage so much that a format and a reinstall is the only solution.
So please stay away from illegal sites and illegal software.

And keep this system clean :flowers:

Edited by miekiemoes, 16 May 2007 - 02:54 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:36 PM

Posted 18 May 2007 - 07:14 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users