Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Relentless Popups With Ie - Tried Everything?


  • This topic is locked This topic is locked
9 replies to this topic

#1 e_burrell

e_burrell

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 15 May 2007 - 12:02 AM

[font=Garamond]

I am having a ton of trouble locating/fixing relentless popups within Internet Explorer. I've run AVG Virus, Ad-Aware SE Personal, Spyware Doctor, Rogue Remover, Spybot Search/Destroy, and Bit Defender. All have found various issues and corrected them, but I'm still having my popup issues.

Internet Explorer will slow down and eventually just cease to run. I've gone through your preparation guide step by step and done what was asked. Please also note that while running Spyware Doctor, it would notify me almost constantly of the following .dll files trying to gain access winlogon (mllji.dll, jkkjj.dll, gebyy.dll).

Here's my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:28 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mtabppyi.dll",realset
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nlctheatres.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14f6ea2bb8686e...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839962334
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839955771
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



I would be VERY appreciative if someone could look through this and tell me what exactly I should do. Thanks a million.

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 15 May 2007 - 03:38 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum e_burrell :thumbsup:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


************************

Now go to:
C:\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 e_burrell

e_burrell
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 15 May 2007 - 08:08 AM

Thanks for the help. Please note that I received the following error after running vundofix and rebooting: "Error Loading C:/windows/system32/mtabppyi.dll The specified module could not be found". Let me know if it looks like we're now clean, or if I'll need to do anything else. Thanks again for getting back to me so quickly!

Eli



VundoFix V6.3.21

Checking Java version...

Scan started at 8:05:21 PM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\system32\oqtwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Scan started at 11:40:52 PM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Scan started at 12:11:34 PM 5/14/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.23

Checking Java version...

Scan started at 7:24:11 AM 5/15/2007

Listing files found while scanning....

C:\WINDOWS\system32\akroemgn.dll
C:\WINDOWS\system32\dfvyidrd.dll
C:\WINDOWS\system32\drdiyvfd.ini
C:\WINDOWS\system32\gyfrbrpl.dll
C:\WINDOWS\system32\iqckvryy.ini
C:\WINDOWS\system32\iyppbatm.ini
C:\WINDOWS\system32\lprbrfyg.ini
C:\WINDOWS\system32\mtabppyi.dll
C:\WINDOWS\system32\ngmeorka.ini
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\yyrvkcqi.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\akroemgn.dll
C:\WINDOWS\system32\akroemgn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfvyidrd.dll
C:\WINDOWS\system32\dfvyidrd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\drdiyvfd.ini
C:\WINDOWS\system32\drdiyvfd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gyfrbrpl.dll
C:\WINDOWS\system32\gyfrbrpl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iqckvryy.ini
C:\WINDOWS\system32\iqckvryy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iyppbatm.ini
C:\WINDOWS\system32\iyppbatm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lprbrfyg.ini
C:\WINDOWS\system32\lprbrfyg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mtabppyi.dll
C:\WINDOWS\system32\mtabppyi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ngmeorka.ini
C:\WINDOWS\system32\ngmeorka.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyrvkcqi.dll
C:\WINDOWS\system32\yyrvkcqi.dll Has been deleted!

Performing Repairs to the registry.
Done!




"Eli&Polly" - 2007-05-15 7:43:33 Service Pack 2
ComboFix 07-05.15.5.V - Running from: "C:\Documents and Settings\Eli&Polly\Desktop\"

/wow section - STAGE #7B

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\bwurhgii.dll
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\tuvutrr.dll
C:\WINDOWS\system32\tuvvtqp.dll
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\efcyvuv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\DOCUME~1\ELI\ntuser.ini
C:\DOCUME~1\ELI\vundofix.txt
C:\Temp\17O7\tmpTF.log
C:\WINDOWS\system32\drivers\npf.sys
C:\DOCUME~1\ELI
C:\WINDOWS\system32\smpi1
C:\Temp\17O7


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm
-------\NPF


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-15 ))))))))))))))))))))))))))))))))))


2007-05-15 07:42 1,083,455 --a------ C:\ComboFix.exe
2007-05-14 23:57 <DIR> d-------- C:\HijackThis
2007-05-14 22:25 1,893,383 --a------ C:\stinger.exe
2007-05-14 22:04 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-05-14 20:01 <DIR> d-------- C:\DOCUME~1\ELI&PO~1\.housecall6.6
2007-05-14 16:23 <DIR> d-------- C:\DOCUME~1\ELI&PO~1\APPLIC~1\SpywareBot
2007-05-14 15:48 1,465,795 ---hs---- C:\WINDOWS\system32\ghkmp.bak1
2007-05-14 13:09 1,465,712 ---hs---- C:\WINDOWS\system32\yybeg.bak1
2007-05-14 11:50 1,465,752 ---hs---- C:\WINDOWS\system32\jjkkj.bak1
2007-05-14 11:11 1,465,752 ---hs---- C:\WINDOWS\system32\kmllm.bak1
2007-05-14 04:22 1,469,090 ---hs---- C:\WINDOWS\system32\wyadd.ini2
2007-05-13 22:17 3,032 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-13 22:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-13 22:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-13 22:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-13 20:19 <DIR> d-------- C:\Program Files\RogueRemover
2007-05-13 20:05 <DIR> d-------- C:\VundoFix Backups
2007-05-13 18:04 <DIR> d-------- C:\ComboFixT
2007-05-13 14:19 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-13 14:19 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-13 14:19 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-13 14:19 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-13 14:19 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-13 14:19 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-13 14:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-13 14:19 <DIR> d-------- C:\DOCUME~1\ELI&PO~1\APPLIC~1\PC Tools
2007-05-13 14:17 19,731,496 --a------ C:\sdsetup.exe
2007-05-12 23:00 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-12 23:00 <DIR> d-------- C:\Temp
2007-05-06 22:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-06 22:46 <DIR> d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-05-06 22:45 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-05-06 22:42 54,654,008 --a------ C:\LogitechHarmonyRemote7.3.0-WIN-x86.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-15 04:27:57 -------- d-----w C:\DOCUME~1\ELI&PO~1\APPLIC~1\DVD Profiler
2007-05-15 03:37:10 -------- d-----w C:\Program Files\DVD Profiler
2007-05-15 02:56:12 -------- d-----w C:\Program Files\PowerDVD
2007-05-15 01:04:46 -------- d-----w C:\Program Files\messenger
2007-05-14 00:51:35 -------- d-----w C:\Program Files\RegScrubXP
2007-05-13 19:44:14 -------- d---a-w C:\Program Files\Lycos
2007-05-13 17:45:18 -------- d-----w C:\Program Files\Viewpoint
2007-05-13 17:44:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-13 17:44:36 -------- d-----w C:\Program Files\Logitech
2007-05-13 13:24:54 -------- d-----w C:\Program Files\DC++
2007-05-13 01:17:41 -------- d-----w C:\Program Files\QuickTime
2007-04-07 22:40:55 8,722 ----a-w C:\WINDOWS\hh.dat
2007-04-07 16:31:59 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-04-01 07:04:52 -------- d-----w C:\DOCUME~1\ELI&PO~1\APPLIC~1\dvdcss
2007-03-22 06:08:52 -------- d-----w C:\Program Files\LucasArts
2007-03-21 04:20:11 27,307 ----a-w C:\WINDOWS\mozver.dat
2007-03-21 04:10:11 -------- d-----w C:\Program Files\Metalex Soft
2007-03-19 08:09:43 -------- d-----w C:\Program Files\Netflix
2007-03-19 03:28:54 -------- d-----w C:\Program Files\SlySoft
2007-03-19 02:58:43 -------- d-----w C:\DOCUME~1\ELI&PO~1\APPLIC~1\RipIt4Me
2007-03-17 23:05:44 -------- d-----w C:\Program Files\iTunes
2007-03-17 23:05:40 -------- d-----w C:\Program Files\iPod
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{0C85D8FA-9E82-4A57-962B-E44A1A94B704}=C:\WINDOWS\system32\awtqo.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\common\yiesrvc.dll [2005-05-26 12:39]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\common\YIeTagBm.dll [2005-01-24 10:55]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{8618D131-72CD-40F9-8300-C06A6629E979}=C:\WINDOWS\system32\mljji.dll []
{A80C4EA6-1685-4F03-9F3D-03FDC3A6F57C}=C:\WINDOWS\system32\gebyy.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}=C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll [2004-07-19 21:16]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 18:07]
{F2E4D23A-87B5-41F4-9488-2BF8822BEDA3}=C:\WINDOWS\system32\pmkhg.dll []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 04:06]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 15:02]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-26 15:36]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 20:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 10:28]
"WindowsUpdate"="C:\WINDOWS\system32\mtabppyi.dll" []
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 12:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 17:43]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-15 16:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 16:48]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
Shell=Explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\gebyy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\jkkjj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mljji]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mllmk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\vtstq]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1057803113.job
C:\WINDOWS\tasks\McAfee.com Update Check (BURRELL-Eli&Polly).job
C:\WINDOWS\tasks\McAfee.com Update Check (BURRELL-Eli).job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-15 07:54:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Eli&Polly\My Documents\My Music\In search of..\In search of..
C:\Documents and Settings\Eli&Polly\My Documents\My Music\In search of..\In search of..\Provider.mp3 6389760 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


********************************************************************

Completion time: 2007-05-15 7:57:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-15 07:57



Logfile of HijackThis v1.99.1
Scan saved at 8:01:04 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C85D8FA-9E82-4A57-962B-E44A1A94B704} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8618D131-72CD-40F9-8300-C06A6629E979} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {A80C4EA6-1685-4F03-9F3D-03FDC3A6F57C} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F2E4D23A-87B5-41F4-9488-2BF8822BEDA3} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mtabppyi.dll",realset
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nlctheatres.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14f6ea2bb8686e...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839962334
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839955771
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 15 May 2007 - 08:20 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\ghkmp.bak1
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\kmllm.bak1
C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\system32\mtabppyi.dll

Folders to delete:
C:\Program Files\Viewpoint
C:\Program Files\SpywareBot

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 e_burrell

e_burrell
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 15 May 2007 - 10:53 AM

Ok, here goes. Still getting the error message upon reboot.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ygdfbado

*******************

Script file located at: \??\C:\Documents and Settings\amxtbtlx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ghkmp.bak1 deleted successfully.
File C:\WINDOWS\system32\yybeg.bak1 deleted successfully.
File C:\WINDOWS\system32\jjkkj.bak1 deleted successfully.
File C:\WINDOWS\system32\kmllm.bak1 deleted successfully.
File C:\WINDOWS\system32\wyadd.ini2 deleted successfully.


File C:\WINDOWS\system32\mtabppyi.dll not found!
Deletion of file C:\WINDOWS\system32\mtabppyi.dll failed!

Could not process line:
C:\WINDOWS\system32\mtabppyi.dll
Status: 0xc0000034

Folder C:\Program Files\Viewpoint deleted successfully.


Folder C:\Program Files\SpywareBot not found!
Deletion of folder C:\Program Files\SpywareBot failed!

Could not process line:
C:\Program Files\SpywareBot
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 10:49:47 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C85D8FA-9E82-4A57-962B-E44A1A94B704} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8618D131-72CD-40F9-8300-C06A6629E979} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {A80C4EA6-1685-4F03-9F3D-03FDC3A6F57C} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F2E4D23A-87B5-41F4-9488-2BF8822BEDA3} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mtabppyi.dll",realset
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nlctheatres.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14f6ea2bb8686e...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839962334
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839955771
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 15 May 2007 - 11:21 AM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0C85D8FA-9E82-4A57-962B-E44A1A94B704} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {8618D131-72CD-40F9-8300-C06A6629E979} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {A80C4EA6-1685-4F03-9F3D-03FDC3A6F57C} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: (no name) - {F2E4D23A-87B5-41F4-9488-2BF8822BEDA3} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mtabppyi.dll",realset
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nlctheatres.com/CFIDE/classes/CFJava.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20 - Winlogon Notify: vtstq - C:\WINDOWS\


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#7 e_burrell

e_burrell
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 15 May 2007 - 04:36 PM

Seems to have found a bunch of stuff and (?) cleaned it. Haven't had any popups since. Do I look clean?


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:22:37 PM 5/15/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\efcyvuv.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvutrr.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvvtqp.dll.vir -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@blockbuster.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@hollywoodentertainment.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@livemercial.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.111:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.114:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.115:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.118:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.199:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.200:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@track.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.182:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.183:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.184:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.185:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.186:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.94:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.154:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.98:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.95:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.96:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.97:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.99:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.58:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.59:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.60:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.861:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.862:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@ehg-traderelectronicmedia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
:mozilla.151:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.152:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.153:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.790:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.131:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.71:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.156:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.590:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.591:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.592:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.759:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.113:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.116:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.117:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.119:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.50:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.52:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.53:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.54:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.741:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.797:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.134:C:\Documents and Settings\Eli&Polly\Application Data\Mozilla\Firefox\Profiles\50ele9io.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Eli&Polly\Cookies\eli&polly@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\EnsignGames\DS\DreamStripper-Start.exe -> Trojan.Small : Cleaned.
C:\Program Files\EnsignGames\DreamStripper\DreamStripper-Start.exe -> Trojan.Small : Cleaned.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 4:27:34 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\abc.bat
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14f6ea2bb8686e...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839962334
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145839955771
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 15 May 2007 - 05:41 PM

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
C:\ComboFix.exe
C:\QooBox
C:\Vundofix.exe
C:\VundoFix Backups
C:\ComboFixT
C:\Avenger

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#9 e_burrell

e_burrell
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 16 May 2007 - 01:32 AM

Thank you so much. About an hour now and no popups. You rule!

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 16 May 2007 - 01:55 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users