
Can This Computer Be Saved?



#1 Bamad


Posted 16 May 2007 - 08:46 PM

Hi,
Recently I was asked to look at my boss's son's computer, which was having problems. I first noticed that Norton's anti-virus was disabled with definitions from 2005. Ad-Aware and Spy-Bot were outdated too, and there was no active firewall. I'm having a hard time getting this computer connected to the internet, so I ran Ad-Aware and Spy-bot with the outdated definitions and removed numerous infections. I have a copy of AVG on a USB drive that I installed and ran. In the hour that AVG ran before going home it found 17 infections (mainly trojans).
Took the computer home and ran AVG again with a complete scan and found 141 more infections. I then installed via USB drive a copy of AVG anti-spyware and ran it. It found over 1700 infections. I did manually update AVG, Ad-Aware and Spy-Bot and ran them. All have removed various infections but keep finding new ones if I run them again. This computer still takes a long time to load, and I get an "IE_updater has encountered a problem and must close" error and a runtime error "Program C:\WINDOWS\system32\nwinrpdv.exe" abnormal program termination. This computer is still not connected to the internet, but using a USB drive and my computer I can get files installed. HiJackThis log follows.

Thank You for your time.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:33 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fnswxex.exe
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [dbygnv] C:\WINDOWS\system32\djuonx.exe reg_run
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cra.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\z6.exe SKY003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinrpdv.exe CORN004
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ywgho] C:\WINDOWS\system32\djuonx.exe reg_run
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\z6.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\nwinrpdv.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C17E994-D3FD-43AF-A3E8-BE5657E73095}: NameServer = 192.168.1.1
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

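The helper's replies below work from the O-lines of this log. As an added example that is not part of the thread and not HijackThis' own code, the Python script below parses such lines and flags the entries a malware helper checks first; the sample is constructed from lines of the log above, and the heuristics (trusted directories, lookalike names, temp-path rule) are this editor's assumptions.

```python
"""HijackThis log triage. Parses the "Oxx - ..." lines and flags the
persistence points a helper checks first: a second program in the F2
UserInit value, O4 autostarts from temp/profile paths or with names that
mimic core Windows binaries, O10 unknown Winsock LSP modules, O20 Winlogon
Notify hooks and O23 services with no publisher. Added example; the
heuristics below are the editor's assumptions, not HijackThis rules."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fnswxex.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jsiuipc.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Directories the real copies of the core binaries live in (assumption).
TRUSTED_DIRS = (r"c:\windows", r"c:\windows\system32")
# Names malware commonly borrows from core Windows binaries (assumption).
SYSTEM_NAMES = ("svchost", "explorer", "lsass", "csrss", "winlogon")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def target_path(body: str) -> str:
    """File path from an O4 body ('[name] path') or an O20/O23 body ('... - path')."""
    path = body.split("] ", 1)[1] if "] " in body else body.rsplit(" - ", 1)[-1]
    return path.replace("(file missing)", "").strip().strip('"')


def from_temp_or_profile(path: str) -> bool:
    p = path.lower()
    return p.startswith((r"c:\docume~1", r"c:\documents and settings")) or "\\temp\\" in p


def system_lookalike(path: str) -> bool:
    """True for e.g. svchostsys.exe anywhere, or svchost.exe outside TRUSTED_DIRS."""
    parent, _, name = path.lower().rpartition("\\")
    stem = name.split(".")[0]
    for sys_name in SYSTEM_NAMES:
        if stem.startswith(sys_name):
            return stem != sys_name or parent not in TRUSTED_DIRS
    return False


def triage(log_text: str) -> list:
    findings, seen_lsp = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        sec, body, line = m.group("sec"), m.group("body"), m.group(0)
        if sec == "F2" and "UserInit=" in body:
            # A clean value is userinit.exe alone; anything after the comma is extra.
            progs = body.split("UserInit=", 1)[1].split(",")
            extra = [x for x in progs if x and not x.lower().endswith("userinit.exe")]
            if extra:
                findings.append(Finding(sec, "extra UserInit program: " + ",".join(extra), line))
        elif sec == "O4":
            path = target_path(body)
            if from_temp_or_profile(path):
                findings.append(Finding(sec, "autostart from temp/profile path", line))
            elif system_lookalike(path):
                findings.append(Finding(sec, "system-binary lookalike name", line))
        elif sec == "O10":
            module = body.rsplit(": ", 1)[-1].lower()
            if module not in seen_lsp:  # one DLL shows up once per LSP catalog entry
                seen_lsp.add(module)
                findings.append(Finding(sec, "unknown Winsock LSP module", line))
        elif sec == "O20":
            missing = " (file missing)" if "(file missing)" in body else ""
            findings.append(Finding(sec, "Winlogon Notify hook" + missing, line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "service with no publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<40} {f.line}")
```

Run against the full log above, the script collapses the 25 repeated O10 lines into one finding and leaves the signed NVIDIA, AVG and Adobe entries alone.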

#2 jurgenv


Posted 17 May 2007 - 05:44 AM

Go to http://www.virustotal.com/en/indexf.html and upload the following file:

c:\windows\system32\jsiuipc.dll

Post the results of it here.


* Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
4. Run Goldun fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread with the results of Virustotal.

Greets Jürgenv


#3 Bamad


Posted 18 May 2007 - 08:22 AM

jurgenv,
Since I can't get this computer connected to the internet yet, I copied the jsiuipc.dll to my computer to upload. AVG immediately detected a threat (trojan horse PSW.generic4.EPS) and healed it. So uploading to Virustotal is going to be difficult. I downloaded Haxfix and ran it. The log file that it created is 890kb; should I still post it, or break it up and attach it?

#4 jurgenv


Posted 18 May 2007 - 08:31 AM

Attach it here. But first do this:

* Please download LSPfix from here:
http://www.downloads.subratam.org/lspfix.zip
Unzip it to the desktop and run it. Check "I know what I'm doing", and then select each instance of "jsiuipc.dll" in the left-hand panel and click >> to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.
Greets Jürgenv


#5 Bamad


Posted 18 May 2007 - 09:49 AM

jurgenv
I downloaded and ran lspfix. It found 1 instance of jsiuipc.dll and removed it. The result window said "47 Protocol provider entries removed".
The zip file of the haxfix log is attached.



#6 jurgenv


Posted 18 May 2007 - 10:34 AM

  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.
* Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
Greets Jürgenv


#7 Bamad


Posted 18 May 2007 - 12:30 PM

Thanks for all your help so far,

I ran fix.bat option 2 and got the message "No haxdoor Goldun infection found", then it took me back to the main menu. I downloaded and ran Rustbfix. It generated pelog.txt but did not reboot. The pelog.txt follows. I also copied the haxfix.txt. There was no avenger.txt.

************************* Rustock.b-fix -- By ejvindh *************************
Fri 05/18/2007 12:44:49.67

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
:lzx32.sy_ 78222
Total size: 78222 bytes.
Attempting to remove ADS...
system32: deleted 78222 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


HAXFIX logfile - by Marckie

version 4.43
Fri 05/18/2007 12:42:21.12

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:


checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


Finished

A current HJT log
Logfile of HijackThis v1.99.1
Scan saved at 12:55:04 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\notepad.exe
C:\Hijack\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fnswxex.exe
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [dbygnv] C:\WINDOWS\system32\djuonx.exe reg_run
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cra.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\z6.exe SKY003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinrpdv.exe CORN004
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ywgho] C:\WINDOWS\system32\djuonx.exe reg_run
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\z6.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\nwinrpdv.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C17E994-D3FD-43AF-A3E8-BE5657E73095}: NameServer = 192.168.1.1
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

#8 jurgenv


Posted 18 May 2007 - 03:01 PM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Greets Jürgenv


#9 Bamad


Posted 18 May 2007 - 06:26 PM

Hi jurgenv!

Downloaded combofix and ran it. Combofix rebooted the computer and started to create the log file. Then the computer rebooted again. Using Windows Explorer, I went to look for the combofix log file and the computer rebooted again. This time I started in safe mode and found a combofix.txt.bat file in the root dir. I ran this and it created the combofix.txt file. I copied this file to my USB drive and rebooted to normal mode, ran HiJackThis, found the txt file, copied it to my USB drive, and the computer rebooted again. Now it has been working without rebooting for over 15 min. Also, when it does boot, Windows loads much faster than before. The log files you asked for follow.

Combofix text file

"Owner" - 2007-05-18 18:32:57 Service Pack 2
ComboFix 07-05.17.6.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))



No infected Qoologic files found. Reg entries were fixed


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard131.dat
C:\WINDOWS\keyboard141.dat
C:\WINDOWS\keyboard151.dat
C:\WINDOWS\keyboard161.dat
C:\WINDOWS\keyboard171.dat
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\RunOnce3.tm_
C:\WINDOWS\system32\RunOnce3.t__
C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat
C:\DOCUME~1\Owner\APPLIC~1\Dxcuknwrd.dll
C:\WINDOWS\703764609.exe
C:\WINDOWS\704966125.exe
C:\WINDOWS\706167031.exe
C:\WINDOWS\707367906.exe
C:\WINDOWS\708568765.exe
C:\WINDOWS\709769656.exe
C:\WINDOWS\710970750.exe
C:\WINDOWS\712171593.exe
C:\WINDOWS\713372578.exe
C:\WINDOWS\714573578.exe
C:\WINDOWS\715774484.exe
C:\WINDOWS\716975390.exe
C:\WINDOWS\718176203.exe
C:\WINDOWS\719377921.exe
C:\WINDOWS\720578828.exe
C:\WINDOWS\721779718.exe
C:\WINDOWS\725423000.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\max1d164v.exe
C:\Program Files\Common Files\misc001\webhc1.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{34EC3~1\Bar888.dll
C:\Program Files\Common Files\{34EC3~1\UnInstall.exe
C:\WINDOWS\system32\bk.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\wapisvit.exe
C:\Documents and Settings\All Users\..\ie_updater.exe
C:\WINDOWS\system32\jsiuipc.dll
C:\Program Files\Common Files\misc001
C:\Program Files\ipwindows
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{34EC3~1
C:\Program Files\Common Files\{74EC3~1
C:\WINDOWS\system32\a3dxx.dll
C:\cp1041.nls
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\ECURIT~1
C:\qoobox\purity\C\Program Files\Common Files\SCURIT~1
C:\qoobox\purity\C\WINDOWS\system32\PPPATC~1
C:\qoobox\purity\C\WINDOWS\system32\STEM~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DRIVERPP
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NEW_DRV
-------\LEGACY_NTLDR.SYS
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Client IP-IPX
-------\driverpp
-------\ntldr.sys


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


2007-05-18 12:44 <DIR> d----c--- C:\Rustbfix
2007-05-17 22:48 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-05-17 22:48 9,006 --a--c--- C:\clean.bat
2007-05-17 22:48 86,528 --a------ C:\WINDOWS\system32\catchme.exe
2007-05-17 22:48 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-05-17 22:48 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-04-29 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-29 19:12 <DIR> d-------- C:\Program Files\RegCure
2007-04-28 20:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-27 23:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-04-27 23:01 2,456 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-27 21:30 <DIR> d----c--- C:\VundoFix Backups
2007-04-27 18:36 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-04-27 14:19 <DIR> d----c--- C:\Hijack
2007-04-27 13:57 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-04-27 13:57 32,768 --a------ C:\WINDOWS\system32\GTGina.dll
2007-04-27 13:57 245,504 --a------ C:\WINDOWS\system32\rt73.sys
2007-04-27 13:57 245,504 --a------ C:\WINDOWS\system32\drivers\rt73.sys
2007-04-27 13:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-04-27 13:57 2,048 --a------ C:\WINDOWS\system32\rt73.bin
2007-04-27 13:57 2,048 --a------ C:\WINDOWS\system32\drivers\rt73.bin
2007-04-27 13:57 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2007-04-27 13:57 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-04-27 13:57 17,992 --a------ C:\WINDOWS\bcm42rly.sys
2007-04-27 13:57 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2007-04-27 13:57 <DIR> d-------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2007-04-23 22:22 135,432 --a------ C:\WINDOWS\system32\abcdefgh.dll
2007-04-19 12:35 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-04-19 12:34 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-18 22:20:36 -------- d-----w C:\Program Files\Plaxo
2007-05-11 21:17:10 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-10 00:52:45 -------- d-----w C:\Program Files\Symantec
2007-05-09 03:26:32 -------- d-----w C:\Program Files\QuickTime
2007-05-09 03:26:32 -------- d-----w C:\Program Files\Multimedia Card Reader
2007-05-09 03:26:32 -------- d-----w C:\Program Files\iTunes
2007-05-09 03:26:31 -------- d-----w C:\Program Files\SymNetDrv
2007-05-09 02:00:20 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-05-08 22:10:55 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-08 21:19:49 12 ----a-w C:\WINDOWS\system32\sl.bin
2007-04-29 03:56:51 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-29 03:34:16 -------- d-----w C:\Program Files\Viewpoint
2007-04-28 01:19:32 -------- d-----w C:\Program Files\Common Files\mmfo
2007-04-27 17:57:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-27 01:17:53 401 ----a-w C:\WINDOWS\cebue.dll
2007-04-24 01:55:43 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-23 00:28:51 106,496 ----a-w C:\WINDOWS\Sloopy7.exe
2007-04-23 00:28:28 932 ----a-w C:\WINDOWS\system32\winpfz32.sys
2007-04-17 22:11:22 -------- d-----w C:\Program Files\AIM
2007-04-17 00:10:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Aim
2007-04-14 21:33:32 18,432 ----a-w C:\WINDOWS\sysrlb32.exe
2007-04-14 21:21:49 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-14 21:09:53 184,428 ----a-w C:\WINDOWS\system32\nwinrpdv.exe
2007-04-14 17:20:45 27,904 ----a-w C:\WINDOWS\vxddsk.exe
2007-04-14 17:20:44 29,952 ----a-w C:\WINDOWS\satmat.exe
2007-04-14 17:20:44 18,688 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-04-14 17:20:44 16,384 ----a-w C:\WINDOWS\wml.exe
2007-04-14 17:20:44 14,336 ----a-w C:\WINDOWS\system32\wml.exe
2007-04-14 17:20:43 29,696 ----a-w C:\WINDOWS\flt.dll
2007-04-14 17:20:43 11,008 ----a-w C:\WINDOWS\7search.dll
2007-04-14 17:20:42 29,184 ----a-w C:\WINDOWS\pbar.dll
2007-04-14 17:20:40 9,472 ----a-w C:\WINDOWS\stcloader.exe
2007-04-14 17:20:40 32,000 ----a-w C:\WINDOWS\voiceip.dll
2007-04-14 17:20:40 28,416 ----a-w C:\WINDOWS\cdsm32.dll
2007-04-14 17:20:40 17,408 ----a-w C:\WINDOWS\swin32.dll
2007-04-14 17:20:39 26,624 ----a-w C:\WINDOWS\bokja.exe
2007-04-14 17:20:38 17,920 ----a-w C:\WINDOWS\mspphe.dll
2007-04-14 17:20:38 12,288 ----a-w C:\WINDOWS\bjam.dll
2007-04-14 17:20:37 9,728 ----a-w C:\WINDOWS\salm.exe
2007-04-14 17:20:37 29,696 ----a-w C:\WINDOWS\system32\WER8274.DLL
2007-04-14 17:20:37 28,416 ----a-w C:\WINDOWS\updatetc.exe
2007-04-14 17:20:37 15,872 ----a-w C:\WINDOWS\system32\MSIXU.DLL
2007-04-14 17:20:37 13,056 ----a-w C:\WINDOWS\180ax.exe
2007-04-14 17:20:36 19,712 ----a-w C:\WINDOWS\saiemod.dll
2007-04-14 17:20:27 12 ----a-w C:\WINDOWS\system32\gtv_sd.bin
2007-04-04 21:01:06 106,539 ------w C:\WINDOWS\qommjj.dll
2007-04-04 19:01:05 -------- d-----w C:\Program Files\AIM6
2007-04-04 19:00:22 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-03 22:14:35 -------- d-----w C:\Program Files\Share_Accelerator_MM
2007-04-02 05:27:39 93 ----a-w C:\WINDOWS\system32\uiqzmtaim.dll
2007-04-02 02:00:24 -------- d-----w C:\Program Files\America Online 8.0a
2007-04-02 01:42:14 -------- d-----w C:\Program Files\AOD
2007-03-17 00:00:52 27,177 ----a-w C:\WINDOWS\system32\ddaby.exe
2007-03-16 05:16:15 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4596013b-6c31-408b-a266-deae5c086dc2}=C:\Program Files\Share_Accelerator_MM\tbShar.dll [2007-02-01 15:14]
{EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89}=C:\WINDOWS\system32\msnhlp32.dll []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 02:19]
"nwiz"="nwiz.exe" [2003-05-03 02:19 C:\WINDOWS\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" []
"@"="" []
"RegistryMonitor"="C:\WINDOWS\1903cra.exe" []
"{ZN}"="C:\WINDOWS\system32\micro1\z6.exe" [2007-02-22 00:44]
"Svcs: Dnscache"="C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-08 22:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"RecordNow!"="" []
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" []
"PlaxoUpdate"="C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe" [2006-04-12 12:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))



No infected Qoologic files found. Reg entries were fixed


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard131.dat
C:\WINDOWS\keyboard141.dat
C:\WINDOWS\keyboard151.dat
C:\WINDOWS\keyboard161.dat
C:\WINDOWS\keyboard171.dat
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\RunOnce3.tm_
C:\WINDOWS\system32\RunOnce3.t__
C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat
C:\DOCUME~1\Owner\APPLIC~1\Dxcuknwrd.dll
C:\WINDOWS\703764609.exe
C:\WINDOWS\704966125.exe
C:\WINDOWS\706167031.exe
C:\WINDOWS\707367906.exe
C:\WINDOWS\708568765.exe
C:\WINDOWS\709769656.exe
C:\WINDOWS\710970750.exe
C:\WINDOWS\712171593.exe
C:\WINDOWS\713372578.exe
C:\WINDOWS\714573578.exe
C:\WINDOWS\715774484.exe
C:\WINDOWS\716975390.exe
C:\WINDOWS\718176203.exe
C:\WINDOWS\719377921.exe
C:\WINDOWS\720578828.exe
C:\WINDOWS\721779718.exe
C:\WINDOWS\725423000.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\max1d164v.exe
C:\Program Files\Common Files\misc001\webhc1.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{34EC3~1\Bar888.dll
C:\Program Files\Common Files\{34EC3~1\UnInstall.exe
C:\WINDOWS\system32\bk.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\wapisvit.exe
C:\Documents and Settings\All Users\..\ie_updater.exe
C:\WINDOWS\system32\jsiuipc.dll
C:\Program Files\Common Files\misc001
C:\Program Files\ipwindows
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{34EC3~1
C:\Program Files\Common Files\{74EC3~1
C:\WINDOWS\system32\a3dxx.dll
C:\cp1041.nls
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\ECURIT~1
C:\qoobox\purity\C\Program Files\Common Files\SCURIT~1
C:\qoobox\purity\C\WINDOWS\system32\PPPATC~1
C:\qoobox\purity\C\WINDOWS\system32\STEM~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\ECURIT~1
C:\qoobox\purity\C\Program Files\Common Files\SCURIT~1
C:\qoobox\purity\C\WINDOWS\system32\PPPATC~1
C:\qoobox\purity\C\WINDOWS\system32\STEM~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DRIVERPP
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NEW_DRV
-------\LEGACY_NTLDR.SYS
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Client IP-IPX
-------\driverpp
-------\ntldr.sys


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-18 22:45:24 -------- d-----w C:\Program Files\Plaxo
2007-05-11 21:17:10 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-10 00:52:45 -------- d-----w C:\Program Files\Symantec
2007-05-09 03:26:32 -------- d-----w C:\Program Files\QuickTime
2007-05-09 03:26:32 -------- d-----w C:\Program Files\Multimedia Card Reader
2007-05-09 03:26:32 -------- d-----w C:\Program Files\iTunes
2007-05-09 03:26:31 -------- d-----w C:\Program Files\SymNetDrv
2007-05-09 02:00:20 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-05-08 22:10:55 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-08 21:19:49 12 ----a-w C:\WINDOWS\system32\sl.bin
2007-04-29 03:56:51 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-29 03:34:16 -------- d-----w C:\Program Files\Viewpoint
2007-04-28 01:19:32 -------- d-----w C:\Program Files\Common Files\mmfo
2007-04-27 17:57:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-27 01:17:53 401 ----a-w C:\WINDOWS\cebue.dll
2007-04-24 01:55:43 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-23 00:28:51 106,496 ----a-w C:\WINDOWS\Sloopy7.exe
2007-04-23 00:28:28 932 ----a-w C:\WINDOWS\system32\winpfz32.sys
2007-04-17 22:11:22 -------- d-----w C:\Program Files\AIM
2007-04-17 00:10:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Aim
2007-04-14 21:33:32 18,432 ----a-w C:\WINDOWS\sysrlb32.exe
2007-04-14 21:21:49 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-14 21:09:53 184,428 ----a-w C:\WINDOWS\system32\nwinrpdv.exe
2007-04-14 17:20:45 27,904 ----a-w C:\WINDOWS\vxddsk.exe
2007-04-14 17:20:44 29,952 ----a-w C:\WINDOWS\satmat.exe
2007-04-14 17:20:44 18,688 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-04-14 17:20:44 16,384 ----a-w C:\WINDOWS\wml.exe
2007-04-14 17:20:44 14,336 ----a-w C:\WINDOWS\system32\wml.exe
2007-04-14 17:20:43 29,696 ----a-w C:\WINDOWS\flt.dll
2007-04-14 17:20:43 11,008 ----a-w C:\WINDOWS\7search.dll
2007-04-14 17:20:42 29,184 ----a-w C:\WINDOWS\pbar.dll
2007-04-14 17:20:40 9,472 ----a-w C:\WINDOWS\stcloader.exe
2007-04-14 17:20:40 32,000 ----a-w C:\WINDOWS\voiceip.dll
2007-04-14 17:20:40 28,416 ----a-w C:\WINDOWS\cdsm32.dll
2007-04-14 17:20:40 17,408 ----a-w C:\WINDOWS\swin32.dll
2007-04-14 17:20:39 26,624 ----a-w C:\WINDOWS\bokja.exe
2007-04-14 17:20:38 17,920 ----a-w C:\WINDOWS\mspphe.dll
2007-04-14 17:20:38 12,288 ----a-w C:\WINDOWS\bjam.dll
2007-04-14 17:20:37 9,728 ----a-w C:\WINDOWS\salm.exe
2007-04-14 17:20:37 29,696 ----a-w C:\WINDOWS\system32\WER8274.DLL
2007-04-14 17:20:37 28,416 ----a-w C:\WINDOWS\updatetc.exe
2007-04-14 17:20:37 15,872 ----a-w C:\WINDOWS\system32\MSIXU.DLL
2007-04-14 17:20:37 13,056 ----a-w C:\WINDOWS\180ax.exe
2007-04-14 17:20:36 19,712 ----a-w C:\WINDOWS\saiemod.dll
2007-04-14 17:20:27 12 ----a-w C:\WINDOWS\system32\gtv_sd.bin
2007-04-04 21:01:06 106,539 ------w C:\WINDOWS\qommjj.dll
2007-04-04 19:01:05 -------- d-----w C:\Program Files\AIM6
2007-04-04 19:00:22 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-03 22:14:35 -------- d-----w C:\Program Files\Share_Accelerator_MM
2007-04-02 05:27:39 93 ----a-w C:\WINDOWS\system32\uiqzmtaim.dll
2007-04-02 02:00:24 -------- d-----w C:\Program Files\America Online 8.0a
2007-04-02 01:42:14 -------- d-----w C:\Program Files\AOD
2007-03-17 00:00:52 27,177 ----a-w C:\WINDOWS\system32\ddaby.exe
2007-03-16 05:16:15 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4596013b-6c31-408b-a266-deae5c086dc2}=C:\Program Files\Share_Accelerator_MM\tbShar.dll [2007-02-01 15:14]
{EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89}=C:\WINDOWS\system32\msnhlp32.dll []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 02:19]
"nwiz"="nwiz.exe" [2003-05-03 02:19 C:\WINDOWS\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" []
"@"="" []
"RegistryMonitor"="C:\WINDOWS\1903cra.exe" []
"{ZN}"="C:\WINDOWS\system32\micro1\z6.exe" [2007-02-22 00:44]
"Svcs: Dnscache"="C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-08 22:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"KernelFaultCheck"="%systemroot%\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"RecordNow!"="" []
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" []
"PlaxoUpdate"="C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe" [2006-04-12 12:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ywgho"="C:\\WINDOWS\\system32\\djuonx.exe reg_run"
"Notn"="\"C:\\PROGRA~1\\COMMON~1\\SCURIT~1\\chkntfs.exe\" -vt yazr"
"Xvzs"="C:\\Documents and Settings\\LocalService\\My Documents\\??pPatch\\n?tepad.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2edc66f4-fdd1-11db-aae1-00038a000015}]
Shell\AutoRun\command P:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{614c138e-36ad-11da-8e1e-806d6172696f}]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65415af9-36ad-11da-bda3-806d6172696f}]
Shell\AutoRun\command F:\Info.exe folder.htt 480 480


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070509-210632-783
O4 - HKLM\..\Run: [w14dc158.dll] RUNDLL32.EXE w14dc158.dll,I2 000887dc014dc158
backup-20070509-210632-887
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\ddaywv.dll",realset
backup-20070429-194040-479
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
backup-20070429-194040-546
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
backup-20070429-194040-595
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
backup-20070429-194040-450
O21 - SSODL: OIwtDKxQ - {74EC3748-DE46-9DE2-AE63-E910840C1E76} - C:\WINDOWS\system32\evy.dll (file missing)
backup-20070429-194040-998
O21 - SSODL: System - {A55B5791-CC5C-43AB-A8AD-BCDDC099CCE5} - dgflib.dll (file missing)
backup-20070429-194040-862
O21 - SSODL: prxsvc - {08171A17-C8B2-4D02-B72D-9B6AA7E3FD01} - prxsvc.dll (file missing)
backup-20070429-194025-876
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\k8080idue8080.dll (file missing)
backup-20070429-194025-957
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
backup-20070429-194025-762
O4 - HKLM\..\Run: [wf00993c.dll] RUNDLL32.EXE wf00993c.dll,I2 000887dc0f00993c
backup-20070429-194025-716
O4 - HKLM\..\Run: [ms067703196163] C:\WINDOWS\ms067703196163.exe
backup-20070429-194025-642
O2 - BHO: (no name) - {a5b224a7-07c8-4c37-b6a7-2a5bc148708a} - C:\WINDOWS\system32\kbddsp.dll (file missing)
backup-20070429-194025-609
O4 - HKLM\..\Run: [w0a6e46d.dll] RUNDLL32.EXE w0a6e46d.dll,I2 000887dc00a6e46d
backup-20070429-194025-506
O2 - BHO: (no name) - {B67A176A-9785-4545-8206-4CC273A75B15} - C:\WINDOWS\system32\awtqp.dll (file missing)
backup-20070429-194025-143
O4 - HKLM\..\Run: [w091d6d6.dll] RUNDLL32.EXE w091d6d6.dll,I2 000887dc0091d6d6
backup-20070429-194025-410
O4 - HKLM\..\Run: [wa2052c4.dll] RUNDLL32.EXE wa2052c4.dll,I2 000887dc0a2052c4
backup-20070429-194025-232
O18 - Filter: text/html - (no CLSID) - (no file)
backup-20070429-194025-271
O4 - HKLM\..\Run: [w001a5ef.dll] RUNDLL32.EXE w001a5ef.dll,I2 000887dc0001a5ef
backup-20070429-194025-278
O4 - HKLM\..\Run: [wa140588.dll] RUNDLL32.EXE wa140588.dll,I2 000887dc0a140588
backup-20070429-194025-286
O4 - HKLM\..\Run: [w11caa83.dll] RUNDLL32.EXE w11caa83.dll,I2 000887dc011caa83
backup-20070429-194025-320
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20070429-194025-488
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp9.tmp.dll
backup-20070429-194025-165
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20070427-152511-419
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
backup-20070427-152511-549
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
backup-20070427-152511-824
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20070427-152511-877
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
backup-20070427-152511-307
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
backup-20070427-152511-682
O2 - BHO: (no name) - {8CA76EAB-723E-4BDF-B53B-B8A3AD695725} - \
backup-20070427-152511-928
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20070427-152511-935
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
backup-20070427-152511-800
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20070427-152511-266
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20070427-152511-102
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20070427-152511-195
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20070427-152511-113
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20070427-152511-892
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
backup-20070427-152511-288
O2 - BHO: (no name) - {34FA57B5-3269-4F45-B236-553868BC6B60} - \

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-18 18:50:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-18 18:52:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-18 18:52


--- E O F ---


Current HJT.txt file

Logfile of HijackThis v1.99.1
Scan saved at 7:00:13 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Hijack\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cra.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\z6.exe SKY003
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\z6.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C17E994-D3FD-43AF-A3E8-BE5657E73095}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
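
The HijackThis log above is what the helpers in this thread read by eye; as an added example (not code from HijackThis, BleepingComputer or anyone in this thread), here is a small triage script over lines in that format. The heuristics are the editor's own and the sample lines are constructed from the entry shapes seen in this thread: `(file missing)` leftovers, an `explorer.exe` started from a Temp folder, an `svchost.exe` service outside System32, loose executables in the Windows root, and the O17 NameServer line.

```python
"""Triage a HijackThis log for the entries a forum helper checks first.

Added example for this thread; not HijackThis or BleepingComputer code.
The heuristics are the editor's own; the sample lines are constructed
from the log format shown above.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 format (entry shapes taken from the thread).
SAMPLE_HJT_LOG = r"""
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cra.exe
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C17E994-D3FD-43AF-A3E8-BE5657E73095}: NameServer = 192.168.1.1
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")
# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys))"?', re.IGNORECASE)

# Where Windows XP keeps system binaries whose names malware likes to borrow.
# In this thread explorer.exe runs from a Temp folder and svchost.exe from
# C:\WINDOWS; neither is the real location.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code such as "O4" or "O23"
    reason: str
    line: str


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def path_reasons(path):
    """Reasons a binary named by an autostart or service entry deserves a look."""
    reasons = []
    parts = [p.lower() for p in path.split("\\") if p]
    name, parent = parts[-1], ntpath.dirname(path).lower()
    if "temp" in parts or "tmp" in parts:
        reasons.append("launches from a Temp directory")
    if "docume~1" in parts or "documents and settings" in parts:
        reasons.append("launches from a user profile directory")
    if name in EXPECTED_DIR:
        if parent != EXPECTED_DIR[name]:
            reasons.append(f"{name} outside its normal directory")
    elif parent == r"c:\windows":
        # Legitimate software rarely drops loose executables into the Windows
        # root; most of the C:\WINDOWS\*.exe files in this thread were malware.
        reasons.append("executable placed directly in the Windows directory")
    return reasons


def triage(log_text):
    """Return one Finding per heuristic hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(file missing)" in body:
            findings.append(Finding(section, "references a file that no longer exists", line))
        if section in ("O4", "O20", "O21", "O23"):
            # O4 bodies look like "HKLM\..\Run: [Name] command"; keep the command part.
            command = body.split("] ", 1)[1] if section == "O4" and "] " in body else body
            path = first_path(command)
            for reason in (path_reasons(path) if path else []):
                findings.append(Finding(section, reason, line))
        elif section == "O17":
            # A private (RFC 1918) resolver such as a home router is expected;
            # a public resolver the owner never configured is worth questioning.
            m17 = re.search(r"NameServer = ([\d.,]+)", body)
            for ip in (m17.group(1).split(",") if m17 else []):
                try:
                    if ipaddress.ip_address(ip).is_global:
                        findings.append(Finding(section, f"DNS points at public resolver {ip}", line))
                except ValueError:
                    findings.append(Finding(section, f"unparseable NameServer value {ip!r}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Entries the script flags are candidates for a closer look, not verdicts; in this thread the `1903cra.exe` and Temp-folder `explorer.exe` entries were later moved by the helper, while `NvCplDaemon` and the AVG entries are left alone.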

#10 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium

Posted 18 May 2007 - 06:41 PM

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the next part:

C:\WINDOWS\system32\stfv.bin
C:\Program Files\Common Files\mmfo
C:\WINDOWS\cebue.dll
C:\WINDOWS\Sloopy7.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\system32\nwinrpdv.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\updatetc.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\180ax.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\qommjj.dll
C:\WINDOWS\system32\uiqzmtaim.dll
C:\WINDOWS\system32\ddaby.exe
C:\WINDOWS\1903cra.exe
C:\WINDOWS\system32\micro1\z6.exe


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new HijackThis log.

Edited by jurgenv, 18 May 2007 - 06:42 PM.

Greets Jürgenv


#11 Bamad

  • Topic Starter
  • Members
  • 11 posts

Posted 18 May 2007 - 07:22 PM

Hi jurgenv,

Ran OTMoveIt and pasted the files as requested. One thing: it's asking me to reboot to finish moving the files. Should I? The logs follow.

C:\WINDOWS\system32\stfv.bin moved successfully.
Folder move failed. C:\Program Files\Common Files\mmfo\mmfoh scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\mmfo\mmfod\vocabulary scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\mmfo\mmfod\class-barrel scheduled to be moved on reboot.
C:\Program Files\Common Files\mmfo\mmfod moved successfully.
C:\Program Files\Common Files\mmfo moved successfully.
LoadLibrary failed for C:\WINDOWS\cebue.dll
C:\WINDOWS\cebue.dll NOT unregistered.
C:\WINDOWS\cebue.dll moved successfully.
C:\WINDOWS\Sloopy7.exe moved successfully.
C:\WINDOWS\system32\winpfz32.sys moved successfully.
C:\WINDOWS\sysrlb32.exe moved successfully.
C:\WINDOWS\system32\nwinrpdv.exe moved successfully.
C:\WINDOWS\vxddsk.exe moved successfully.
C:\WINDOWS\satmat.exe moved successfully.
C:\WINDOWS\system32\vxddsk.exe moved successfully.
C:\WINDOWS\wml.exe moved successfully.
C:\WINDOWS\system32\wml.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\flt.dll
C:\WINDOWS\flt.dll NOT unregistered.
C:\WINDOWS\flt.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\7search.dll
C:\WINDOWS\7search.dll NOT unregistered.
C:\WINDOWS\7search.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\pbar.dll
C:\WINDOWS\pbar.dll NOT unregistered.
C:\WINDOWS\pbar.dll moved successfully.
C:\WINDOWS\stcloader.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\voiceip.dll
C:\WINDOWS\voiceip.dll NOT unregistered.
C:\WINDOWS\voiceip.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cdsm32.dll NOT unregistered.
C:\WINDOWS\cdsm32.dll moved successfully.
C:\WINDOWS\bokja.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\swin32.dll
C:\WINDOWS\swin32.dll NOT unregistered.
C:\WINDOWS\swin32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mspphe.dll
C:\WINDOWS\mspphe.dll NOT unregistered.
C:\WINDOWS\mspphe.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\bjam.dll
C:\WINDOWS\bjam.dll NOT unregistered.
C:\WINDOWS\bjam.dll moved successfully.
C:\WINDOWS\salm.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\WER8274.DLL NOT unregistered.
C:\WINDOWS\system32\WER8274.DLL moved successfully.
C:\WINDOWS\updatetc.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\MSIXU.DLL NOT unregistered.
C:\WINDOWS\system32\MSIXU.DLL moved successfully.
C:\WINDOWS\180ax.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\saiemod.dll
C:\WINDOWS\saiemod.dll NOT unregistered.
C:\WINDOWS\saiemod.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\qommjj.dll
C:\WINDOWS\qommjj.dll NOT unregistered.
C:\WINDOWS\qommjj.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\uiqzmtaim.dll
C:\WINDOWS\system32\uiqzmtaim.dll NOT unregistered.
C:\WINDOWS\system32\uiqzmtaim.dll moved successfully.
C:\WINDOWS\system32\ddaby.exe moved successfully.
File/Folder C:\WINDOWS\1903cra.exe not found.
C:\WINDOWS\system32\micro1\z6.exe moved successfully.

Created on 05/18/2007 20:11:59

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:16:14 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Owner\Desktop\OTMoveIt.exe
C:\Hijack\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cra.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\z6.exe SKY003
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\z6.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C17E994-D3FD-43AF-A3E8-BE5657E73095}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

#12 jurgenv

  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium

Posted 19 May 2007 - 06:38 AM

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (13.16 MB).
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
* Please open HijackThis and put a check next to the following:

O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\z6.exe SKY003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\z6.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Greets Jürgenv


#13 Bamad

  • Topic Starter
  • Members
  • 11 posts

Posted 19 May 2007 - 06:45 AM

Thanks jurgenv,

I'll get back to this later today. Work on a Saturday. Sheesh!!! :thumbsup:

#14 Bamad

  • Topic Starter
  • Members
  • 11 posts

Posted 19 May 2007 - 08:58 PM

Hi jurgenv,

I updated Java, deleted the entries with HijackThis, and ran SDFix. The logs follow. The computer seems to run much better.

SDFix: Version 1.84

Run by Owner - Sat 05/19/2007 - 21:41:50.68

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft IEUpdater22
msgegh
NetDDEdsma

ImagePath:
C:\Documents and Settings\ie_updater.exe /start
\??\C:\WINDOWS\system32\drivers\msgegh.sys
"C:\WINDOWS\svchost.exe"

Microsoft IEUpdater22 - Deleted
msgegh - Deleted
NetDDEdsma - Deleted


ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\CP1467.NLS - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\bin\\tgcmd.exe:*:Enabled:Support.com Scheduler and Command Dispatcher"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1141498013\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1141498013\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1141498013\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1141498013\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1141603900\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1141603900\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1141603900\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1141603900\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"šå"="šå:*:Enabled:Windows Update"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"
"C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\133.tmp.exe"="C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\133.tmp.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\131.tmp.exe"="C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\131.tmp.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\system32\\qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe:*:Enabled:qwertybot"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\aolshare\shell\shellext_AOLBROADBAND.dll
C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\America Online 8.0a\aolphx.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\America Online 8.0a\RBM.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\Program Files\America Online 8.0a\COMIT\cswitch.exe
C:\Documents and Settings\Owner\My Documents\MACD\MACD\04 Conf\4.30.04.eval\~WRL0077.tmp
C:\Documents and Settings\Owner\My Documents\MACD\MACD\bm agendas\~WRL0005.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4dcc6651b343a420041d7f8486c9f48e\BIT3.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished


Logfile of HijackThis v1.99.1
Scan saved at 9:50:31 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Hijack\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cra.exe
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.10\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C17E994-D3FD-43AF-A3E8-BE5657E73095}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
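The entries jurgenv picked out in post #12 and the firewall exception list in the SDFix report above share a few tells: a service or Run entry pointing at a file that is gone, svchost.exe or explorer.exe living outside their normal folder, loaders started from Temp or a user profile, and firewall holes whose key is not a path at all. The script below is an added example, not part of this thread nor of HijackThis or SDFix: it encodes those tells as review heuristics and runs them over lines copied from the logs in this thread; the expected-location table and the allowlist of system32 subfolders are my assumptions about a stock Windows XP install.

```python
"""Triage of the HijackThis and SDFix output posted in this thread: an added example,
not part of the thread or of either tool. It turns the judgement the helper used when
picking lines to fix into heuristics that flag entries for review (not verdicts): a known
binary name in the wrong directory, loaders started from Temp or a user profile,
registrations whose file is gone, and firewall exceptions that are not paths at all."""
import re

# HijackThis line shapes: O23 is "display (short) - owner - image"; O4 is "[value] command".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+)$")
O4_RE = re.compile(r"^O4 - (?:HK\w+\\\.\.\\Run: \[[^\]]*\]|(?:Global )?Startup: .+? =) (?P<cmd>.+)$")
# SDFix exports the firewall list as .reg lines: "path"="path:scope:state:label".
FW_RE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')

# Assumed Windows XP layout: where these binaries belong, and system32's own subfolders.
SYSTEM32 = "c:\\windows\\system32"
EXPECTED_DIR = {"svchost.exe": SYSTEM32, "explorer.exe": "c:\\windows"}
SYSTEM32_SUBDIRS = {"wbem", "spool", "drivers", "restore", "dllcache"}
LOCATION_FLAGS = ((("\\temp\\", "\\locals~1\\", "\\local settings\\"), "runs from a temporary directory"),
                  (("c:\\documents and settings\\", "c:\\docume~1\\"), "lives under a user profile"))

def first_path(cmd):
    """Executable path from a Run command line, quoted or followed by switches."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.+?\.(?:exe|dll|sys|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def path_findings(path):
    """Location heuristics shared by startup entries, services and firewall rules."""
    low = path.lower()
    parent, _, base = low.rpartition("\\")
    out = []
    if base in EXPECTED_DIR and parent != EXPECTED_DIR[base]:
        out.append(f"{base} outside {EXPECTED_DIR[base]}")
    for markers, reason in LOCATION_FLAGS:
        if any(mk in low for mk in markers):
            out.append(reason)
    if parent.startswith(SYSTEM32 + "\\") and parent.split("\\")[3] not in SYSTEM32_SUBDIRS:
        out.append("starts from an unusual subfolder of system32")
    return out

def triage_hijackthis(log_text):
    """(line, reasons) for HijackThis O2/O4/O23 lines that deserve a second look."""
    flagged = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = []
        if line.startswith(("O2 ", "O23 ")) and line.endswith("(file missing)"):
            reasons.append("registration points at a file that no longer exists")
        svc, run = O23_RE.match(line), O4_RE.match(line)
        if svc:
            reasons += path_findings(svc.group("image").replace(" (file missing)", ""))
            if svc.group("owner") == "Unknown owner" and reasons:
                reasons.append("no vendor recorded for the service")  # omniserv stays quiet
        elif run:
            reasons += path_findings(first_path(run.group("cmd")))
        if reasons:
            flagged.append((line, reasons))
    return flagged

def triage_firewall_exceptions(reg_export):
    """(path, label, reasons) for enabled AuthorizedApplications entries to review."""
    entries = []
    for line in reg_export.splitlines():
        m = FW_RE.match(line.strip())
        parts = m.group("value").rsplit(":", 3) if m else []
        if len(parts) != 4:
            continue
        path, _scope, state, label = parts
        path = path.replace("\\\\", "\\")  # .reg files double every backslash
        reasons = [] if re.match(r"^(?:[A-Za-z]:\\|%\w+%\\)", path) else ["key is not a file path"]
        reasons += path_findings(path)
        entries.append((path, label, state, reasons))
    # A label reused by a flagged entry taints its siblings (qwertybot in Temp and in system32).
    tainted = {label for _, label, _, reasons in entries if reasons}
    for _, label, _, reasons in entries:
        if label in tainted and not reasons:
            reasons.append("shares its label with a flagged exception")
    return [(p, l, r) for p, l, s, r in entries if r and s.lower() == "enabled"]

# Lines copied from the logs posted in this thread (HijackThis 1.99.1, SDFix 1.84).
SAMPLE_HJT = r"""
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll (file missing)
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\z6.exe SKY003
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\John\LOCALS~1\Temp\22683\explorer.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\z6.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""
SAMPLE_FW = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"šå"="šå:*:Enabled:Windows Update"
"C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\133.tmp.exe"="C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\133.tmp.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\system32\\qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe:*:Enabled:qwertybot"
"""
```

On the samples, triage_hijackthis flags the same two orphaned services and both z6.exe entries the helper picked in post #12 and leaves omniserv alone; it also flags the Temp-resident explorer.exe Run entry that is still present in the last log above, which a practitioner would want to look at next. triage_firewall_exceptions flags the "šå" key labelled "Windows Update", the qwertybot entry in Temp and, by shared label, its copy in system32.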

#15 jurgenv

  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium

Posted 20 May 2007 - 06:41 AM

* Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* After that, tell me how everything is working.
Greets Jürgenv
