
Pop-ups


9 replies to this topic

#1 Zanadoo

  • Members
  • 9 posts

Posted 30 May 2007 - 06:17 PM

Whenever I open up Internet Explorer a few popups show up, I've tried several things to get rid of them so now I consent to getting help from others. Here is my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:10:21 PM, on 5/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\WCEFLMS.exe
C:\WINDOWS\retadpu1000106.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\prefs.js)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BC4FE1B-34A6-3429-F04E-19E34CE1FD9A} - C:\WINDOWS\System32\iuybza.dll (file missing)
O2 - BHO: (no name) - {1F760513-E0BF-4A86-91DA-B3C4A6F78809} - C:\WINDOWS\System32\rhcuocdh.dll (file missing)
O2 - BHO: (no name) - {3539ce6d-3917-4273-858b-540c1ce72a70} - C:\WINDOWS\system32\dsppcn.dll
O2 - BHO: (no name) - {38193F28-7F00-4D69-B160-F51178181044} - C:\WINDOWS\System32\awvvv.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O2 - BHO: (no name) - {B0C75CF9-6AE8-44A8-AC30-F899C09E1076} - C:\WINDOWS\System32\rhcuocdh.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08487 - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7e946963dc2e] C:\WINDOWS\System32\aaaamon6.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
O4 - HKLM\..\Run: [ixfyhjne] C:\WINDOWS\System32\mtlxknzq.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E70CE7C0726B954E2C2832213329D26033AAC
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\System32\FNTS~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/pre.chm::/xpreload.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/chuzz...aploader_v6.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: dsppcn - C:\WINDOWS\SYSTEM32\dsppcn.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2F0ZXdheV9Vc2Vy\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 31 May 2007 - 08:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Zanadoo :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

***************************

Click on Start/Run, type CMD then press OK.
At the Command Prompt copy and paste the following commands pressing Enter after each one.

SC STOP cmdService

SC DELETE cmdService


Then type EXIT then press Enter.

Restart your pc.

***************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

***************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
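An added triage helper, not part of the thread or of HijackThis itself, that parses log lines of the shape posted in this thread and flags the kinds of entries the fix in this reply targets: BHOs and services whose file is missing, truncated CLSIDs, a present AppInit_DLLs value, a service with no publisher, and autoruns whose paths mimic Windows binaries or folders (lsasss.exe, ?ystem). The sample lines are constructed from the log above; the heuristics are illustrative, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread or of HijackThis: it flags the kinds of
entries the fix in this reply targets, so the heuristics are illustrative.
"""
import re

# Constructed sample: lines copied in shape from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BC4FE1B-34A6-3429-F04E-19E34CE1FD9A} - C:\WINDOWS\System32\iuybza.dll (file missing)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2F0ZXdheV9Vc2Vy\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# A well-formed COM CLSID; the log above contains several truncated ones.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path on the line that ends in an executable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|com|scr)\b", re.IGNORECASE)
# '?', '*', '<', '>', '|' and '"' cannot occur in a real Windows filename, and
# HijackThis renders characters it cannot display as '?', so any hit is suspect.
ODD_CHAR_RE = re.compile(r'[^\x20-\x7e]|[?*<>|"]')

# Core Windows binaries whose names are commonly imitated with one-letter changes.
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "explorer.exe", "taskmgr.exe", "spoolsv.exe", "rundll32.exe")
SYSTEM_FOLDERS = ("windows", "system32", "system")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Return reasons a file path looks like it is impersonating Windows."""
    reasons = []
    if ODD_CHAR_RE.search(path):
        reasons.append("path contains characters not valid in a Windows filename")
    parts = path.split("\\")
    name = parts[-1].lower()
    for known in SYSTEM_BINARIES:
        if name != known and edit_distance(name, known) == 1:
            reasons.append(f"filename {name!r} is one edit away from system binary {known!r}")
    for folder in parts[1:-1]:
        for known in SYSTEM_FOLDERS:
            if folder.lower() != known and edit_distance(folder.lower(), known) == 1:
                reasons.append(f"folder {folder!r} mimics {known!r}")
    return reasons


def triage_line(line):
    """Return the list of reasons a single HijackThis line deserves review."""
    reasons = []
    section = line.split(" - ", 1)[0]
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("registered component has no file on disk")
    if section == "O2" and "{" in line and not CLSID_RE.search(line):
        reasons.append("malformed CLSID: truncated GUID")
    if line.startswith("O20 - AppInit_DLLs:"):
        reasons.append("AppInit_DLLs value is set; a blank display does not mean it is empty")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service binary carries no publisher information")
    m = PATH_RE.search(line)
    if m:
        reasons.extend(check_path(m.group(0)))
    return reasons


def triage_log(text):
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Entries that pass every check (Adobe, Symantec, Lexmark, Intel lines in the sample) are omitted from the output, so what remains is the review list a helper would work through.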

#3 Zanadoo
  • Topic Starter

  • Members
  • 9 posts

Posted 31 May 2007 - 01:57 PM

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:38:22 PM 5/31/2007

Listing files found while scanning....

C:\WINDOWS\effiii.ini
C:\WINDOWS\iiiffe.dll
C:\WINDOWS\System32\awvvv.dll
C:\WINDOWS\System32\lhfprhvn.dll
C:\WINDOWS\System32\tmpBE.tmp.dll
C:\WINDOWS\system32\urqnmli.dll
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\effiii.ini
C:\WINDOWS\effiii.ini Has been deleted!

Attempting to delete C:\WINDOWS\iiiffe.dll
C:\WINDOWS\iiiffe.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\awvvv.dll
C:\WINDOWS\System32\awvvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\lhfprhvn.dll
C:\WINDOWS\System32\lhfprhvn.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tmpBE.tmp.dll
C:\WINDOWS\System32\tmpBE.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqnmli.dll
C:\WINDOWS\system32\urqnmli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 2:37:24 PM 6/1/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...






"Owner" - 2007-06-01 14:43:49 Service Pack 1
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dsppcn.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
"C:\WINDOWS\uninstall_nmon.vbs"
"C:\WINDOWS\system32\tmp1.tmp.dll"
"C:\WINDOWS\system32\tmp1D.tmp.dll"
"C:\WINDOWS\system32\tmpC.tmp.dll"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\system32\smpi1\lib06.exe"
"C:\Temp\17O7\tmpTF.log"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt"
"C:\Program Files\install.log"
"C:\Program Files\outerinfo"
"C:\WINDOWS\system32\smpi1"
"C:\Temp\17O7"
"C:\Temp\tn3"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon"
"C:\WINDOWS\system32\drivers\core.sys"

-- Purity Folders:

C:\WINDOWS\system32\FNTS~1
C:\WINDOWS\YSTEM~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 ))))))))))))))))))))))))))))))))))


2007-06-01 14:45 <DIR> d-------- C:\Temp\tn3
2007-06-01 03:12 <DIR> d-------- C:\WINDOWS\pss
2007-05-31 19:07 <DIR> d-------- C:\hijackthis
2007-05-31 16:38 <DIR> d-------- C:\VundoFix Backups
2007-05-31 15:48 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-31 15:48 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-31 15:48 3,882 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-31 15:48 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-31 14:58 <DIR> d-------- C:\Program Files\Alwil Software
2007-05-31 14:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 14:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-31 14:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-31 14:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-20 16:54 <DIR> d--hs---- C:\WINDOWS\R2F0ZXdheV9Vc2Vy
2007-05-20 16:45 106,540 --a------ C:\WINDOWS\opqopo.dll
2007-05-15 21:42 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SystemDoctor Free
2007-05-15 21:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free
2007-05-14 21:15 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DriveCleaner Free
2007-05-14 21:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-05-14 21:05 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-05-14 21:02 2 --a------ C:\WINDOWS\system32\wtsisvsu.exe
2007-05-14 20:58 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-14 20:58 <DIR> d-------- C:\Temp
2007-05-13 20:20 <DIR> d-------- C:\Program Files\MySpace
2007-05-13 20:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace
2007-05-12 20:40 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\YourScreen
2007-05-12 20:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\SpamBlockerUtility_Icons
2007-05-12 20:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\SpamBlockerUtility
2007-05-12 20:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\COMCASTTOOLBAR
2007-05-12 19:46 <DIR> d-------- C:\WINDOWS\system32\bak
2007-05-12 19:46 <DIR> d-------- C:\WINDOWS\bak
2007-05-12 10:24 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-12 10:22 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-12 10:22 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-12 10:22 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-12 10:22 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2007-05-12 10:22 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-12 10:22 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-12 10:22 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-12 10:19 69,632 --a------ C:\WINDOWS\system32\camocx71.exe
2007-05-12 10:19 24,576 --a------ C:\WINDOWS\system32\comaddin.exe
2007-05-12 10:19 148,659 -r------- C:\Program Files\Common Files\alrsvc49.exe
2007-05-12 10:17 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-05-12 10:17 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-05-12 10:16 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ComcastToolbar
2007-05-12 10:12 <DIR> d-------- C:\Program Files\support.com
2007-05-12 10:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-05-11 22:12 <DIR> d-------- C:\Program Files\Freeze.com
2007-05-11 22:06 495,616 --a------ C:\WINDOWS\system32\WINUTIL5.DLL
2007-05-11 22:06 393,216 --a------ C:\WINDOWS\system32\WINLCTL5.DLL
2007-05-11 22:05 <DIR> d-------- C:\Program Files\YourScreen
2007-05-11 22:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-10 04:27 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2007-05-07 21:26 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-07 04:18 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-05-07 04:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SpamBlockerUtility_Icons
2007-05-07 04:17 <DIR> d-------- C:\Program Files\SpamBlockerUtility
2007-05-07 04:17 <DIR> d-------- C:\Program Files\Hotbar
2007-05-07 04:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SpamBlockerUtility
2007-05-07 04:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SpamBlocker


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 21:06:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 19:22:48 -------- d-----w C:\Program Files\Winamp3
2007-05-31 19:22:00 -------- d-----w C:\Program Files\QuickTime
2007-05-31 19:21:26 -------- d-----w C:\Program Files\PhoneTools
2007-05-31 19:15:29 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-12 23:46:13 -------- d-----w C:\Program Files\Messenger
2007-05-12 14:22:33 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-08 00:40:45 -------- d-----w C:\Program Files\Grokster
2007-04-28 02:14:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-28 01:55:22 -------- d-----w C:\Program Files\Common Files\ArcSoft
2007-04-28 01:54:51 -------- d-----w C:\Program Files\SanDisk
2007-03-16 11:51:28 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-16 11:51:28 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\R2F0ZXdheV9Vc2Vy\lZIXtrx1yp6pwZpV.vbs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}=C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL []
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
{1BC4FE1B-34A6-3429-F04E-19E34CE1FD9A}=C:\WINDOWS\System32\iuybza.dll []
{1F760513-E0BF-4A86-91DA-B3C4A6F78809}=C:\WINDOWS\System32\rhcuocdh.dll []
{38193F28-7F00-4D69-B160-F51178181044}=C:\WINDOWS\System32\awvvv.dll []
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL [2006-11-07 15:21]
{74CC49F7-EB32-4A08-B204-948962A6E3DB}=C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll [2006-11-09 10:07]
{B0C75CF9-6AE8-44A8-AC30-F899C09E1076}=C:\WINDOWS\System32\rhcuocdh.dll []
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-08-26 23:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" []
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" []
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" []
"WCEFLMS"="WCEFLMS.exe" [2001-09-27 14:45 C:\WINDOWS\system32\WCEFLMS.EXE]
"ToPicks Starter"="C:\Program Files\ToPicks\Bin\Idhost.exe" []
"RVP"="C:\Program Files\RVP\bpc.exe" []
"CapFax"="C:\Program Files\PhoneTools\CapFax.EXE" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"SpamBlocker"="C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe" []
"Spam Blocker for Outlook Express"="C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" []
"Mozilla Quick Launch"="C:\Program Files\Netscape\Netscape\Netscp.exe" []
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"AROReminder"="" []
"RegPowerClean"="C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 01:06]
"Ltho"="C:\WINDOWS\System32\FNTS~1\winspool.exe" []
"Pukhs"="C:\WINDOWS\?ystem\t?skmgr.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-19 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-05-12 02:07:21 C:\WINDOWS\tasks\rpc.job
2007-04-15 13:08:59 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-01 14:47:40
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-01 14:48:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-01 14:48

--- E O F ---







Logfile of HijackThis v1.99.1
Scan saved at 2:49:55 PM, on 6/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\WCEFLMS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\prefs.js)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BC4FE1B-34A6-3429-F04E-19E34CE1FD9A} - C:\WINDOWS\System32\iuybza.dll (file missing)
O2 - BHO: (no name) - {1F760513-E0BF-4A86-91DA-B3C4A6F78809} - C:\WINDOWS\System32\rhcuocdh.dll (file missing)
O2 - BHO: (no name) - {38193F28-7F00-4D69-B160-F51178181044} - C:\WINDOWS\System32\awvvv.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O2 - BHO: (no name) - {B0C75CF9-6AE8-44A8-AC30-F899C09E1076} - C:\WINDOWS\System32\rhcuocdh.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08487 - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\System32\FNTS~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/pre.chm::/xpreload.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/chuzz...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
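
The log above is what the helper works from in the next reply. As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage script that picks out the two impersonation tricks visible in it: O4 Run-key entries whose path contains '?' (HijackThis prints '?' for a character it cannot render, and '?' is illegal in a Windows file name, so `C:\WINDOWS\?ystem\t?skmgr.exe` is a non-ASCII look-alike of `system\taskmgr.exe`) or that borrow a Windows component's name in the wrong place (`FNTS~1\winspool.exe` against the real `System32\winspool.drv`), and O16 ActiveX entries fetched through the ms-its:mhtml: handler chain out of a remote .chm rather than a plain .cab download. The SYSTEM_COMPONENTS table, the CHM_SCHEMES set and the severity labels are my own choices; the sample lines are copied from the log.

```python
"""Triage the O4 (Run-key autostart) and O16 (downloaded ActiveX) entries of a
HijackThis log for the impersonation tricks visible in the log above.
Standard library only, so it can be run on any machine, not the infected one."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log posted above.
# The '?' characters are literal. HijackThis 1.99 printed '?' for any character
# it could not render, and '?' is not legal in a Windows file name, so a path
# containing it is a non-ASCII look-alike of a real system path.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\System32\FNTS~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/pre.chm::/xpreload.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
"""

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (?P<url>\S+)$")
# Isolate the executable from a command line: optional quotes, then the shortest
# prefix ending in a program extension that is followed by whitespace or the end,
# so "C:\Program Files\Support.com\bin\x.exe /flag" yields the .exe, not ".com".
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?:\s|$)', re.IGNORECASE)

# Windows XP components whose names malware borrows, with the extension and
# directory the real file ships in (lower-cased for comparison). My own list.
SYSTEM_COMPONENTS = {
    "taskmgr":  (".exe", r"c:\windows\system32"),
    "winspool": (".drv", r"c:\windows\system32"),
    "svchost":  (".exe", r"c:\windows\system32"),
    "lsass":    (".exe", r"c:\windows\system32"),
    "services": (".exe", r"c:\windows\system32"),
    "winlogon": (".exe", r"c:\windows\system32"),
    "explorer": (".exe", r"c:\windows"),
}
# URL schemes that route the download through the ITS/MHTML handlers, i.e. the
# control is pulled out of a remote compiled help (.chm) file, not a plain .cab.
CHM_SCHEMES = {"ms-its", "its", "mhtml", "mk"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "O4" or "O16"
    name: str      # Run-key value name, or the ActiveX CLSID
    target: str    # executable path, or download URL
    severity: str  # "high" or "low"
    reason: str


def _analyse_o4(name, cmd):
    m = EXE_RE.match(cmd)
    if not m:
        return [Finding("O4", name, cmd, "low", "could not isolate an executable path")]
    path = m["path"]
    directory, filename = ntpath.split(path)
    stem, ext = ntpath.splitext(filename)
    out = []
    if "?" in path:
        out.append(Finding("O4", name, path, "high",
                           "'?' in path: unprintable (non-ASCII) character, a look-alike of a system path"))
    if not directory:
        out.append(Finding("O4", name, path, "low",
                           "bare file name: resolved through the search path at logon, not an absolute path"))
    comp = SYSTEM_COMPONENTS.get(stem.lower())
    if comp:
        want_ext, want_dir = comp
        if ext.lower() != want_ext:
            out.append(Finding("O4", name, path, "high",
                               f"borrows the name {stem}{want_ext} with a different extension"))
        if directory.lower() != want_dir:
            out.append(Finding("O4", name, path, "high",
                               f"{filename} outside its expected directory {want_dir}"))
    return out


def _analyse_o16(clsid, url):
    scheme = url.split(":", 1)[0].lower()
    if scheme in CHM_SCHEMES or "::/" in url:   # "::/" is the CHM-internal path separator
        return [Finding("O16", clsid, url, "high",
                        "fetched through the ITS/MHTML handler chain out of a remote .chm, not a plain HTTP .cab")]
    return []


def triage(log_text):
    """Return the findings for every O4 and O16 line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            findings.extend(_analyse_o4(m["name"], m["cmd"]))
        elif m := O16_RE.match(line):
            findings.extend(_analyse_o16(m["clsid"], m["url"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.kind} {f.name}: {f.target}\n        {f.reason}")
```

Run against the sample, `Ltho` is flagged twice (wrong extension and wrong directory), `Pukhs` once for the '?' look-alike, the adxtend O16 entry once for the ms-its: chain, `WCEFLMS` only as a low-severity bare file name, and `ccApp` and the hcp://system control not at all. The heuristics are deliberately narrow and do not replace a helper's judgement: the hcp://system entries, for instance, are not flagged here although the reply below asks to have them fixed.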

#4 RichieUK
    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 31 May 2007 - 02:53 PM

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall all/any of the following if present, then restart your pc:
Winferno
SpamBlockerUtility
RVP
Hotbar
ToPicks


***********************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\opqopo.dll
C:\WINDOWS\system32\wtsisvsu.exe
C:\WINDOWS\system32\camocx71.exe
C:\WINDOWS\system32\comaddin.exe
C:\Program Files\Common Files\alrsvc49.exe
C:\WINDOWS\system32\WINUTIL5.DLL
C:\WINDOWS\system32\WINLCTL5.DLL
C:\WINDOWS\System32\WCEFLMS.exe

Folders to delete:
C:\WINDOWS\R2F0ZXdheV9Vc2Vy
C:\Program Files\Hotbar
C:\Program Files\ToPicks
C:\Program Files\SpamBlockerUtility
C:\Program Files\RVP
C:\DOCUME~1\Owner\APPLIC~1\SystemDoctor Free
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free
C:\DOCUME~1\Owner\APPLIC~1\DriveCleaner Free

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

***********************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: (no name) - {1BC4FE1B-34A6-3429-F04E-19E34CE1FD9A} - C:\WINDOWS\System32\iuybza.dll (file missing)
O2 - BHO: (no name) - {1F760513-E0BF-4A86-91DA-B3C4A6F78809} - C:\WINDOWS\System32\rhcuocdh.dll (file missing)
O2 - BHO: (no name) - {38193F28-7F00-4D69-B160-F51178181044} - C:\WINDOWS\System32\awvvv.dll (file missing)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O2 - BHO: (no name) - {B0C75CF9-6AE8-44A8-AC30-F899C09E1076} - C:\WINDOWS\System32\rhcuocdh.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08487 - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\System32\FNTS~1\winspool.exe" -vt yazb
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\nores.mht!http://adxtend.net/code/chm/pre.chm::/xpreload.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


Exit Hijackthis.

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

Edited by RichieUK, 31 May 2007 - 02:57 PM.


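As an added example, not part of RichieUK's instructions and not a feature of Avenger itself: a Python checker for the output.txt he asks to see. Avenger reports a failed deletion with an NTSTATUS code, and 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, meaning the object was already gone (in this thread, because ToPicks and RVP had just been uninstalled through Add/Remove Programs); that is not the same as an access-denied or sharing-violation failure, which means the file is still there and needs another pass. The checker also cross-checks the output against the script's own target list, so a target with no result line at all is noticed. The sample script and output are constructed in Avenger's format from the lines posted in this thread; the WINUTIL5.DLL access-denied block (using the "Deletion of file ... failed!" wording I assume Avenger prints for files) and the missing Hotbar line are invented to exercise the other verdicts.

```python
"""Check an Avenger output.txt against the script it was given: which targets
were deleted, which 'failed' lines are harmless because the object was already
gone, which need a second look, and which got no result line at all."""
import re
from collections import defaultdict

# Constructed sample script, using targets from the post above.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\opqopo.dll
C:\WINDOWS\System32\WCEFLMS.exe
C:\WINDOWS\system32\WINUTIL5.DLL

Folders to delete:
C:\WINDOWS\R2F0ZXdheV9Vc2Vy
C:\Program Files\ToPicks
C:\Program Files\Hotbar
"""

# Constructed sample output in the format Avenger writes. The ToPicks block is
# the real one from this thread; the WINUTIL5.DLL access-denied block and the
# absent Hotbar result line are invented to exercise the other two verdicts.
SAMPLE_OUTPUT = r"""
Logfile of The Avenger version 1, by Swandog46

Beginning to process script file:

File C:\WINDOWS\opqopo.dll deleted successfully.
File C:\WINDOWS\System32\WCEFLMS.exe deleted successfully.
Folder C:\WINDOWS\R2F0ZXdheV9Vc2Vy deleted successfully.


Folder C:\Program Files\ToPicks not found!
Deletion of folder C:\Program Files\ToPicks failed!

Could not process line:
C:\Program Files\ToPicks
Status: 0xc0000034

Deletion of file C:\WINDOWS\system32\WINUTIL5.DLL failed!

Could not process line:
C:\WINDOWS\system32\WINUTIL5.DLL
Status: 0xc0000022

Completed script processing.
"""

# NTSTATUS values Avenger reports (from ntstatus.h). "benign" means the object
# was already gone, e.g. removed by Add/Remove Programs before the script ran.
NTSTATUS = {
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND", "benign"),
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND", "benign"),
    0xC0000022: ("STATUS_ACCESS_DENIED", "failed"),
    0xC0000043: ("STATUS_SHARING_VIOLATION", "failed"),
    0xC0000121: ("STATUS_CANNOT_DELETE", "failed"),
}

SUCCESS_RE = re.compile(r"^(?:File|Folder) (?P<path>.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of (?:file|folder) (?P<path>.+) failed!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]{8})$")


def parse_script(text):
    """Targets listed under 'Files to delete:' / 'Folders to delete:' (and any
    other '... to delete:' section), lower-cased because NTFS paths compare
    case-insensitively."""
    targets, section = set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("to delete:"):
            section = line
        elif section:
            targets.add(line.lower())
    return targets


def parse_output(text):
    """Map each path mentioned in output.txt to (verdict, status_name)."""
    results, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SUCCESS_RE.match(line):
            results[m["path"].lower()] = ("deleted", None)
        elif m := FAILED_RE.match(line):
            pending = m["path"].lower()          # its status code follows a few lines later
        elif (m := STATUS_RE.match(line)) and pending:
            name, verdict = NTSTATUS.get(int(m["code"], 16), (m["code"], "unknown"))
            results[pending] = (verdict, name)
            pending = None
    return results


def verify(script_text, output_text):
    """Group every scripted target by verdict: deleted, benign, failed, unknown, unaccounted."""
    results = parse_output(output_text)
    report = defaultdict(list)
    for target in sorted(parse_script(script_text)):
        verdict, detail = results.get(target, ("unaccounted", None))
        report[verdict].append((target, detail))
    return dict(report)


if __name__ == "__main__":
    for verdict, items in verify(SAMPLE_SCRIPT, SAMPLE_OUTPUT).items():
        print(verdict)
        for target, detail in items:
            print(f"    {target}" + (f"  ({detail})" if detail else ""))
```

Only the "failed" and "unaccounted" groups need attention: a benign not-found result just means the earlier uninstall step already removed the folder, whereas access denied or a sharing violation means the file is still on disk and the next reply should ask for it again.
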
#5 Zanadoo
  • Topic Starter

  • Members
  • 9 posts

Posted 31 May 2007 - 04:41 PM

Everything seems to be running a whole lot smoother now; the only real issue I'm seeing now is the internet isn't working. It says the cord is plugged in and everything is connected, but nothing is showing up in either IE or Mozilla. This may be another issue not related to the spyware and/or malware on the PC. Thanks for all you've done thus far to help.


Avenger Log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\itmwlynh

*******************

Script file located at: \??\C:\Program Files\exsnkyig.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\opqopo.dll deleted successfully.
File C:\WINDOWS\system32\wtsisvsu.exe deleted successfully.
File C:\WINDOWS\system32\camocx71.exe deleted successfully.
File C:\WINDOWS\system32\comaddin.exe deleted successfully.
File C:\Program Files\Common Files\alrsvc49.exe deleted successfully.
File C:\WINDOWS\system32\WINUTIL5.DLL deleted successfully.
File C:\WINDOWS\system32\WINLCTL5.DLL deleted successfully.
File C:\WINDOWS\System32\WCEFLMS.exe deleted successfully.
Folder C:\WINDOWS\R2F0ZXdheV9Vc2Vy deleted successfully.
Folder C:\Program Files\Hotbar deleted successfully.


Folder C:\Program Files\ToPicks not found!
Deletion of folder C:\Program Files\ToPicks failed!

Could not process line:
C:\Program Files\ToPicks
Status: 0xc0000034

Folder C:\Program Files\SpamBlockerUtility deleted successfully.


Folder C:\Program Files\RVP not found!
Deletion of folder C:\Program Files\RVP failed!

Could not process line:
C:\Program Files\RVP
Status: 0xc0000034

Folder C:\DOCUME~1\Owner\APPLIC~1\SystemDoctor Free deleted successfully.
Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free deleted successfully.
Folder C:\DOCUME~1\Owner\APPLIC~1\DriveCleaner Free deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




AVG Anti Spyware report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:30:59 PM 6/1/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072022.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072183.dll/bi.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072183.dll/biprep.exe -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP706\A0066341.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP707\A0066373.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP707\A0066390.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP707\A0066429.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP707\A0066464.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP712\A0066729.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066770.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066789.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066904.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP717\A0066999.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP718\A0067062.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP719\A0067274.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP721\A0067550.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP722\A0067697.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP723\A0067817.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072023.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072032.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-2052111302-630328440-725345543-1003\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-2052111302-630328440-725345543-1003\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072120.dll -> Adware.ErrorSafe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072036.exe -> Adware.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066879.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066880.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066884.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP716\A0066885.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072179.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072880.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072881.exe -> Adware.Hotbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072882.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072884.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072885.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072886.dll -> Adware.Hotbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072887.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072889.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072904.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\HbInstIE.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/SpamBlockerUtility/bin/4.8.4.0/SbHostIE.dll -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2052111302-630328440-725345543-1003\Software\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2052111302-630328440-725345543-1003\Software\Hotbar\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2052111302-630328440-725345543-1003\Software\Hotbar\Hotbar\SF -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072108.exe -> Adware.IEDriver : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\Install\MiniBug.exe -> Adware.Minibug : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072186.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072199.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072043.exe -> Adware.SystemDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072062.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072064.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072195.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072195.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072195.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072899.exe -> Adware.UrlSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072900.exe -> Adware.UrlSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bak\aaaamon6.exe -> Adware.UrlSpy : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/camocx71.exe -> Adware.UrlSpy : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/comaddin.exe -> Adware.UrlSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072275.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\urqnmli.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072102.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072105.inf -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072196.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072182.dll -> Backdoor.Adbreak.d : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\tmp8.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\smpi1\lib06.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072720.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072788.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\dsppcn.dll.vir -> Downloader.ConHook.bf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072794.dll -> Downloader.ConHook.bf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072181.exe -> Downloader.PurityScan.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072174.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072177.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072178.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072184.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072185.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072188.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072189.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072191.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072026.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072792.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
:mozilla.258:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.265:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.277:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.289:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.292:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.293:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.294:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.314:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.326:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.327:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.328:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.335:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.382:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.383:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.384:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.423:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.424:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.425:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.441:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.442:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.443:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.444:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.445:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.446:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.479:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.480:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.481:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.642:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@dssatlascreditgroup.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@fungamescentral.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@paidmarketingpanel.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@pan.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@prizeamerica.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.124:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.207:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.506:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.635:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.437:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.438:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.439:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.440:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.426:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.615:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.616:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.494:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.587:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.588:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.589:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.590:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.591:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.592:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.593:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.594:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.595:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.596:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.597:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.598:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.599:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.600:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.601:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.602:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.340:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned.
:mozilla.541:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.547:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.548:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.549:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.550:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.645:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.646:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.647:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.364:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.365:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.366:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ie.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.632:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.633:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.634:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.508:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6eh7xl7i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Guest\Local Settings\Temp\tmp9.tmp.exe -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\tmp7.tmp.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\tmp7.tmp.exe -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1.tmp.dll.vir -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072274.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072785.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\tmpBE.tmp.dll.bad -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072784.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072903.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C03E2ED1-F775-4962-8615-1F6A8F91A740}\RP728\A0072908.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/R2F0ZXdheV9Vc2Vy/lZIXtrx1yp6pwZpV.vbs -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:35:07 PM, on 6/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\j7gpyd8f.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/chuzz...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 31 May 2007 - 05:05 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe


*****************************************

Click on Start/Run, type CMD then press Ok.
At the Command Prompt copy and paste the following text, then press Enter:
NETSH WINSOCK RESET
Then type EXIT, press Enter again, then restart your PC.

Let me know what's happening now.

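Added example for this thread (not code from the original post or from HijackThis): a small Python triage of the O4 autostart entries from the log above, showing why the two lines RichieUK asked the poster to fix stand out. The `?` in `C:\WINDOWS\?ystem\t?skmgr.exe` is a red flag on its own: `?` is not a legal character in a Windows file name, so HijackThis printed it in place of a character it could not display, typically a non-ASCII lookalike letter in a folder impersonating `system`. `WCEFLMS.exe` carries no directory at all and is resolved through the search path. The sample lines are copied from the posted log; the `[Updater]` line pointing into the Guest account's Temp folder is constructed for illustration and does not appear in the log.

```python
"""Triage the O4 (autostart) entries of a HijackThis 1.99.x log.

Added example for this thread; not code from the original post or from
HijackThis.  The sample lines are taken from the log posted above, except the
[Updater] line, which is constructed to show the Temp-directory check."""
import re
from dataclasses import dataclass, field

# O4 lines come in two shapes:
#   O4 - HKLM\..\Run: [name] command line
#   O4 - Global Startup: shortcut.lnk = command line
RUN_RE = re.compile(r"^O4 - (?P<where>.+?\\Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Program path of an unquoted command line: up to the first executable
# extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd|vbs))(?=\s|$)", re.IGNORECASE)

# Red flags.  '?' cannot occur in a Win32 file name, so a '?' in a logged path
# means HijackThis substituted it for a character it could not display,
# typically a non-ASCII lookalike letter in a folder impersonating 'system'.
LOOKALIKE = "'?' in path: undisplayable character, lookalike of a system path"
BARE = "bare filename: resolved through the search path, not a fixed location"
TEMP = "runs from a Temp directory"

# Constructed sample: five lines from the posted log plus one invented
# [Updater] entry that points into the Guest account's Temp folder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pukhs] C:\WINDOWS\?ystem\t?skmgr.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Guest\Local Settings\Temp\tmp9.tmp.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
"""


@dataclass
class Entry:
    where: str
    name: str
    cmd: str
    path: str
    flags: list = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Return the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def triage(log_text: str) -> list:
    """Parse every O4 line and attach the red flags that apply to it."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        path = executable_path(m["cmd"])
        e = Entry(m["where"], m["name"], m["cmd"].strip(), path)
        if "?" in path:
            e.flags.append(LOOKALIKE)
        if "\\" not in path:
            e.flags.append(BARE)
        if "\\temp\\" in path.lower():
            e.flags.append(TEMP)
        entries.append(e)
    return entries


def suspicious(log_text: str) -> list:
    """Only the entries worth a second look (the ones you would have fixed)."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"[{e.name}] {e.path}")
        for f in e.flags:
            print("   -", f)
```

Run against the sample, the script singles out exactly `[WCEFLMS]`, `[Pukhs]` and the constructed `[Updater]` line and leaves the Symantec, Messenger and Kodak entries alone. The bare-filename check is deliberately only a prompt to look the file up, since legitimate OEM entries such as `GWMDMMSG.exe` in the same log are written the same way.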
#7 Zanadoo

Zanadoo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 31 May 2007 - 06:42 PM

Nothing changed with the internet problem. When I type NETSH WINSOCK RESET in the command prompt it says this: "The following command was not found: WINSOCK RESET."

Edited by Zanadoo, 31 May 2007 - 07:42 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 31 May 2007 - 08:25 PM

If you have the MS Windows XP install disk:
Click Start > Run, type sfc /scannow then press Ok.
Leave a space in between sfc and /scannow.
Reboot when it's done.

If still no joy, try a Repair Install.
Configure your computer to start from the CD-ROM drive.
[Boot into the BIOS and set your CD-ROM drive as the first boot device.]
For more information about how to do this, refer to your computer's documentation or contact your computer manufacturer.
Then insert your Microsoft Windows XP Setup CD, and restart your computer.
When the 'Press any key to boot from CD' message is displayed on screen, press a key.
On the 'Welcome to Setup' screen, press ENTER to set up Windows XP now.
Do not choose the option to press R to use the Recovery Console.
In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
Follow the instructions on the screen to complete Setup.

Let me know how you get on.

#9 Zanadoo

Zanadoo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 31 May 2007 - 09:42 PM

Everything appears to be working perfectly now, thanks a bunch!

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 01 June 2007 - 02:57 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
fix.reg
VundoFix.exe
Combofix
Avenger

C:\VundoFix Backups
C:\Avenger
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

*********************

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

*********************

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.