Malware,spyware,missing Files



#1 akmarksman

Posted 11 June 2007 - 04:39 AM

I built a different computer and I can't install SP2, so I'm going to have to buy WXP with SP2 in the near future; however, until then I'm NOT going to use Internet Explorer.
At first I only had the SMITFRAUD-C infection. I think I might have cleared that up, and I thought I might have the blaster.32 worm, so I went to Symantec's site and downloaded fixblast and it checked my system: no sign of the blaster.32 worm.
When I first start my computer up, it takes a long time to load. I thought it was Pest Patrol bogging things down, so I uninstalled that. It seems to start up a little quicker, and I'm going to download Autoruns from BleepingComputer. I have Spybot S&D with the most current definitions, and I think I'm going to install Ad-Aware SE Professional.
I disabled my System Restore completely. After I get my computer clean I'll enable it.
I use a wireless PCI card and a Linksys router. I have Windows Firewall enabled.
I would like to save the iwon.com toolbar in IE because iwon.com hasn't yet made a version to use with Mozilla/Firefox. (Firefox is my default browser.)
Something changed my settings in IE so that ActiveX could run without prompting me, and proceeded to load a couple of websites for "free" spyware and blah blah blah. I know it's not "real" spyware removal; it's just crap.
I had to change out motherboards and some other stuff at the computer store, and the tech couldn't install SP2. He downloaded the offline network install; I've tried running it a couple of times, to no avail.
So in a couple of months I'm going to buy Windows XP Professional with SP2 or Windows XP Home Edition with SP2. I'm getting a SATA hard drive in the mail and I'm going to do a clean install of Windows on that hard drive. Anyway, enough of my drama; here's the HJT log.

Oh, and thanks very much in advance. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:20 AM, on 6/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINPRO\System32\smss.exe
C:\WINPRO\system32\winlogon.exe
C:\WINPRO\system32\services.exe
C:\WINPRO\system32\lsass.exe
C:\WINPRO\System32\svchost.exe
C:\WINPRO\system32\spoolsv.exe
C:\WINPRO\System32\svchost.exe
C:\WINPRO\System32\nvsvc32.exe
C:\WINPRO\System32\svchdd.exe
C:\WINPRO\system32\svchost.exe
C:\WINPRO\Explorer.exe
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINPRO\System32\RunDLL32.exe
C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINPRO\System32\comi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINPRO\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINPRO\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINPRO\System32\msjava.dll
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178581508132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181547529484
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B36F80BE-FEB6-4E50-A02B-F24603A21725}: NameServer = 85.255.116.43,85.255.112.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB3FE937-26B8-4195-A1CC-7CE071D9B56F}: NameServer = 85.255.116.43,85.255.112.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O20 - AppInit_DLLs: C:\WINPRO\System32\syst886.dll
O23 - Service: Application Layer Gateway Service ALGMessenger (ALGMessenger) - Unknown owner - C:\WINPRO\System32\ActiveScanb.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINPRO\System32\aspimgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog) - Unknown owner - \.exe (file missing)

#2 RichieUK, Malware Response Team

Posted 11 June 2007 - 05:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum akmarksman :thumbsup:

You've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

****************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

****************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

***************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
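As an added example (not part of this thread, and not HijackThis, Fixwareout or any BleepingComputer tool), the script below applies to a HijackThis log the kinds of checks a log helper makes by eye on the first post: O17 NameServer entries pointing at resolvers outside the LAN, a Shell= hook in the F2 line, O4 Run entries launching from TEMP or the drivers folder, an O20 AppInit_DLLs entry, and O23 services with an unknown owner or a missing binary. The sample log lines are constructed from the entry types in the first post, and the heuristics are mine rather than rules stated by the helper.

```python
#!/usr/bin/env python3
"""Triage a HijackThis v1.99.1 log for the entry types seen in this thread.

Added example for this thread; it is not HijackThis, Fixwareout or any
BleepingComputer tool. The checks are the author's own heuristics,
modelled on what a log helper looks for by eye.
"""
import ipaddress
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample log: a handful of entries of the kinds that appear in
# the first post, plus one clean O17 line pointing at a LAN router.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINPRO\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{B36F80BE-FEB6-4E50-A02B-F24603A21725}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\WINPRO\System32\syst886.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINPRO\System32\aspimgr.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as R0, F2, O4, O17.
HJT_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _is_lan_dns(addr: str) -> bool:
    """True for a resolver on a private or loopback address (a home router, for instance)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def check_entry(section: str, body: str) -> Optional[str]:
    """Return a reason string when an entry deserves a closer look, else None."""
    if section == "F2" and "Shell=" in body:
        # system.ini Shell= should be exactly Explorer.exe; anything appended
        # is launched by Winlogon at every logon.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "system.ini Shell hook: " + shell
    if section == "O17":
        m = re.search(r"NameServer = (.*)$", body)
        if m:
            servers = [s for s in re.split(r"[ ,]+", m.group(1).strip()) if s]
            foreign = [s for s in servers if not _is_lan_dns(s)]
            if foreign:
                # Resolvers outside the LAN written into the TCP/IP keys is the DNS-changer pattern
                return "DNS resolvers replaced with " + ", ".join(foreign)
    if section == "O4":
        m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
        if m:
            cmd = m.group("cmd").lower()
            # Heuristic: startup programs do not normally live in TEMP or in the drivers folder
            if "\\temp\\" in cmd or "\\drivers\\" in cmd:
                return "Run entry launches from an unusual location: " + m.group("cmd")
    if section == "O20" and "AppInit_DLLs:" in body:
        dll = body.split("AppInit_DLLs:", 1)[1].strip()
        if dll:
            return "AppInit_DLLs is loaded into every process that loads user32.dll: " + dll
    if section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service with unknown owner or missing binary: " + body
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """Run check_entry over a whole log and return (section, reason) findings in log order."""
    findings = []
    for sec, body in parse_entries(text):
        reason = check_entry(sec, body)
        if reason:
            findings.append((sec, reason))
    return findings


if __name__ == "__main__":
    # Pass a saved hijackthis.log path to triage it; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sec, reason in triage(text):
        print(f"{sec:<4} {reason}")
```

Entries the script does not flag (the Adobe or Spybot BHOs, the NVIDIA service) still need a human or a signature database to confirm; the script only shortens the list a helper has to read.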

#3 akmarksman

Posted 11 June 2007 - 03:54 PM

Fixwareout log.


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cspcd.exe"



Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6D3C72BF0991-4D4A-5C24-37FD-91046344{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "gtmmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}64F0059A3B04-A1CB-7C74-7E3E-CB3F9FBF{" Deleted
C:\WINPRO\System32\kzmjw.exe Deleted
....
Misc files.
C:\WINPRO\System32\kernel32.exe Deleted
....
Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

Other

Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINPRO\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\j2re1.4.2_14\\bin\\jusched.exe\""
"avp"="C:\\WINPRO\\TEMP\\17.tmp"
"smgr"="smgr.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"iut75"="c:\\winpro\\system32\\drivers\\uzcx.exe"
"startdrv"="C:\\WINPRO\\Temp\\startdrv.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
End report

#4 RichieUK, Malware Response Team

Posted 12 June 2007 - 02:08 AM

Follow the rest of the instructions please :thumbsup:

#5 akmarksman

Posted 12 June 2007 - 03:12 AM

ComboFix log

2004-08-18 08:00	  12	--a------	C:\Qoobox\Quarantine\C\WINPRO\ws386.ini.vir
2005-08-10 06:06	  19968	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\drivers\sfsync02.sys.vir
2007-06-06 13:43	  4987	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\ms32.dll.vir
2007-06-06 13:43	  4987	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\set32.dll.vir
2007-06-06 13:43	  4987	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\usr32.dll.vir
2007-06-09 07:36	  19456	--a------	C:\Qoobox\Quarantine\C\WINPRO\avp.exe.vir
2007-06-10 20:11	  18	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\dlh9jkd1q8.exe.vir
2007-06-10 22:16	  0	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\0_exception.nls.vir
2007-06-10 22:16	  16954	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\tmp_0.exe.vir
2007-06-10 22:16	  16954	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\tmp_2.exe.vir
2007-06-10 22:16	  16954	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\tmp_h.exe.vir
2007-06-10 22:16	  16954	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\tmp_r7.exe.vir
2007-06-10 22:16	  4	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\winsub.xml.vir
2007-06-10 22:16	  45206	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\alt.exe.exe.vir
2007-06-10 22:16	  61040	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\xpdx.sys.vir
2007-06-10 22:16	  8192	--a------	C:\Qoobox\Quarantine\C\WINPRO\btn5026v7.exe.vir
2007-06-10 22:16	  91648	--a------	C:\Qoobox\Quarantine\C\WINPRO\msio32.dll.vir
2007-06-11 00:05	  124	--a------	C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINPRO\Documents\Settings\desktop.ini.vir
2007-06-11 21:57	  33408	--a------	C:\Qoobox\Quarantine\C\WINPRO\system32\drivers\runtime2.sys.vir
2007-06-11 23:56	  1024	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NDNET1.reg.cf
2007-06-11 23:56	  1024	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NTNDIS.reg.cf
2007-06-11 23:56	  1034	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
2007-06-11 23:56	  1100	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME2.reg.cf
2007-06-11 23:56	  1374	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_SFSYNC02.reg.cf
2007-06-11 23:56	  2572	--a------	C:\Qoobox\Quarantine\Registry_backups\services_sfsync02.reg.cf
2007-06-11 23:56	  2626	--a------	C:\Qoobox\Quarantine\Registry_backups\services_ntndis.reg.cf
2007-06-11 23:56	  439	--a------	C:\Qoobox\Quarantine\catchme.log
2007-06-11 23:56	  6644	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
2007-06-11 23:56	  780	--a------	C:\Qoobox\Quarantine\Registry_backups\services_NDnet1.reg.cf
2007-06-11 23:56	  816	--a------	C:\Qoobox\Quarantine\Registry_backups\services_runtime.reg.cf


Folder PATH listing
Volume serial number is 71FAE346 580B:75AF
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   
	+---C
	|   +---Documents and Settings
	|   |   \---All Users.WINPRO
	|   |	   \---Documents
	|   |		   \---Settings
	|   |				   desktop.ini.vir
	|   |				   
	|   \---WINPRO
	|	   |   avp.exe.vir
	|	   |   btn5026v7.exe.vir
	|	   |   msio32.dll.vir
	|	   |   ws386.ini.vir
	|	   |   
	|	   \---system32
	|		   |   0_exception.nls.vir
	|		   |   alt.exe.exe.vir
	|		   |   dlh9jkd1q8.exe.vir
	|		   |   ms32.dll.vir
	|		   |   set32.dll.vir
	|		   |   tmp_0.exe.vir
	|		   |   tmp_2.exe.vir
	|		   |   tmp_h.exe.vir
	|		   |   tmp_r7.exe.vir
	|		   |   usr32.dll.vir
	|		   |   winsub.xml.vir
	|		   |   xpdx.sys.vir
	|		   |   
	|		   \---drivers
	|				   runtime2.sys.vir
	|				   sfsync02.sys.vir
	|				   
	\---Registry_backups
			LEGACY_NDNET1.reg.cf
			LEGACY_NTNDIS.reg.cf
			LEGACY_RUNTIME.reg.cf
			LEGACY_RUNTIME2.reg.cf
			LEGACY_SFSYNC02.reg.cf
			services_NDnet1.reg.cf
			services_nm.reg.cf
			services_ntndis.reg.cf
			services_runtime.reg.cf
			services_sfsync02.reg.cf


I saw on the Tech Support Guy forums how you delete ntndis using ComboFix and creating a Notepad document, and here's a fresh HijackThis log. I'm using Ad-Aware, and Ad-Watch is blocking ntndis.exe from changing anything.
There's an Internet Explorer icon on my desktop and an archived folder called catchme. I'm not touching either one.

Logfile of HijackThis v1.99.1
Scan saved at 00:07, on 2007-06-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINPRO\System32\smss.exe
C:\WINPRO\system32\winlogon.exe
C:\WINPRO\system32\services.exe
C:\WINPRO\system32\lsass.exe
C:\WINPRO\system32\svchost.exe
C:\WINPRO\System32\svchost.exe
C:\WINPRO\system32\spoolsv.exe
C:\WINPRO\Explorer.EXE
C:\WINPRO\SOUNDMAN.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINPRO\System32\RunDLL32.exe
C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINPRO\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINPRO\System32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINPRO\System32\comi.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINPRO\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINPRO\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINPRO\System32\msjava.dll
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178581508132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181547529484
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: Application Layer Gateway Service ALGMessenger (ALGMessenger) - Unknown owner - C:\WINPRO\System32\ActiveScanb.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINPRO\System32\aspimgr.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog) - Unknown owner - \.exe (file missing)

#6 RichieUK, Malware Response Team


Posted 12 June 2007 - 03:23 AM

Click on Start/Control Panel/Add or Remove Programs and remove iWon if present, then restart your PC.

*******************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new Hijackthis log please.


#7 akmarksman

Posted 12 June 2007 - 04:00 AM

SDFix log

SDFix: Version 1.86

Run by user - 2007-06-12 - 0:37:42.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
aspimgr

ImagePath:
C:\WINPRO\System32\aspimgr.exe

aspimgr - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINPRO\bot.exe - Deleted
C:\WINPRO\Downloaded Program Files\UDC6_0001_D21M0303NetInstaller.exe - Deleted
C:\WINPRO\system32\drivers\runtime2.sy_ - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINPRO\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINPRO\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINPRO\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\All Users\William\My Documents\oh noes its h3x\I-Hacked.com Taking Advantage Of Technology - BMW M3 Sequential Gearbox launch_files\Thumbs.db
C:\Documents and Settings\All Users\William\My Documents\oh noes its h3x\I-Hacked.com Taking Advantage Of Technology - Hacking OnStar_files\Thumbs.db
C:\Documents and Settings\All Users\William\My Documents\oh noes its h3x\I-Hacked.com Taking Advantage Of Technology - How to make an M80_files\Thumbs.db
C:\Documents and Settings\All Users\William\My Documents\oh noes its h3x\I-Hacked.com Taking Advantage Of Technology - Install a Wireless Card Into Your XBOX_files\Thumbs.db
C:\found.002\dir0033.chk\Documents\New Folder\CRACK-LOCATOR[1].COM-Windows_XP_Anti_Product_Activation_Crack\.DS_Store
C:\found.002\dir0033.chk\Documents\New Folder\CRACK-LOCATOR[1].COM-Windows_XP_Anti_Product_Activation_Crack\WIN2000\.DS_Store
C:\found.002\dir0033.chk\Documents\New Folder\CRACK-LOCATOR[1].COM-Windows_XP_Anti_Product_Activation_Crack\WIN2000\ULTRA2\.DS_Store
C:\incoming\CRACK-LOCATOR[1].COM-Windows_XP_Anti_Product_Activation_Crack\Thumbs.db
C:\new.exe
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\My Docs\ BILLY\._billymomdaycard.exe
C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe
C:\Windows\system32\?ecurity\taskmgr.exe
C:\WINPRO\system32\acelpdech.exe
C:\WINPRO\system32\acelpdech.exe1477146031.dat
C:\WINPRO\system32\ActiveScanb.exe
C:\WINPRO\system32\svch138.exe
C:\WINPRO\system32\svch67.exe
C:\WINPRO\system32\svchdd.exe
C:\WINPRO\system32\svchj.exe
C:\WINPRO\system32\syst5.exe
C:\WINPRO\system32\syst56.exe
C:\WINPRO\system32\syst8.exe
C:\WINPRO\system32\systrb.exe
C:\WINPRO\system32\win_do.exe
C:\WINPRO\system32\win_vr6.exe
C:\found.002\dir0000.chk\LastGood.Tmp\INF\oem28.inf
C:\found.002\dir0000.chk\LastGood.Tmp\INF\oem28.PNF
C:\WINPRO\system32\config\default.tmp.LOG
C:\WINPRO\system32\config\SAM.tmp.LOG
C:\WINPRO\system32\config\SECURITY.tmp.LOG
C:\WINPRO\system32\config\software.tmp.LOG
C:\WINPRO\system32\config\system.tmp.LOG
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._ABC.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._acidfree.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._acidsolitaire.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._acidsolitaire28e.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._aeroplayerr2.9.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._BackupMan.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._BackupMan11-5-03.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._BackupMan8-04.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._bejeweled-2-2h.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._bejeweled-v2-23vh.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._Calculator10 2.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._clockplus.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._dietexercise.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._dietexercisesetupnew.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._dragonfire_hd.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._freeware_pack.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._ginrummy.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._InWatchPG.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._mileagex.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._Our_Father.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._pjongg.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._playkyodai.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._snapCalc56.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._SpiritualWarfare.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._tactic-1-0.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._timeofprayer2_1h.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._TimeofPrayer2_2.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\._tottutor110.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\ REG #'s\._9.95_bible_v1.1.zip
C:\found.002\dir0033.chk\Documents\Mom's stuff\HP Applications\Palm\Download Add-ons\Bought\bebop Folder\._BeBop Visit.zip

Listing User Accounts:

User accounts for \\WILLIAM

Administrator Guest HelpAssistant
SUPPORT_388945a0 user

Logfile of HijackThis v1.99.1
Scan saved at 00:52, on 2007-06-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINPRO\System32\smss.exe
C:\WINPRO\system32\winlogon.exe
C:\WINPRO\system32\services.exe
C:\WINPRO\system32\lsass.exe
C:\WINPRO\system32\svchost.exe
C:\WINPRO\System32\svchost.exe
C:\WINPRO\Explorer.EXE
C:\WINPRO\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINPRO\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINPRO\System32\nvsvc32.exe
C:\WINPRO\SOUNDMAN.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINPRO\System32\RunDLL32.exe
C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINPRO\System32\comi.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINPRO\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [smgr] smgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINPRO\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINPRO\System32\msjava.dll
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178581508132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181547529484
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: Application Layer Gateway Service ALGMessenger (ALGMessenger) - Unknown owner - C:\WINPRO\System32\ActiveScanb.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog) - Unknown owner - \.exe (file missing)


Finished

AVG found 2 trojan horses: 1 of them is called secdrv.sys and the 2nd one is called xpdx.sys. I put both of them in the virus vault.
I'm going to hold on to the iwon.com stuff because they haven't released a version of their prize machine that works with firefox/mozilla.
I'm going to enable ad-watch and leave avg anti-virus installed.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 02:32 PM

Download Killbox by Option^Explicit:
http://download.bleepingcomputer.com/spyware/KillBox.exe
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINPRO\System32\svchfg4.dll
C:\WINPRO\System32\ActiveScanb.exe


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

*******************

Click on Start/Run, type CMD then press Ok.
At the Command Prompt copy and paste the following commands pressing Enter after each one:

SC STOP ALGMessenger

SC STOP SharedAccessEventlog


Then type EXIT then press Enter.

*******************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

*******************

Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINPRO\System32\comi.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [smgr] smgr.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: Application Layer Gateway Service ALGMessenger (ALGMessenger) - Unknown owner - C:\WINPRO\System32\ActiveScanb.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog) - Unknown owner - \.exe (file missing)

Exit Hijackthis.

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Also post a new Hijackthis log.
Let me know how your pc is running now.


#9 akmarksman

akmarksman
  • Topic Starter

  • Members
  • 16 posts

Posted 12 June 2007 - 07:38 PM

Slight problem: I saved Killbox to my desktop, I went to open Killbox and I got an error message.
"Component MSCOMCTL.OCX or one of its dependencies not correctly registered: a file is missing or invalid"
EDIT:
I found killbox.exe on atribune.org. I saved the program to my desktop and it works. Working on what you posted right now.


Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Tuesday, June 12, 2007, 4:37 PM

# 1 [Delete on Reboot]
Path = C:\WINPRO\System32\ActiveScanb.exe


I Rebooted @ 4:40:50 PM
Killbox Closed(Exit) @ 4:40:51 PM
__________________________________________________


Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Tuesday, June 12, 2007, 4:45 PM

# 1 [Delete on Reboot]
Path = C:\WINPRO\System32\svchfg4.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:47:20 PM
Killbox Closed(Exit) @ 4:47:40 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Tuesday, June 12, 2007, 4:49 PM

Edited by akmarksman, 12 June 2007 - 07:54 PM.


#10 akmarksman

akmarksman
  • Topic Starter

  • Members
  • 16 posts

Posted 13 June 2007 - 12:19 AM

Logfile of HijackThis v1.99.1
Scan saved at 21:06, on 2007-06-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINPRO\System32\smss.exe
C:\WINPRO\system32\winlogon.exe
C:\WINPRO\system32\services.exe
C:\WINPRO\system32\lsass.exe
C:\WINPRO\system32\svchost.exe
C:\WINPRO\System32\svchost.exe
C:\WINPRO\Explorer.EXE
C:\WINPRO\system32\spoolsv.exe
C:\WINPRO\SOUNDMAN.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINPRO\System32\RunDLL32.exe
C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINPRO\System32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINPRO\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178581508132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181547529484
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: Application Layer Gateway Service ALGMessenger (ALGMessenger) - Unknown owner - C:\WINPRO\System32\ActiveScanb.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog) - Unknown owner - \.exe (file missing)

Dr.Web log:
iwonbar.dll;c:\program files\iwon\iwonbar\1.bin;Adware.MWS;Incurable.Moved.;
aerialBHDTS21.exe;C:\Documents and Settings\All Users\William\Desktop\BILLY folder on Laptop\MPCCM\aerialBHDTS21;Tool.GameCrack;Incurable.Moved.;
Process.exe;C:\Documents and Settings\user.USER-ESNKPAFFVA\Desktop\malware,spyware stuff\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\user.USER-ESNKPAFFVA\Desktop\malware,spyware stuff\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
cfg32.exe;C:\found.002\dir0000.chk;Adware.BookedSpace;Incurable.Moved.;
System32ftuninst.exe;C:\found.002\dir0000.chk;Adware.Linkmaker;Incurable.Moved.;
System32tfthot.exe;C:\found.002\dir0000.chk;Adware.SearchAid;Incurable.Moved.;
YAXUninst.exe;C:\found.002\dir0000.chk;Adware.MediaTicket;Incurable.Moved.;
YazzleActiveX.ocx;C:\found.002\dir0000.chk\Downloaded Program Files;Adware.ClickSpring;Incurable.Moved.;
IWON2NS.EXE;C:\Program Files\iWon\iWonBar\1.bin;Adware.IWonBar;Incurable.Moved.;
IWONBAR.DLL;C:\Program Files\iWon\iWonBar\1.bin;Adware.MWS;;
NPIWON0.DLL;C:\Program Files\iWon\iWonBar\1.bin;Adware.MyWay;Incurable.Moved.;
IWONSLOT.DLL;C:\Program Files\iWon\iWonSlot\1.bin;Adware.IWonBar;Incurable.Moved.;
pojo.html\Javascript.0;C:\Program Files\Windows Media Player\pojo.html;Trojan.Click.1237;;
pojo.html;C:\Program Files\Windows Media Player;Archive contains infected objects;Moved.;
megedu.html\Javascript.0;C:\Program Files\Windows NT\megedu.html;Trojan.Click.1237;;
megedu.html;C:\Program Files\Windows NT;Archive contains infected objects;Moved.;
msio32.dll.vir;C:\QooBox\Quarantine\C\WINPRO;Trojan.Spambot;Deleted.;
alt.exe.exe.vir;C:\QooBox\Quarantine\C\WINPRO\system32;Trojan.Packed.138;Deleted.;
runtime2.sys.vir;C:\QooBox\Quarantine\C\WINPRO\system32\drivers;BackDoor.Bulknet;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
ftuninst.exe;C:\Windows\system32;Adware.Linkmaker;Incurable.Moved.;
gbe90qs.exe;C:\Windows\system32;Adware.Yavak;Incurable.Moved.;
mptft.exe\data001;C:\Windows\system32\mptft.exe;Adware.SearchAid;;
mptft.exe\data003;C:\Windows\system32\mptft.exe;Adware.Linkmaker;;
mptft.exe;C:\Windows\system32;Archive contains infected objects;Moved.;
Process.exe;C:\Windows\system32;Tool.Prockill;Incurable.Moved.;
ssn6tuu.exe\data001;C:\Windows\system32\ssn6tuu.exe;Adware.Yavak;;
ssn6tuu.exe\data002;C:\Windows\system32\ssn6tuu.exe;Adware.Yavak;;
ssn6tuu.exe;C:\Windows\system32;Archive contains infected objects;Moved.;
tfthot.exe;C:\Windows\system32;Adware.SearchAid;Incurable.Moved.;
x3cqp0.dll;C:\Windows\system32;Adware.Yavak;Incurable.Moved.;
acelpdech.exe;C:\WINPRO\system32;BackDoor.IRC.Sdbot.1356;Deleted.;
lsnpr.exe;C:\WINPRO\system32;Trojan.DnsChange;Incurable.Moved.;
Process.exe;C:\WINPRO\system32;Tool.Prockill;Incurable.Moved.;

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 June 2007 - 12:52 AM

ntndis.exe - W32/Rbot-DPG worm and IRC backdoor.

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

********************************

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the services called:
Application Layer Gateway Service ALGMessenger (ALGMessenger)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog)

In the next window that opens, click their 'Stop' buttons.
Then change their 'Startup Types' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

********************************

Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drivers\ntndis.exe
c:\winpro\system32\drivers\uzcx.exe


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

********************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. / Save as Type: 'All Files' / File name: fixit.reg to your desktop.
Then double click on the fixit.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

********************************

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.

Edited by RichieUK, 13 June 2007 - 12:53 AM.

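The fixes RichieUK picked out of the HijackThis logs in posts #8 and #11 all come down to a handful of checks: an entry whose file is gone, a non-empty AppInit_DLLs value, a system.ini Shell= that is not plain explorer.exe, a Run entry launched from TEMP or from system32\drivers, an ActiveX download with no registered name, and a service with no publisher. As an added example (not code from this thread, HijackThis or Killbox), here is a small Python triage script that applies those same checks to a constructed excerpt of the log lines quoted above; the severity labels and rule wording are my own.

```python
"""Triage of HijackThis v1.99 log lines.

Added example for this thread, not code from HijackThis, Killbox or the
poster: it encodes the checks RichieUK applied by eye to the logs above.
Severity labels and rule wording are this example's own.
"""
import re

HIGH = "high"   # the helper removed every entry of this kind
LOW = "low"     # cannot be judged from the log alone; needs a look on disk

# Constructed excerpt of the HijackThis lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINPRO\System32\comi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: Application Layer Gateway Service ALGMessenger (ALGMessenger) - Unknown owner - C:\WINPRO\System32\ActiveScanb.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessEventlog (SharedAccessEventlog) - Unknown owner - \.exe (file missing)
"""


def check_line(line: str) -> list:
    """Return (severity, reason) pairs for one HijackThis line.

    An empty list means no heuristic fired, not that the entry is clean.
    """
    reasons = []
    kind, _, body = line.partition(" - ")
    low = line.lower()

    # Orphaned entries: the registry still points at a file that is gone.
    # Harmless alone, but a sign that a removal was incomplete.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append((HIGH, "entry points at a file that no longer exists"))

    if kind == "F2":
        # system.ini Shell= must be exactly explorer.exe; anything appended
        # is launched with the desktop at every logon (the ntndis.exe case).
        m = re.search(r"shell=(.*)$", low)
        if m and m.group(1).strip() != "explorer.exe":
            reasons.append((HIGH, "Shell= launches something besides explorer.exe"))

    elif kind == "O4":
        # The Run-key target is whatever follows the [name] bracket.
        m = re.search(r"\]\s*(.*)$", body)
        target = m.group(1).strip().strip('"') if m else ""
        if "\\temp\\" in target.lower():
            reasons.append((HIGH, "autostart launches from a TEMP directory"))
        if re.search(r"\\drivers\\[^\\]+\.exe", target, re.I):
            reasons.append((HIGH, "autostart launches an .exe from system32\\drivers"))
        if target and "\\" not in target:
            # SOUNDMAN.EXE and smgr.exe look alike here; only the file on
            # disk tells them apart, so this is a prompt, not a verdict.
            reasons.append((LOW, "bare file name resolved via PATH; confirm where it lives"))

    elif kind == "O16":
        # A DPF entry with no "(Description)" before the URL is an ActiveX
        # download whose CLSID the system could not name.
        if re.match(r"DPF: \{[^}]+\} - ", body):
            reasons.append((HIGH, "unnamed ActiveX control downloaded from the web"))

    elif kind == "O20":
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # HijackThis only prints the line when the value is non-empty.
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append((HIGH, "AppInit_DLLs injects a DLL into every GUI process"))

    elif kind == "O23":
        if "unknown owner" in low:
            reasons.append((HIGH, "service binary carries no publisher information"))

    return reasons


def triage(log_text: str) -> dict:
    """Map every flagged line of a HijackThis log to its (severity, reason) list."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for severity, reason in reasons:
            print(f"    [{severity}] {reason}")
```

On the sample above every entry RichieUK had fixed comes back as "high", the AVG, Spybot and Windows Genuine Advantage lines stay quiet, and SoundMan and smgr both get only the "low" prompt, which is exactly the point where a log alone stops being enough.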

#12 akmarksman

akmarksman
  • Topic Starter

  • Members
  • 16 posts

Posted 14 June 2007 - 05:25 PM

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Tuesday, June 12, 2007, 4:37 PM

# 1 [Delete on Reboot]
Path = C:\WINPRO\System32\ActiveScanb.exe


I Rebooted @ 4:40:50 PM
Killbox Closed(Exit) @ 4:40:51 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Tuesday, June 12, 2007, 4:45 PM

# 1 [Delete on Reboot]
Path = C:\WINPRO\System32\svchfg4.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:47:20 PM
Killbox Closed(Exit) @ 4:47:40 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Tuesday, June 12, 2007, 4:49 PM

Killbox Closed(Exit) @ 4:53:03 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Wednesday, June 13, 2007, 2:02 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\ntndis.exe


# 2 [Delete on Reboot]
Path = c:\winpro\system32\drivers\uzcx.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:03:50 AM
Killbox Closed(Exit) @ 2:03:53 AM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Thursday, June 14, 2007, 6:38 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\ntndis.exe


# 2 [Delete on Reboot]
Path = c:\winpro\system32\drivers\uzcx.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\ntndis.exe


I Rebooted @ 6:39:48 AM
Killbox Closed(Exit) @ 6:39:49 AM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as user(Administrator)
was started @ Thursday, June 14, 2007, 6:43 AM

ComboFix 07-06-11.3 - C:\Documents and Settings\user.USER-ESNKPAFFVA\Desktop\malware,spyware stuff\ComboFix.exe
"user" - 2007-06-14 6:44:50 - Service Pack 1 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-13 04:08 <DIR> d-------- C:\Fraps
2007-06-12 17:04 <DIR> d-------- C:\DOCUME~1\USER~1.USE\DoctorWeb
2007-06-12 16:37 <DIR> d-------- C:\!KillBox
2007-06-11 23:55 0 --a------ C:\WINPRO\system32\sfsync02.dll
2007-06-11 23:53 49,152 --a------ C:\WINPRO\nircmd.exe
2007-06-11 06:43 6,590 --a------ C:\dnsbak.reg
2007-06-11 03:31 <DIR> d-------- C:\DOCUME~1\USER~1.USE\APPLIC~1\Lavasoft
2007-06-11 03:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-11 03:12 16,954 -r-h----- C:\WINPRO\system32\syst56.exe
2007-06-11 03:02 16,954 -r-h----- C:\WINPRO\system32\syst8.exe
2007-06-11 02:35 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace
2007-06-11 02:14 16,954 -r-h----- C:\WINPRO\system32\systrb.exe
2007-06-11 00:44 16,954 -r-h----- C:\WINPRO\system32\win_do.exe
2007-06-11 00:34 16,954 -r-h----- C:\WINPRO\system32\svchdd.exe
2007-06-11 00:30 51,200 --a------ C:\WINPRO\system32\dumphive.exe
2007-06-11 00:30 288,417 --a------ C:\WINPRO\system32\SrchSTS.exe
2007-06-11 00:30 16,954 -r-h----- C:\WINPRO\system32\svchj.exe
2007-06-11 00:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1.WIL\APPLIC~1\SUPERAntiSpyware.com
2007-06-11 00:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-11 00:13 <DIR> d-------- C:\DOCUME~1\USER~1.USE\APPLIC~1\SUPERAntiSpyware.com
2007-06-11 00:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-06-10 23:04 16,954 -r-h----- C:\WINPRO\system32\svch138.exe
2007-06-10 22:50 16,954 -r-h----- C:\WINPRO\system32\svch67.exe
2007-06-10 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 22:35 16,954 -r-h----- C:\WINPRO\system32\syst5.exe
2007-06-10 22:17 16,954 -r-h----- C:\WINPRO\system32\win_vr6.exe
2007-06-10 21:00 2,020 --a------ C:\WINPRO\system32\tmp.reg
2007-06-10 20:58 786,432 --a------ C:\DOCUME~1\ADMINI~1.WIL\NTUSER.DAT
2007-06-10 20:15 53 --ahs---- C:\WINPRO\system32\acelpdech.exe1477146031.dat
2007-06-10 20:10 <DIR> d-a------ C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\TEMP
2007-06-10 19:32 <DIR> d-------- C:\GRAW Mods
2007-06-10 18:58 <DIR> dr-h----- C:\DOCUME~1\USER~1.USE\APPLIC~1\SecuROM
2007-06-10 18:57 98,816 --a------ C:\WINPRO\system32\dmstyle.dll
2007-06-10 18:57 974,848 --a------ C:\WINPRO\system32\dxdiag.exe
2007-06-10 18:57 80,896 --a------ C:\WINPRO\system32\dpvsetup.exe
2007-06-10 18:57 8,192 --a------ C:\WINPRO\system32\d3d8thk.dll
2007-06-10 18:57 797,184 --a------ C:\WINPRO\system32\d3dim700.dll
2007-06-10 18:57 79,360 --a------ C:\WINPRO\system32\dpwsockx.dll
2007-06-10 18:57 77,824 --a------ C:\WINPRO\system32\dpmodemx.dll
2007-06-10 18:57 76,800 --a------ C:\WINPRO\system32\dmscript.dll
2007-06-10 18:57 733,184 --a------ C:\WINPRO\system32\qedwipes.dll
2007-06-10 18:57 723,968 --a------ C:\WINPRO\system32\dpnet.dll
2007-06-10 18:57 7,424 --a------ C:\WINPRO\system32\drivers\mskssrv.sys
2007-06-10 18:57 68,096 --a------ C:\WINPRO\system32\dpnhupnp.dll
2007-06-10 18:57 667,648 --a------ C:\WINPRO\system32\dinput8.dll
2007-06-10 18:57 648,704 --a------ C:\WINPRO\system32\dinput.dll
2007-06-10 18:57 64,512 --a------ C:\WINPRO\system32\amstream.dll
2007-06-10 18:57 602,624 --a------ C:\WINPRO\system32\dx7vb.dll
2007-06-10 18:57 590,336 --a------ C:\WINPRO\system32\d3dramp.dll
2007-06-10 18:57 58,368 --a------ C:\WINPRO\system32\dmcompos.dll
2007-06-10 18:57 5,248 --a------ C:\WINPRO\system32\drivers\mspclock.sys
2007-06-10 18:57 491,520 --a------ C:\WINPRO\system32\dsdmoprp.dll
2007-06-10 18:57 48,512 --a------ C:\WINPRO\system32\drivers\stream.sys
2007-06-10 18:57 470,528 --a------ C:\WINPRO\system32\qdvd.dll
2007-06-10 18:57 47,616 --a------ C:\WINPRO\system32\d3dxof.dll
2007-06-10 18:57 47,104 --a------ C:\WINPRO\system32\wstdecod.dll
2007-06-10 18:57 467,968 --a------ C:\WINPRO\system32\diactfrm.dll
2007-06-10 18:57 44,032 --a------ C:\WINPRO\system32\dimap.dll
2007-06-10 18:57 436,224 --a------ C:\WINPRO\system32\d3dim.dll
2007-06-10 18:57 4,096 --a------ C:\WINPRO\system32\ksuser.dll
2007-06-10 18:57 4,096 --a------ C:\WINPRO\system32\drivers\swenum.sys
2007-06-10 18:57 381,952 --a------ C:\WINPRO\system32\dsound.dll
2007-06-10 18:57 381,952 --a------ C:\WINPRO\system32\dpvoice.dll
2007-06-10 18:57 350,208 --a------ C:\WINPRO\system32\d3drm.dll
2007-06-10 18:57 34,816 --a------ C:\WINPRO\system32\d3dpmesh.dll
2007-06-10 18:57 34,304 --a------ C:\WINPRO\system32\mciqtz32.dll
2007-06-10 18:57 33,280 --a------ C:\WINPRO\system32\dmloader.dll
2007-06-10 18:57 324,096 --a------ C:\WINPRO\system32\mswebdvd.dll
2007-06-10 18:57 32,768 --a------ C:\WINPRO\system32\dpnhpast.dll
2007-06-10 18:57 316,928 --a------ C:\WINPRO\system32\qdv.dll
2007-06-10 18:57 3,072 --a------ C:\WINPRO\system32\dpnlobby.dll
2007-06-10 18:57 3,072 --a------ C:\WINPRO\system32\dpnaddr.dll
2007-06-10 18:57 292,864 --a------ C:\WINPRO\system32\ddraw.dll
2007-06-10 18:57 28,160 --a------ C:\WINPRO\system32\dplaysvr.exe
2007-06-10 18:57 27,136 --a------ C:\WINPRO\system32\dmband.dll
2007-06-10 18:57 257,024 --a------ C:\WINPRO\system32\qcap.dll
2007-06-10 18:57 24,064 --a------ C:\WINPRO\system32\ddrawex.dll
2007-06-10 18:57 230,400 --a------ C:\WINPRO\system32\dplayx.dll
2007-06-10 18:57 223,232 --a------ C:\WINPRO\system32\gcdef.dll
2007-06-10 18:57 19,968 --a------ C:\WINPRO\system32\dpvacm.dll
2007-06-10 18:57 186,880 --a------ C:\WINPRO\system32\dsdmo.dll
2007-06-10 18:57 181,248 --a------ C:\WINPRO\system32\dmime.dll
2007-06-10 18:57 18,944 --a------ C:\WINPRO\system32\encapi.dll
2007-06-10 18:57 18,432 --a------ C:\WINPRO\system32\dswave.dll
2007-06-10 18:57 173,056 --a------ C:\WINPRO\system32\qasf.dll
2007-06-10 18:57 16,896 --a------ C:\WINPRO\system32\msyuv.dll
2007-06-10 18:57 16,896 --a------ C:\WINPRO\system32\dpnsvr.exe
2007-06-10 18:57 132,608 --a------ C:\WINPRO\system32\devenum.dll
2007-06-10 18:57 130,304 --a------ C:\WINPRO\system32\drivers\ks.sys
2007-06-10 18:57 13,312 --a------ C:\WINPRO\system32\msdmo.dll
2007-06-10 18:57 122,880 --a------ C:\WINPRO\system32\dmusic.dll
2007-06-10 18:57 112,128 --a------ C:\WINPRO\system32\dpvvox.dll
2007-06-10 18:57 100,864 --a------ C:\WINPRO\system32\dmsynth.dll
2007-06-10 18:57 10,496 --a------ C:\WINPRO\system32\drivers\dxapi.sys
2007-06-10 18:57 1,962,496 --a------ C:\WINPRO\system32\quartz.dll
2007-06-10 18:57 1,798,144 --a------ C:\WINPRO\system32\qedit.dll
2007-06-10 18:57 1,294,336 --a------ C:\WINPRO\system32\dsound3d.dll
2007-06-10 18:57 1,230,336 --a------ C:\WINPRO\system32\msvidctl.dll
2007-06-10 18:57 1,201,152 --a------ C:\WINPRO\system32\d3d8.dll
2007-06-10 18:57 1,189,888 --a------ C:\WINPRO\system32\dx8vb.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-13 02:50:42 -------- d-----w C:\Program Files\Windows NT
2007-06-13 01:00:28 -------- d-----w C:\Program Files\360Share
2007-06-11 07:22:41 -------- d-----w C:\Program Files\GameSpy Arcade
2007-06-11 04:10:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-10 14:55:53 -------- d-----w C:\Program Files\D-Tools
2007-06-06 21:43:23 -------- d-----w C:\Program Files\Movie Maker
2007-06-01 18:48:35 -------- d-----w C:\Program Files\LimeWire
2007-05-31 12:43:32 -------- d-----w C:\Program Files\QuickTime
2007-05-20 02:42:30 -------- d-----w C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2007-05-16 02:24:18 -------- d-----w C:\Program Files\Winamp
2007-05-14 12:01:48 -------- d-----w C:\Program Files\Ubisoft
2007-05-13 13:10:20 -------- d-----w C:\Program Files\Realtek AC97
2007-05-13 13:05:52 552 ----a-w C:\WINPRO\system32\d3d8caps.dat
2007-05-13 13:05:23 -------- d-----w C:\Program Files\SystemRequirementsLab
2007-05-13 13:05:23 -------- d-----w C:\DOCUME~1\USER~1.USE\APPLIC~1\SystemRequirementsLab
2007-05-13 13:04:33 2,771 ----a-w C:\WINPRO\mozver.dat
2007-05-13 12:29:05 -------- d-----w C:\DOCUME~1\USER~1.USE\APPLIC~1\Talkback
2007-05-13 11:48:37 -------- d-----w C:\Program Files\AvRack
2007-05-09 00:57:25 -------- d-----w C:\DOCUME~1\USER~1.USE\APPLIC~1\MySpace
2007-05-09 00:57:24 -------- d-----w C:\Program Files\MySpace
2007-05-09 00:43:20 0 ----a-w C:\WINPRO\nsreg.dat
2007-05-09 00:39:45 100,475 ----a-w C:\WINPRO\UninstallFirefox.exe
2007-05-08 19:24:47 -------- d-----w C:\Program Files\VIA
2007-05-07 21:50:18 21,640 ----a-w C:\WINPRO\system32\emptyregdb.dat
2007-05-03 19:55:01 0 ----a-w C:\AUTOEXEC.BAT
2007-05-03 19:53:51 -------- d-----w C:\Program Files\Online Services
2007-03-16 05:27:14 40,960 ----a-w C:\WINPRO\system32\frapsvid.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 04:42 C:\WINPRO\SOUNDMAN.EXE]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 11:43]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINPRO\system32\nvmctray.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe" [2007-03-14 17:23]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-12 09:08]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-02 13:03]
"NvCplDaemon"="C:\WINPRO\System32\NvCpl.dll" [2006-10-22 12:22]
"avp"="C:\WINPRO\TEMP\17.tmp" []
"smgr"="smgr.exe" []
"iut75"="c:\winpro\system32\drivers\uzcx.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINPRO\System32\svchfg4.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 06:47:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-14 6:47:50
C:\ComboFix-quarantined-files.txt ... 2007-06-14 06:47
C:\ComboFix2.txt ... 2007-06-11 23:59

--- E O F ---

#13 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 June 2007 - 06:24 PM

Could you post the new HijackThis log as requested?

#14 akmarksman
  • Topic Starter
  • Members
  • 16 posts

Posted 18 June 2007 - 10:32 AM

Sorry for the delay. I was offline, building a computer for my nephew.

HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 07:31, on 2007-06-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINPRO\System32\smss.exe
C:\WINPRO\system32\winlogon.exe
C:\WINPRO\system32\services.exe
C:\WINPRO\system32\lsass.exe
C:\WINPRO\system32\svchost.exe
C:\WINPRO\System32\svchost.exe
C:\WINPRO\system32\spoolsv.exe
C:\WINPRO\Explorer.exe
C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINPRO\System32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINPRO\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINPRO\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178581508132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181547529484
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe

#15 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 18 June 2007 - 01:20 PM

Please disable Ad-Aware's Ad-Watch or it will interfere:

1. Right click on the Ad-Watch icon in the system tray.
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch on/off without closing it
Automatic: Suspicious activity will be blocked automatically

3. Uncheck both of those boxes.

**********************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL of the following bold blue text from the quote box below:

Files to delete:
C:\WINPRO\system32\sfsync02.dll
C:\WINPRO\system32\syst56.exe
C:\WINPRO\system32\syst8.exe
C:\WINPRO\system32\systrb.exe
C:\WINPRO\system32\win_do.exe
C:\WINPRO\system32\svchdd.exe
C:\WINPRO\system32\svchj.exe
C:\WINPRO\system32\svch138.exe
C:\WINPRO\system32\svch67.exe
C:\WINPRO\system32\syst5.exe
C:\WINPRO\system32\win_vr6.exe
C:\WINPRO\system32\acelpdech.exe1477146031.dat

Folders to delete:
C:\Program Files\GameSpy Arcade

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.

**********************************

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll

Exit Hijackthis.

**********************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

Restart your pc.
Post the Avenger output.txt and a new HijackThis log into your next reply, please.
Let me know how your pc is running now.

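
A small triage script for the HijackThis log in post #14, added here as an example; it is not part of the original thread and is not code from HijackThis, ComboFix or Avenger. It applies the reasoning behind the fix list in post #15 to the log's autostart lines: a Run entry launched from a temp directory or from an .exe sitting in the drivers folder, a second program appended to the Winlogon Shell value (F2), any AppInit_DLLs entry (O20), and sites added to the IE Trusted Zone (O15). The log excerpt embedded below is copied from post #14 and trimmed to those lines; the severity scale, the directory lists and all function names are this example's own assumptions.

```python
"""HijackThis log triage (added example; not part of the thread or of HijackThis,
ComboFix or Avenger). Applies the reasoning behind the fix list in post #15 to the
O4/F2/O20/O15 lines of the log in post #14. Severity labels, directory lists and
function names are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Autostart-related lines copied from the HijackThis log in post #14 (constructed
# excerpt for this example; the O23 line is included to show that it is ignored).
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINPRO\TEMP\17.tmp
O4 - HKLM\..\Run: [iut75] c:\winpro\system32\drivers\uzcx.exe
O15 - Trusted Zone: http://prizemachine.games.iwon.com
O20 - AppInit_DLLs: C:\WINPRO\System32\svchfg4.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag (O4, F2, O20, O15)
    severity: str  # "high", "medium" or "low": this example's own scale
    name: str      # Run-key value name, or the registry value for single-value sections
    target: str    # file the entry launches/loads (lower-cased) or the URL
    reason: str


# Assumed rules: no legitimate autorun launches from a temp directory, and an .exe
# started from the drivers folder is using that folder as camouflage, not as a driver.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
DRIVER_DIR = "\\system32\\drivers\\"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>.*)$")


def first_executable(cmd: str) -> str:
    """Program part of a Run-key command line, unquoted and lower-cased.
    For rundll32 launches the interesting file is the DLL argument, not rundll32."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)].lower()
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32") and rest:
        return rest.strip().split(",")[0].strip('"').lower()
    return head.lower()


def classify_o4(name: str, cmd: str) -> Optional[Finding]:
    """Apply the Run-key heuristics; None means nothing stood out."""
    exe = first_executable(cmd)
    if any(d in exe for d in TEMP_DIRS):
        return Finding("O4", "high", name, exe, "autorun launched from a temp directory")
    if DRIVER_DIR in exe and exe.endswith(".exe"):
        return Finding("O4", "high", name, exe, "non-driver executable autorun from the drivers folder")
    if "\\" not in exe:
        # Bare names resolve through the search path; a legitimate entry (SOUNDMAN.EXE)
        # and a malicious one (smgr.exe) look identical here, so confirm on disk.
        return Finding("O4", "low", name, exe, "bare filename resolved via search path: verify on disk")
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            f = classify_o4(m["name"], m["cmd"])
            if f:
                findings.append(f)
            continue
        m = F2_RE.match(line)
        if m:
            shell = m["shell"].strip()
            # The stock value is exactly "Explorer.exe"; anything after it is a second
            # program Winlogon starts alongside the desktop on every logon.
            if shell.lower() != "explorer.exe":
                _, _, extra = shell.partition(" ")
                findings.append(Finding("F2", "high", "Shell", (extra or shell).lower(),
                                        "extra program appended to the Winlogon Shell value"))
            continue
        m = O20_RE.match(line)
        if m and m["dll"].strip():
            # AppInit_DLLs are loaded into every process that maps user32.dll.
            findings.append(Finding("O20", "high", "AppInit_DLLs", m["dll"].strip().lower(),
                                    "DLL injected into every user32-linked process"))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("O15", "medium", "Trusted Zone", m["url"].strip(),
                                    "site granted the relaxed Trusted Zone ActiveX settings"))
    return findings


def targets_by_severity(log_text: str, severity: str) -> Set[str]:
    """Convenience view: the distinct targets at one severity level."""
    return {f.target for f in triage(log_text) if f.severity == severity}


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f.severity:6} {f.section:3} {f.name}: {f.target} ({f.reason})")
```

Run against the excerpt, the four high-severity findings are exactly the entries the helper chose to fix outright (the avp entry in TEMP, the uzcx.exe entry in the drivers folder, ntndis.exe appended to the Shell value, and the svchfg4.dll AppInit entry); the iWon Trusted Zone entry comes out medium; and SoundMan, NvMediaCenter and smgr land in the low bucket because a bare filename cannot be judged from the log alone. That is where the ComboFix output in post #12 earns its keep: its Reg Loading Points section prints a timestamp and resolved path for SOUNDMAN.EXE but only [] for smgr.exe, which is why smgr is on the fix list and SoundMan is not.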
