Resolved HJT Threads: resolved spyware and popup issues.

10-14-2006, 06:17 PM   #1
Registered User
Join Date: Oct 2006
Posts: 7
OS: XP

Multiple Trojans and Viruses Found

I have followed the 5 Step Process and I am now ready to post the HJT log file for analysis. The anti-spyware and anti-virus programs found many items, most notably:

TROJ_GENERIC
TROJ_DLOADER.DHU
BKDR_AGENT.E
ADWARE_EZULA
ADWARE_DYFUCA
ADWARE_WINTOOLS
ADWARE_IBIS.WEBSEARCH

After performing all 5 Steps and supposedly cleaning all of these, here is the HJT log, please let me know if you see anything else that is left over:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:41 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\FNTS~1\smss.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media61.fastclick.net/w/safep...40&nfcp=1&fp=2
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {BF353A58-879A-D339-E41A-FD7A90E35BB5} - C:\WINDOWS\System32\tmjvnc.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58E46400-9DF1-DC70-C90B-F8342038AFA9} - C:\WINDOWS\System32\tnxqn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9DC85BF5-F250-E8D9-3BC0-C47754093BA7} - C:\WINDOWS\System32\iixzlo.dll (file missing)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
O2 - BHO: (no name) - {BF353A58-879A-D339-E41A-FD7A90E35BB5} - C:\WINDOWS\System32\tmjvnc.dll
O2 - BHO: (no name) - {CB1D77E9-60F2-474B-91BF-E6DE4790EEE7} - C:\WINDOWS\System32\nmcmjda.dll (file missing)
O2 - BHO: (no name) - {CB560B22-FADB-E852-E22A-CF979A046DA6} - C:\WINDOWS\System32\arcwwiy.dll (file missing)
O2 - BHO: (no name) - {F5E9E504-4EFC-0F77-9A2D-7F2C718055A4} - C:\WINDOWS\System32\rdfkkcf.dll (file missing)
O2 - BHO: (no name) - {F8DC8A09-25A1-3877-CF18-193A10585DF5} - C:\WINDOWS\System32\btyazg.dll (file missing)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Services] svssshost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Sovvx] C:\WINDOWS\System32\t?skmgr.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SCURIT~1\arpa.exe" -vt mt
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Corp] "C:\WINDOWS\FNTS~1\smss.exe" -vt mt
O4 - HKCU\..\Run: [Yccpg] C:\Program Files\s?stem\?ttrib.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160873554078
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)
O20 - Winlogon Notify: winvhi32 - winvhi32.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Darth Evader
10-17-2006, 05:39 PM   #2
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 24,583
OS: 2000 Pro; XP Pro; XP Home

That's quite a mess you're cleaning up. This will take some time.

First, let's get some protection on your system.

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

Please download and install this excellent and FREE anti-virus program:

Please download Active Virus Shield (powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process.
  • Then please update the program and run a systemwide scan. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.
  • Click the Scan button on the left, and then click Detected.
  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply, at the end of this fix.
Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

---------------------------------------------------------------------------------------------

Next, let's clean some junk.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop. We'll use this later.


Download About Buster 6.0 and unzip it to your desktop. We'll use this later.

Download CWShredder and run it. Click on Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

---------------------------------------------------------------------------------------------

Download AVG Anti-Spyware
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

1. Download this file from one of these locations:

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe


* IMPORTANT !!! Place it on your Desktop.


2. Go to Start -> Run and then paste in this single line command & click OK
"%userprofile%\desktop\combofix.exe" /v tmjvnc


Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

3. When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WinTools
Web Offer
PeoplePal Toolbar


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media61.fastclick.net/w/safep...40&nfcp=1&fp=2
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {BF353A58-879A-D339-E41A-FD7A90E35BB5} - C:\WINDOWS\System32\tmjvnc.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {58E46400-9DF1-DC70-C90B-F8342038AFA9} - C:\WINDOWS\System32\tnxqn.dll (file missing)
O2 - BHO: (no name) - {9DC85BF5-F250-E8D9-3BC0-C47754093BA7} - C:\WINDOWS\System32\iixzlo.dll (file missing)
O2 - BHO: (no name) - {BF353A58-879A-D339-E41A-FD7A90E35BB5} - C:\WINDOWS\System32\tmjvnc.dll
O2 - BHO: (no name) - {CB1D77E9-60F2-474B-91BF-E6DE4790EEE7} - C:\WINDOWS\System32\nmcmjda.dll (file missing)
O2 - BHO: (no name) - {CB560B22-FADB-E852-E22A-CF979A046DA6} - C:\WINDOWS\System32\arcwwiy.dll (file missing)
O2 - BHO: (no name) - {F5E9E504-4EFC-0F77-9A2D-7F2C718055A4} - C:\WINDOWS\System32\rdfkkcf.dll (file missing)
O2 - BHO: (no name) - {F8DC8A09-25A1-3877-CF18-193A10585DF5} - C:\WINDOWS\System32\btyazg.dll (file missing)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Microsoft Services] svssshost.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Sovvx] C:\WINDOWS\System32\t?skmgr.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SCURIT~1\arpa.exe" -vt mt
O4 - HKCU\..\Run: [Corp] "C:\WINDOWS\FNTS~1\smss.exe" -vt mt
O4 - HKCU\..\Run: [Yccpg] C:\Program Files\s?stem\?ttrib.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)
O20 - Winlogon Notify: winvhi32 - winvhi32.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)



Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\program files\common files\WinTools
C:\program files\Web Offer
c:\x.cab


Find these via Start>Search and delete if found:

svssshost.exe
ptmg1v.dll
D0CE0C16B1



---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------


Run AboutBuster 6.0 and select "Begin Removal". Make sure you click "Yes" to every message box that appears.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

---------------------------------------------------------------------------------------------

Once back in normal Windows:

Run AboutBuster one final time. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

ActiveVirusShield
ComboFix (located at C:\ComboFix.txt)
AVG Anti-Spyware
AboutBuster
SmitfraudFix (Located at C:\rapport.txt)
Panda online scan
HJT


This will likely take multiple posts to get all the logs back to me.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
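The checklist in the reply above picks out a handful of recurring patterns from the log: a system binary name (smss.exe) running from C:\WINDOWS\FNTS~1 instead of System32, autostart paths containing a '?' where HijackThis could not print a non-ASCII character (t?skmgr.exe, s?stem\?ttrib.exe), IE search pages and O16 ActiveX objects loaded from file://, unnamed BHOs and URLSearchHooks whose DLLs are already gone, and Winlogon Notify / SSODL entries that Windows XP does not ship with. The Python below is an added example written for this thread; it is not part of HijackThis or of the analyst's instructions. It encodes those patterns as rules and runs them over lines copied from the log in the first post. The severity tiers, the short-name allowlist and the lists of XP-default Winlogon Notify and SSODL names are this example's assumptions.

```python
r"""Triage heuristics for HijackThis v1.99 log lines.

Added example for this thread, not code from HijackThis or from the analyst.
Each rule encodes one pattern the reply's checklist targets; the tiers and the
allowlists below are assumptions made for the illustration.
"""
import re

# Home directory of each core process (assumed); a copy anywhere else is a disguise.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {n: SYSTEM32 for n in ("smss.exe", "csrss.exe", "winlogon.exe",
                                       "services.exe", "lsass.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
# 8.3 short names that legitimately appear in autostart paths (assumed list).
KNOWN_SHORT = {"progra~1", "common~1", "docume~1", "locals~1", "alluse~1", "micros~1"}
# Winlogon Notify packages and SSODL objects that ship with Windows XP (assumed list).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray", "auhook"}

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# A component like FNTS~1 or SCURIT~1: the 8.3 form of a long name HJT could
# not print, typically because the real name contains non-ASCII characters.
SHORTNAME_RE = re.compile(r'\\([^\\\s"]+~\d)(?=\\)')

def odd_shortnames(path):
    return [s for s in SHORTNAME_RE.findall(path) if s.lower() not in KNOWN_SHORT]

def check_process(path):
    """Rule for a 'Running processes' line; returns (tier, reason) or None."""
    directory, _, name = path.lower().rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected:
        return "high", f"{name} running from {directory}, expected {expected}"
    if odd_shortnames(path):
        return "review", "unusual 8.3 short name: " + ", ".join(odd_shortnames(path))
    return None

def check_entry(section, rest):
    """Rules for 'Rn - ...' / 'On - ...' entries; returns (tier, reason) or None."""
    if section in ("R0", "R1") and " = file://" in rest:
        return "high", "IE start/search page points at a local file"
    if section in ("R3", "O2") and "(no name)" in rest:
        gone = "(file missing)" in rest or "(no file)" in rest
        return "review", "unnamed BHO/URLSearchHook" + (", file already gone" if gone else "; look up the CLSID")
    if section == "O4":
        command = rest.split(": ", 1)[-1]
        command = re.sub(r"^\[[^\]]*\]\s*", "", command).split(" = ", 1)[-1].strip()
        if command == "?":                    # HJT could not resolve the .lnk target
            return None
        if "?" in command:                    # '?' is HJT's stand-in for a non-ASCII character
            return "high", "'?' in autostart path (non-ASCII look-alike name)"
        tokens = command.replace('"', "").split()
        if len(tokens) > 1 and tokens[0].lower() in ("rundll32.exe", "rundll32") and "\\" not in tokens[1]:
            return "review", f"rundll32 loading {tokens[1]} by bare name"
        if odd_shortnames(command):
            return "review", "unusual 8.3 short name: " + ", ".join(odd_shortnames(command))
    if section == "O16" and " - file://" in rest:
        return "high", "ActiveX (DPF) object sourced from a local .cab"
    if section == "O20" and rest.startswith("Winlogon Notify: "):
        name = rest[len("Winlogon Notify: "):].split(" - ", 1)[0]
        if name.lower() not in KNOWN_NOTIFY:
            return "high", f"non-default Winlogon Notify package {name!r}"
    if section == "O21" and ": " in rest:
        name = rest.split(": ", 1)[1].split(" - ", 1)[0]
        if name.lower() not in KNOWN_SSODL:
            return ("high" if "(no file)" in rest else "review"), f"non-default SSODL object {name!r}"
    return None

def triage(log_text):
    """Return [(tier, line, reason)] for every suspicious line in a HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            hit = check_entry(m.group(1), m.group(2))
        elif re.match(r"^[A-Za-z]:\\", line):
            hit = check_process(line)
        else:
            hit = None
        if hit:
            findings.append((hit[0], line, hit[1]))
    return findings

# Lines copied from the log in the first post; legitimate ones are included so
# the rules can be seen not to fire on them.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\FNTS~1\smss.exe
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {58E46400-9DF1-DC70-C90B-F8342038AFA9} - C:\WINDOWS\System32\tnxqn.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O4 - HKCU\..\Run: [Sovvx] C:\WINDOWS\System32\t?skmgr.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SCURIT~1\arpa.exe" -vt mt
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160873554078
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
"""

if __name__ == "__main__":
    for tier, line, reason in triage(SAMPLE_LOG):
        print(f"[{tier:6}] {reason}\n         {line}")
```

Run it as a script to see each flagged line with its reason. It is a triage aid, not a verdict: the `[Microsoft Services] svssshost.exe` entry, for instance, is a bare file name that only a lookup of the name catches, and Spybot's unnamed SDHelper.dll BHO would be listed for review and then kept, exactly as the analyst did above.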
10-18-2006, 06:21 PM   #3
Registered User
Join Date: Oct 2006
Posts: 7
OS: XP

Thanks a ton for helping with this issue. Between my original post and your reply, I did a little more work in cleaning the system up...but not much. The first scan, from Active AntiVirus, created a report that was almost 200,000 lines long so I didn't include all of that here. I did include the summaries though. I followed your directions and here are the logs:

***Start Active Anti Virus Shield Log (The full log was 160,00 lines)***
Scan My Computer
----------------
Scanned: 127574
Detected: 1
Untreated: 0
Start time: 10/18/2006 7:11:17 PM
Duration: 00:32:34
Finish time: 10/18/2006 7:43:51 PM


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.PurityScan.ak File: C:\RECYCLER\S-1-5-21-1060284298-682003330-725345543-1004\Dc1.old

Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archived Compressed Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ---------- ------------------ ---------
Total 127574 1 1 0 0 1219 175 147 3
System Memory 2950 0 0 0 0 2 5 0 0
Startup Objects 1707 0 0 0 0 1 8 0 0
System Restore 2 0 0 0 0 0 0 0 0
Mailboxes 0 0 0 0 0 0 0 0 0
All Hard Drives 122915 1 1 0 0 1216 162 147 3


Settings
--------
Name Value
---- -----
Security Level Recommended
Action Prompt for action when the scan is complete
File types All
Scan new and changed files only No
Scan archives All
Scan embedded OLE objects All
Skip if object is greater than No
Skip if scan takes longer than No
Parse e-mail formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Show detected threats on "Detected" tab Yes

***End Active Anti Virus Shield Log***


***Start Combo Fix Log****
M.L. Layman - 06-10-18 19:54:13.43 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\M.L. Layman\desktop"
Command switches used :: /v tmjvnc

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{C4726C7B-0AE6-1033-1002-020614020001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\M.L. Layman\Application Data\RACLE~1
C:\QooBox\Purity\Documents and Settings\M.L. Layman\My Documents\PPPATC~1
C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\SCURIT~1\SCURIT~1
C:\QooBox\Purity\Program Files\SSTEM~1\?ttrib_exe.vir
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\FNTS~1\F?nts
C:\QooBox\Purity\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-18 19:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-16 19:20 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2006-10-16 19:19 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2006-10-16 19:19 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-10-15 16:36 90,112 --------- C:\WINDOWS\Updreg.EXE
2006-10-15 16:36 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE
2006-10-15 16:36 24,576 --a------ C:\WINDOWS\system32\CTDevCRes.dll
2006-10-15 16:36 24,576 --a------ C:\WINDOWS\MIXERDEF.EXE
2006-10-15 16:36 20,480 --a------ C:\WINDOWS\INRES.DLL
2006-10-15 16:36 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2006-10-15 16:35 6,752 --------- C:\WINDOWS\system32\PFMODNT.SYS
2006-10-15 16:35 15,840 --------- C:\WINDOWS\system32\drivers\PFMODNT.SYS
2006-10-15 15:15 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-14 20:25 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-14 20:19 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-10-14 20:19 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-10-14 17:56 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2006-10-14 17:56 940,544 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2006-10-14 17:56 937,984 --------- C:\WINDOWS\system32\winbrand.dll
2006-10-14 17:56 9,216 --------- C:\WINDOWS\system32\proxycfg.exe
2006-10-14 17:56 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2006-10-14 17:56 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2006-10-14 17:56 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2006-10-14 17:56 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2006-10-14 17:56 81,920 --------- C:\WINDOWS\system32\ieencode.dll
2006-10-14 17:56 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2006-10-14 17:56 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2006-10-14 17:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-10-14 17:56 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2006-10-14 17:56 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2006-10-14 17:56 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2006-10-14 17:56 73,796 --------- C:\WINDOWS\system32\slserv.exe
2006-10-14 17:56 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2006-10-14 17:56 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2006-10-14 17:56 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-10-14 17:56 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2006-10-14 17:56 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2006-10-14 17:56 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2006-10-14 17:56 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2006-10-14 17:56 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2006-10-14 17:56 7,168 --------- C:\WINDOWS\system32\hccoin.dll
2006-10-14 17:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-10-14 17:56 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2006-10-14 17:56 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2006-10-14 17:56 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2006-10-14 17:56 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2006-10-14 17:56 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2006-10-14 17:56 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2006-10-14 17:56 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2006-10-14 17:56 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2006-10-14 17:56 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2006-10-14 17:56 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2006-10-14 17:56 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
2006-10-14 17:56 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2006-10-14 17:56 59,392 --------- C:\WINDOWS\system32\logman.exe
2006-10-14 17:56 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2006-10-14 17:56 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2006-10-14 17:56 537,088 --------- C:\WINDOWS\system32\msftedit.dll
2006-10-14 17:56 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2006-10-14 17:56 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2006-10-14 17:56 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2006-10-14 17:56 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2006-10-14 17:56 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2006-10-14 17:56 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2006-10-14 17:56 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2006-10-14 17:56 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2006-10-14 17:56 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2006-10-14 17:56 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys
2006-10-14 17:56 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2006-10-14 17:56 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
2006-10-14 17:56 44,032 --------- C:\WINDOWS\system32\twext.dll
2006-10-14 17:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2006-10-14 17:56 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2006-10-14 17:56 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2006-10-14 17:56 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys
2006-10-14 17:56 413,944 --a------ C:\WINDOWS\system32\wmspdmod.dll
2006-10-14 17:56 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys
2006-10-14 17:56 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2006-10-14 17:56 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2006-10-14 17:56 4,096 --------- C:\WINDOWS\system32\dsprpres.dll
2006-10-14 17:56 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2006-10-14 17:56 384,512 --------- C:\WINDOWS\system32\mp4sdmod.dll
2006-10-14 17:56 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2006-10-14 17:56 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2006-10-14 17:56 37,376 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2006-10-14 17:56 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2006-10-14 17:56 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2006-10-14 17:56 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2006-10-14 17:56 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2006-10-14 17:56 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2006-10-14 17:56 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2006-10-14 17:56 32,866 --------- C:\WINDOWS\slrundll.exe
2006-10-14 17:56 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2006-10-14 17:56 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2006-10-14 17:56 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2006-10-14 17:56 310,272 --------- C:\WINDOWS\system32\mp43dmod.dll
2006-10-14 17:56 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2006-10-14 17:56 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2006-10-14 17:56 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2006-10-14 17:56 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2006-10-14 17:56 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2006-10-14 17:56 3,901 --------- C:\WINDOWS\system32\drivers\siint5.dll
2006-10-14 17:56 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2006-10-14 17:56 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2006-10-14 17:56 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2006-10-14 17:56 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2006-10-14 17:56 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2006-10-14 17:56 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2006-10-14 17:56 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll
2006-10-14 17:56 29,056 --------- C:\WINDOWS\system32\drivers\ip6fw.sys
2006-10-14 17:56 286,792 --------- C:\WINDOWS\system32\slextspk.dll
2006-10-14 17:56 282,624 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-14 17:56 28,672 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2006-10-14 17:56 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2006-10-14 17:56 270,848 --------- C:\WINDOWS\system32\sbe.dll
2006-10-14 17:56 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2006-10-14 17:56 26,624 --------- C:\WINDOWS\system32\drivers\usbehci.sys
2006-10-14 17:56 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2006-10-14 17:56 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2006-10-14 17:56 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2006-10-14 17:56 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2006-10-14 17:56 25,088 --a------ C:\WINDOWS\system32\MsPMSNSv.dll
2006-10-14 17:56 24,576 --------- C:\WINDOWS\system32\httpapi.dll
2006-10-14 17:56 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-10-14 17:56 229,376 --------- C:\WINDOWS\system32\ati2cqag.dll
2006-10-14 17:56 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2006-10-14 17:56 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2006-10-14 17:56 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2006-10-14 17:56 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2006-10-14 17:56 201,728 --------- C:\WINDOWS\system32\ati2dvag.dll
2006-10-14 17:56 20,992 --------- C:\WINDOWS\system32\bthci.dll
2006-10-14 17:56 193,024 --------- C:\WINDOWS\system32\fsquirt.exe
2006-10-14 17:56 189,440 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-14 17:56 188,508 --------- C:\WINDOWS\system32\slgen.dll
2006-10-14 17:56 187,392 --------- C:\WINDOWS\system32\xpsp1res.dll
2006-10-14 17:56 186,368 --------- C:\WINDOWS\system32\encdec.dll
2006-10-14 17:56 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2006-10-14 17:56 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
2006-10-14 17:56 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2006-10-14 17:56 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2006-10-14 17:56 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
2006-10-14 17:56 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2006-10-14 17:56 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-10-14 17:56 159,232 --------- C:\WINDOWS\system32\sbeio.dll
2006-10-14 17:56 150,016 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-14 17:56 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2006-10-14 17:56 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys
2006-10-14 17:56 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2006-10-14 17:56 15,104 --------- C:\WINDOWS\system32\drivers\hidir.sys
2006-10-14 17:56 14,336 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2006-10-14 17:56 14,336 --------- C:\WINDOWS\system32\auditusr.exe
2006-10-14 17:56 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2006-10-14 17:56 135,168 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-14 17:56 134,656 --------- C:\WINDOWS\system32\mssap.dll
2006-10-14 17:56 13,824 --------- C:\WINDOWS\system32\wscntfy.exe
2006-10-14 17:56 13,824 --------- C:\WINDOWS\system32\drivers\atinttxx.sys
2006-10-14 17:56 13,824 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2006-10-14 17:56 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll
2006-10-14 17:56 13,776 --------- C:\WINDOWS\system32\drivers\recagent.sys
2006-10-14 17:56 13,568 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2006-10-14 17:56 13,240 --------- C:\WINDOWS\system32\drivers\slwdmsup.sys
2006-10-14 17:56 129,536 --------- C:\WINDOWS\system32\xmlprov.dll
2006-10-14 17:56 129,535 --------- C:\WINDOWS\system32\drivers\slnt7554.sys
2006-10-14 17:56 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-14 17:56 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys
2006-10-14 17:56 12,672 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2006-10-14 17:56 12,672 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2006-10-14 17:56 12,416 --------- C:\WINDOWS\system32\drivers\tunmp.sys
2006-10-14 17:56 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys
2006-10-14 17:56 118,784 --------- C:\WINDOWS\system32\msdadiag.dll
2006-10-14 17:56 116,224 --------- C:\WINDOWS\system32\p2p.dll
2006-10-14 17:56 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2006-10-14 17:56 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2006-10-14 17:56 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-10-14 17:56 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2006-10-14 17:56 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys
2006-10-14 17:56 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2006-10-14 17:56 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll
2006-10-14 17:56 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2006-10-14 17:56 11,136 --------- C:\WINDOWS\system32\drivers\sffdisk.sys
2006-10-14 17:56 108,032 --------- C:\WINDOWS\system32\wshbth.dll
2006-10-14 17:56 104,960 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys
2006-10-14 17:56 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys
2006-10-14 17:56 10,240 --------- C:\WINDOWS\system32\drivers\sffp_sd.sys
2006-10-14 17:56 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2006-10-14 17:56 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2006-10-14 17:56 1,309,184 --------- C:\WINDOWS\system32\drivers\mtlstrm.sys
2006-10-14 17:56 1,119,744 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-14 17:56 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2006-10-14 17:56 1,003,008 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-14 17:51 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2006-10-14 17:49 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-14 17:39 98,304 --a------ C:\WINDOWS\system32\nvrsja.dll
2006-10-14 17:39 86,016 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2006-10-14 17:39 86,016 --a------ C:\WINDOWS\system32\nvwrsit.dll
2006-10-14 17:39 86,016 --a------ C:\WINDOWS\system32\nvwrses.dll
2006-10-14 17:39 86,016 --a------ C:\WINDOWS\system32\nvwrsde.dll
2006-10-14 17:39 81,920 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2006-10-14 17:39 81,920 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2006-10-14 17:39 81,920 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2006-10-14 17:39 81,920 --a------ C:\WINDOWS\system32\nvrszht.dll
2006-10-14 17:39 81,920 --a------ C:\WINDOWS\system32\nvrszhc.dll
2006-10-14 17:39 77,824 --a------ C:\WINDOWS\system32\nvwrssv.dll
2006-10-14 17:39 77,824 --a------ C:\WINDOWS\system32\nvwrsno.dll
2006-10-14 17:39 77,824 --a------ C:\WINDOWS\system32\nvwrsda.dll
2006-10-14 17:39 77,824 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-14 17:39 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-10-14 17:39 57,600 --a------ C:\WINDOWS\system32\drivers\usbhub.sys
2006-10-14 17:39 57,344 --a------ C:\WINDOWS\system32\nvwrsja.dll
2006-10-14 17:39 53,248 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-10-14 17:39 45,056 --a------ C:\WINDOWS\system32\nvwrszht.dll
2006-10-14 17:39 45,056 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2006-10-14 17:39 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2006-10-14 17:39 4,841,472 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-14 17:39 3,902,603 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-14 17:39 3,850,240 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-14 17:39 3,328 --a------ C:\WINDOWS\system32\drivers\pciide.sys
2006-10-14 17:39 25,088 --a------ C:\WINDOWS\system32\drivers\pciidex.sys
2006-10-14 17:39 23,040 --a------ C:\WINDOWS\system32\IntelNic.dll
2006-10-14 17:39 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2006-10-14 17:39 142,976 --a------ C:\WINDOWS\system32\drivers\usbport.sys
2006-10-14 17:39 139,776 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2006-10-14 17:39 135,168 --a------ C:\WINDOWS\system32\nvrsit.dll
2006-10-14 17:39 135,168 --a------ C:\WINDOWS\system32\nvrses.dll
2006-10-14 17:39 131,072 --a------ C:\WINDOWS\system32\nvrsptb.dll
2006-10-14 17:39 131,072 --a------ C:\WINDOWS\system32\nvrsnl.dll
2006-10-14 17:39 131,072 --a------ C:\WINDOWS\system32\nvrsfr.dll
2006-10-14 17:39 131,072 --a------ C:\WINDOWS\system32\nvrsde.dll
2006-10-14 17:39 126,976 --a------ C:\WINDOWS\system32\nvrssv.dll
2006-10-14 17:39 126,976 --a------ C:\WINDOWS\system32\nvrsfi.dll
2006-10-14 17:39 126,976 --a------ C:\WINDOWS\system32\nvrsda.dll
2006-10-14 17:39 126,976 --a------ C:\WINDOWS\system32\nvinstnt.dll
2006-10-14 17:39 122,880 --a------ C:\WINDOWS\system32\nvrsno.dll
2006-10-14 17:39 1,341,339 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-10-14 17:38 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2006-10-14 17:38 68,224 --a------ C:\WINDOWS\system32\drivers\pci.sys
2006-10-14 17:38 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2006-10-14 17:38 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2006-10-14 17:38 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2006-10-14 17:38 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2006-10-14 17:37 2 --a------ C:\WINDOWS\system32\wtstr.exe
2006-09-30 20:52 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2006-09-30 20:52 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2006-09-21 13:50 0 --a------ C:\AUTOEXEC.BAT
2006-09-21 13:48 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-21 13:48 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-21 13:44 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-21 13:44 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-20 16:06 94,208 --------- C:\WINDOWS\system32\mclsp.dll
2006-09-19 11:16 916,955 --ahs---- C:\WINDOWS\system32\utvwa.bak2
2006-09-18 23:11 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-09-18 23:11 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-09-18 23:11 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-09-18 23:11 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-09-18 23:11 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-09-18 23:11 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-09-18 12:01 925,753 --ahs---- C:\WINDOWS\system32\utvwa.bak1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-18 19:54 -------- d-a------ C:\Program Files\Common Files
2006-10-18 19:52 -------- d-------- C:\Program Files\Grisoft
2006-10-18 19:07 61072 --a------ C:\WINDOWS\system32\drivers\klick.sys
2006-10-18 19:07 59536 --a------ C:\WINDOWS\system32\drivers\klin.sys
2006-10-18 19:00 -------- d-------- C:\Program Files\AOL
2006-10-18 18:58 -------- d---s---- C:\Documents and Settings\M.L. Layman\Application Data\Microsoft
2006-10-16 19:32 -------- d-------- C:\Program Files\America Online 9.0a
2006-10-16 19:21 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-16 19:21 -------- d-------- C:\Documents and Settings\M.L. Layman\Application Data\AOL
2006-10-16 19:20 -------- d-------- C:\Program Files\QuickTime
2006-10-16 19:20 -------- d-------- C:\Documents and Settings\M.L. Layman\Application Data\You've Got Pictures Screensaver
2006-10-16 19:19 -------- d-------- C:\Program Files\Common Files\AolCoach
2006-10-16 19:18 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-15 20:13 -------- d-------- C:\Program Files\palmOne
2006-10-15 16:43 -------- d-------- C:\Program Files\Viewpoint
2006-10-15 16:38 -------- d-------- C:\Program Files\Creative
2006-10-15 16:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-15 16:17 -------- d-------- C:\Program Files\Windows Defender
2006-10-15 15:32 -------- d-------- C:\Documents and Settings\M.L. Layman\Application Data\McAfee.com Personal Firewall
2006-10-15 11:36 -------- d-------- C:\Program Files\Internet Explorer
2006-10-15 09:28 -------- d-------- C:\Program Files\CleanUp!
2006-10-14 21:00 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-14 20:37 -------- d-------- C:\Program Files\Messenger
2006-10-14 20:32 -------- d-------- C:\Program Files\Windows Media Player
2006-10-14 20:32 -------- d-------- C:\Program Files\Outlook Express
2006-10-14 20:32 -------- d-------- C:\Program Files\Common Files\System
2006-10-14 19:07 -------- d-------- C:\Program Files\Microsoft Works
2006-10-14 18:22 -------- d-------- C:\Program Files\Java
2006-10-14 18:22 -------- d-------- C:\Documents and Settings\M.L. Layman\Application Data\Sun
2006-10-14 18:19 -------- d-------- C:\Program Files\Common Files\Java
2006-10-14 17:56 -------- d-------- C:\Program Files\Movie Maker
2006-10-14 17:53 -------- d-------- C:\Program Files\Windows NT
2006-10-14 17:53 -------- d-------- C:\Program Files\NetMeeting
2006-10-14 17:39 -------- d-------- C:\Program Files\Intel
2006-09-30 23:58 -------- d-------- C:\Program Files\Common Files\Services
2006-09-29 09:31 -------- d-------- C:\Program Files\America Online 9.0
2006-09-21 21:19 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-20 17:30 -------- d-------- C:\Program Files\MSXML 4.0
2006-09-18 22:34 -------- d-------- C:\Program Files\McAfee
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-11 09:30 96241 --ah----- C:\Documents and Settings\M.L. Layman\Application Data\ptads.bin
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"nwiz"="nwiz.exe /install"
"MPTBox"="C:\\Program Files\\Canon\\MultiPASS4\\MPTBox.exe"
"monitr32"="C:\\Program Files\\Canon\\MultiPASS4\\monitr32.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"BCMSMMSG"="BCMSMMSG.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1161040704\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061015-095128-998
O2 - BHO: (no name) - {CB1D77E9-60F2-474B-91BF-E6DE4790EEE7} - C:\WINDOWS\System32\nmcmjda.dll (file missing)
backup-20061015-095128-981
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
backup-20061015-095128-917
O2 - BHO: (no name) - {F5E9E504-4EFC-0F77-9A2D-7F2C718055A4} - C:\WINDOWS\System32\rdfkkcf.dll (file missing)
backup-20061015-095128-803
O2 - BHO: (no name) - {58E46400-9DF1-DC70-C90B-F8342038AFA9} - C:\WINDOWS\System32\tnxqn.dll (file missing)
backup-20061015-095128-327
O2 - BHO: (no name) - {9DC85BF5-F250-E8D9-3BC0-C47754093BA7} - C:\WINDOWS\System32\iixzlo.dll (file missing)
backup-20061015-095128-273
O2 - BHO: (no name) - {CB560B22-FADB-E852-E22A-CF979A046DA6} - C:\WINDOWS\System32\arcwwiy.dll (file missing)
backup-20061015-095128-252
O2 - BHO: (no name) - {F8DC8A09-25A1-3877-CF18-193A10585DF5} - C:\WINDOWS\System32\btyazg.dll (file missing)
backup-20061015-095128-757
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
backup-20061015-095018-705
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
backup-20061015-095018-374
R3 - URLSearchHook: (no name) - {BF353A58-879A-D339-E41A-FD7A90E35BB5} - C:\WINDOWS\System32\tmjvnc.dll
backup-20061015-095018-368
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061015-095018-239
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
backup-20061015-095018-417
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
backup-20061015-095018-506
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ML4485~1.LAY\LOCALS~1\Temp\sp.html
backup-20061015-094926-123
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
backup-20061015-094926-354
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
backup-20061015-094926-699
O20 - Winlogon Notify: winvhi32 - winvhi32.dll (file missing)
backup-20061015-094925-637
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-18 19:55:18.81
C:\ComboFix.txt ... 06-10-18 19:55

***End Combo Fix Log****

***AVG Anti Spyware Log***
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:29:21 PM 10/18/2006

+ Scan result:



C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Stephanie\Cookies\stephanie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : No action taken.


::Report end

***End AVG Anti Spyware Log***

***Start About Log***
AboutBuster 6.05
Scan started on [10/18/2006] at [8:31:07 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:32:06 PM


AboutBuster 6.05
Scan started on [10/18/2006] at [8:38:04 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:39:06 PM
***End About Log***


***Start Smit Fraud***
SmitFraudFix v2.110

Scan done at 20:35:08.20, Wed 10/18/2006
Run from C:\Documents and Settings\M.L. Layman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

***End Smit Fraud***

***Start Panda Log***

Incident Status Location

Adware:adware/powersearch Not disinfected c:\windows\system32\stlb2.xml
Adware:adware/24-7-search Not disinfected c:\windows\system32\unPPC.exe
Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@doubleclick[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\M.L. Layman\Cookies\m.l. layman@statse.webtrendslive[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\M.L. Layman\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\M.L. Layman\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
***End Panda Log****

***Start Hijack This Log***
Logfile of HijackThis v1.99.1
Scan saved at 9:04:19 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161040704\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160873554078
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
***End Hijack This Log***

Last edited by Darth Evader : 10-18-2006 at 06:22 PM.
Old 10-18-2006, 11:37 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 24,583
OS: 2000 Pro; XP Pro; XP Home


That looks much better, but due to a couple of factors, I can't yet be certain.

It appears as though this HJT log was taken from Safe mode. I need to see your latest log from normal mode, please, after taking care of this next item.

Also, I see you have msconfig enabled. This may prevent us from seeing everything running on your system. Please re-enable all startup items.

Go to Start>Run type or copy/paste msconfig and then press Enter.

Select Normal Startup - Load all Device Drivers and Services

Do NOT reboot your system when prompted.


Then, run a new scan with HJT, save the log and post it.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
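The two checks above (is selective startup via msconfig active, and was the log taken in Safe Mode) can be automated when reviewing HijackThis logs. The following Python parser is an added example written for this page; it is not code from the forum, from HijackThis, or from either participant. It reads the log text, splits out the "Running processes" block and the numbered O-entries, and reports three things: an O4 entry that launches MSConfig.exe (meaning disabled startup items are hidden from the log), O23 services whose binary is marked "(file missing)", and a Safe Mode heuristic that is my own assumption: if none of the O23 service binaries appears in the running-process list, the log was most likely taken in Safe Mode, where those services are not started. The sample log text is constructed from the line shapes seen in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a real scan): a Safe Mode style log with
# selective startup enabled and a service whose binary is missing.
SAFE_MODE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:27:09 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed normal-mode variant: the NVIDIA service binary is running
# and MSConfig is no longer in the Run key.
NORMAL_MODE_LOG = SAFE_MODE_LOG.replace(
    r"C:\HJT\HijackThis.exe", "C:\\WINDOWS\\system32\\nvsvc32.exe\nC:\\HJT\\HijackThis.exe"
).replace(
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" + "\n", ""
)

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in .exe inside an O23 entry (stops before args / "(file missing)").
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class HjtReport:
    processes: list = field(default_factory=list)   # full paths from "Running processes:"
    entries: dict = field(default_factory=dict)     # "O4" -> [entry text, ...]
    findings: list = field(default_factory=list)    # human-readable review notes


def parse_hjt(text):
    """Split a HijackThis log into its process list and its O-entries."""
    report = HjtReport()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:              # blank line ends the process block
                in_processes = False
            else:
                report.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.setdefault(m.group(1), []).append(m.group(2))
    return report


def service_binary(entry):
    """Return the executable path named in an O23 service entry, or None."""
    path_part = entry.rsplit(" - ", 1)[-1]          # text after the owner field
    m = EXE_RE.search(path_part)
    return m.group(1) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(report):
    """Attach review findings to a parsed report and return it."""
    running = {basename(p) for p in report.processes}
    for e in report.entries.get("O4", []):
        if re.search(r"\bmsconfig\.exe\b", e, re.IGNORECASE):
            report.findings.append(
                "O4: MSConfig.exe runs at startup - selective startup is active, "
                "so disabled items are not shown in this log")
    for e in report.entries.get("O23", []):
        if "(file missing)" in e:
            report.findings.append("O23: service points at a missing binary: " + e)
    service_bins = [b for b in map(service_binary, report.entries.get("O23", [])) if b]
    # Assumption (heuristic): in Safe Mode none of the listed services is started.
    if service_bins and not any(basename(b) in running for b in service_bins):
        report.findings.append(
            "No O23 service binary is running - log was probably taken in Safe Mode")
    return report


def review(text):
    """Convenience wrapper: parse, analyse and return the findings list."""
    return analyse(parse_hjt(text)).findings


if __name__ == "__main__":
    for note in review(SAFE_MODE_LOG):
        print(note)
```

Running the block prints the three findings for the constructed Safe Mode log; on the normal-mode variant only the "(file missing)" service remains, which is exactly the kind of leftover entry a helper would then ask about.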
Old 10-19-2006, 04:34 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 7
OS: XP


I've included two logs in this post...hope that doesn't mess anything up, but I thought it might save some time. Here is the log, still from SAFE MODE, but with MSCONFIG changed as you requested:

Logfile of HijackThis v1.99.1
Scan saved at 7:27:09 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161040704\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160873554078
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Here is the log after booting up in normal mode, with all startup items enabled:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:22 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\AOL\116104~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\116104~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkc