Popups, mainly from adssvr and firstadsolutions

Jespin · 05-24-2006, 12:46 PM

I keep getting 2 windows randomly popping up, usually from adssvr and firstadsolutions, but occasionally from heavy.com and others. Last night while playing FFIX I had 61 windows opened over a 4 hour period. My hijack this is below.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:26 AM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\nvraidservice.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\WINDOWS\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\sys0203371697-6.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Documents and Settings\Tim\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,anxfeqe.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [sys0203371697-6] D:\WINDOWS\sys0203371697-6.exe
O4 - HKLM\..\Run: [w7917a04.dll] RUNDLL32.EXE w7917a04.dll,I2 000dcc1d07917a04
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [newname] c:\\newname21.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [keyboard] c:\\keyboard21.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [SurfSideKick 3] D:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078
O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\gpjml3111.dll (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - D:\WINDOWS\alg.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

Jespin · 05-25-2006, 11:48 AM

bump.

tetonbob · 05-25-2006, 12:39 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download the file - combofix.zip
Within it, double-click on combofix.exe & follow the prompts given. Be patient.
Depending on the severity of your infection, it may reboot your machine 1-2 times.
When it's done, it shall produce a report which you should post back here.

Also post a new HJT log.

Jespin · 05-25-2006, 01:58 PM

Thanks a bunch for helping.

Here's the combo fix report:
Start Time= Thu 05/25/2006 12:51:48.14

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
= = = = = = = = = = = = = Ssk Remove's Log = = = = = = = = = = = = =
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

++++++++ PRE RUN FILES/FOLDERS ++++++++

D:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Ssk.log

++++++++ POST RUN FILES/FOLDERS ++++++++

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
= = = = = = = = = = = = = = Find3M Report = = = = = = = = = = = = = =
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

2006-05-24 01:07:30 ( .D... ) "D:\Program Files\Spybot - Search & Destroy"
2006-05-24 00:28:46 ( .D... ) "D:\Program Files\Mozilla Firefox"
2006-05-24 00:28:46 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Mozilla"
2006-05-23 13:11:14 ( .D... ) "D:\Program Files\PlayOnline"
2006-05-22 21:35:34 32,768 ( A.... ) "D:\WINDOWS\xhishnuh.exe"
2006-05-21 13:28:02 32,768 ( A.... ) "D:\WINDOWS\jhozgfmv.exe"
2006-05-21 13:22:00 32,768 ( A.... ) "D:\WINDOWS\acsylitb.exe"
2006-05-21 00:54:08 32,768 ( A.... ) "D:\WINDOWS\oukbhcvf.exe"
2006-05-21 00:45:08 32,768 ( A.... ) "D:\WINDOWS\sltsvyis.exe"
2006-05-20 12:40:52 32,768 ( A.... ) "D:\WINDOWS\xfyklmtl.exe"
2006-05-20 12:20:46 32,768 ( A.... ) "D:\WINDOWS\lbsmuyht.exe"
2006-05-18 15:57:54 183,296 ( A.S.. ) "D:\WINDOWS\NDNuninstall7_22.exe"
2006-05-18 12:36:06 32,768 ( A.... ) "D:\WINDOWS\znqjzliw.exe"
2006-05-18 12:25:18 ( .D... ) "D:\Program Files\Common Files\svchostsys"
2006-05-18 12:25:18 ( .D... ) "D:\Program Files\Common Files\simtest"
2006-05-18 12:25:18 ( .D... ) "D:\Program Files\Common Files\misc001"
2006-05-18 11:54:36 303,104 ( A.... ) "D:\WINDOWS\system32\WinNB57.dll"
2006-05-18 11:43:34 24,296 ( A.... ) "D:\WINDOWS\icont.exe"
2006-05-17 19:46:44 ( .D... ) "D:\Program Files\LD-Anime"
2006-05-17 11:23:38 579,888 ( A.... ) "D:\WINDOWS\system32\LegitCheckControl.dll"
2006-05-17 04:25:24 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Azureus"
2006-05-17 04:24:48 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Sun"
2006-05-17 04:24:08 ( .D... ) "D:\Program Files\Java"
2006-05-17 04:23:52 ( .D... ) "D:\Program Files\Common Files\Java"
2006-05-17 04:22:08 ( .D... ) "D:\Program Files\Azureus"
2006-05-14 09:32:36 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Help"
2006-05-14 09:25:48 ( .D... ) "D:\Documents and Settings\Tim\Application Data\AVG7"
2006-05-14 09:25:20 ( .D... ) "D:\Program Files\Grisoft"
2006-05-14 08:31:16 32,768 ( A.... ) "D:\WINDOWS\tmsoraia.exe"
2006-05-14 08:29:44 186,396 ( A.... ) "D:\WINDOWS\pf78ba.exe"
2006-05-14 08:29:44 174,666 ( A.... ) "D:\WINDOWS\pf78bb.exe"
2006-05-14 08:29:44 ( .D... ) "D:\Program Files\PECarlin"
2006-05-14 08:29:44 ( .D... ) "D:\Program Files\EQAdvice"
2006-05-14 08:29:26 8,464 ( A.... ) "D:\WINDOWS\system32\sporder.dll"
2006-05-14 08:29:08 2 ( A.... ) "D:\WINDOWS\system32\wapisvit.exe"
2006-05-14 08:29:08 ( .D... ) "D:\Program Files\Common Files\iwqm"
2006-05-14 08:29:04 139,264 ( A.... ) "D:\WINDOWS\sys0203371697-6.exe"
2006-05-14 08:29:00 232,749 ( A.... ) "D:\WINDOWS\pf78.exe"
2006-05-14 08:28:50 ( .D... ) "D:\Program Files\??sks"
2006-05-13 19:23:34 ( .D... ) "D:\Documents and Settings\Tim\Application Data\AdobeUM"
2006-05-08 12:47:58 139,264 ( A.... ) "D:\WINDOWS\system32\srcjowa.dll"
2006-05-07 17:04:40 ( .D... ) "D:\Program Files\Codemasters"
2006-05-05 17:42:46 871 ( A.... ) "D:\Documents and Settings\Tim\Application Data\AdobeDLM.log"
2006-05-05 17:42:46 0 ( A.... ) "D:\Documents and Settings\Tim\Application Data\dm.ini"
2006-05-05 17:42:46 ( .D... ) "D:\Program Files\Adobe"
2006-05-05 17:40:50 ( .D... ) "D:\Program Files\Common Files\Adobe"
2006-05-05 17:40:50 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Adobe"
2006-05-03 21:26:22 5,818,784 ( A.... ) "D:\WINDOWS\system32\MRT.exe"
2006-05-01 15:02:48 ( .D... ) "D:\Program Files\WinRAR"
2006-04-16 19:33:34 43,520 ( A.... ) "D:\WINDOWS\system32\CmdLineExt03.dll"
2006-04-16 19:31:34 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Leadertech"
2006-04-16 19:23:36 ( .D... ) "D:\Program Files\Firaxis Games"
2006-04-16 19:17:22 ( .D... ) "D:\Program Files\CyberLink"
2006-04-10 22:25:52 233,472 ( A.... ) "D:\WINDOWS\system32\wrap_oal.dll"
2006-04-10 22:25:52 81,920 ( A.... ) "D:\WINDOWS\system32\OpenAL32.dll"
2006-04-10 22:25:38 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Creative"
2006-04-10 22:23:00 ( .D... ) "D:\Program Files\Creative"
2006-04-10 13:00:30 144,688 ( ..... ) "D:\WINDOWS\system32\WgaLogon.dll"
2006-04-10 13:00:28 186,672 ( ..... ) "D:\WINDOWS\system32\WgaTray.exe"
2006-04-10 12:36:16 8,632 ( ..... ) "D:\WINDOWS\system32\spmsg.dll"
2006-04-05 00:00:16 ( .D... ) "D:\Documents and Settings\Tim\Application Data\acccore"
2006-04-04 23:59:44 ( .D... ) "D:\Program Files\Viewpoint"
2006-04-04 23:59:44 ( .D... ) "D:\Program Files\AOD"
2006-04-04 23:59:38 ( .D... ) "D:\Program Files\Common Files\Nullsoft"
2006-04-04 23:59:26 ( .D... ) "D:\Program Files\Common Files\AOL"
2006-04-04 23:59:16 ( .D... ) "D:\Program Files\AOL"
2006-03-30 02:16:04 1,492,480 ( A.... ) "D:\WINDOWS\system32\shdocvw.dll"
2006-03-29 18:00:14 16,384 ( A.... ) "D:\WINDOWS\system32\xpsp3res.dll"
2006-03-25 20:45:30 ( .D... ) "D:\Program Files\Bethesda Softworks"
2006-03-23 13:32:42 3,053,568 ( A.... ) "D:\WINDOWS\system32\mshtml.dll"
2006-03-18 04:09:38 613,376 ( A.... ) "D:\WINDOWS\system32\urlmon.dll"
2006-03-17 02:07:18 679,424 ( A.... ) "D:\WINDOWS\system32\inetcomm.dll"
2006-03-16 21:03:54 8,452,096 ( A.... ) "D:\WINDOWS\system32\shell32.dll"
2006-03-16 17:38:02 28,672 ( ..... ) "D:\WINDOWS\system32\verclsid.exe"
2006-03-10 06:09:14 5,533,696 ( A.... ) "D:\WINDOWS\system32\wmp.dll"
2006-03-09 17:59:32 180,224 ( A.... ) "D:\WINDOWS\system32\NVUNINST.EXE"
2006-03-09 15:29:00 7,561,216 ( A.... ) "D:\WINDOWS\system32\nvcpl.dll"
2006-03-09 15:29:00 5,419,008 ( A.... ) "D:\WINDOWS\system32\nvoglnt.dll"
2006-03-09 15:29:00 3,968,512 ( A.... ) "D:\WINDOWS\system32\nv4_disp.dll"
2006-03-09 15:29:00 1,662,976 ( A.... ) "D:\WINDOWS\system32\nvwdmcpl.dll"
2006-03-09 15:29:00 1,519,616 ( A.... ) "D:\WINDOWS\system32\nwiz.exe"
2006-03-09 15:29:00 1,466,368 ( A.... ) "D:\WINDOWS\system32\nview.dll"
2006-03-09 15:29:00 1,339,392 ( A.... ) "D:\WINDOWS\system32\nvdspsch.exe"
2006-03-09 15:29:00 1,019,904 ( A.... ) "D:\WINDOWS\system32\nvwimg.dll"
2006-03-09 15:29:00 573,440 ( A.... ) "D:\WINDOWS\system32\nvhwvid.dll"
2006-03-09 15:29:00 466,944 ( A.... ) "D:\WINDOWS\system32\nvshell.dll"
2006-03-09 15:29:00 442,368 ( A.... ) "D:\WINDOWS\system32\nvappbar.exe"
2006-03-09 15:29:00 425,984 ( A.... ) "D:\WINDOWS\system32\keystone.exe"
2006-03-09 15:29:00 286,720 ( A.... ) "D:\WINDOWS\system32\nvnt4cpl.dll"
2006-03-09 15:29:00 229,376 ( A.... ) "D:\WINDOWS\system32\nvmccs.dll"
2006-03-09 15:29:00 180,224 ( A.... ) "D:\WINDOWS\system32\nvudisp.exe"
2006-03-09 15:29:00 147,456 ( A.... ) "D:\WINDOWS\system32\nvcolor.exe"
2006-03-09 15:29:00 143,436 ( A.... ) "D:\WINDOWS\system32\nvsvc32.exe"
2006-03-09 15:29:00 98,304 ( A.... ) "D:\WINDOWS\system32\nvapi.dll"
2006-03-09 15:29:00 86,016 ( A.... ) "D:\WINDOWS\system32\nvmctray.dll"
2006-03-09 15:29:00 81,920 ( A.... ) "D:\WINDOWS\system32\nvwddi.dll"
2006-03-09 15:29:00 45,056 ( A.... ) "D:\WINDOWS\system32\nvmccsrs.dll"
2006-03-09 15:29:00 35,840 ( A.... ) "D:\WINDOWS\system32\nvcodins.dll"
2006-03-09 15:29:00 35,840 ( A.... ) "D:\WINDOWS\system32\nvcod.dll"
2006-03-03 20:33:46 658,432 ( A.... ) "D:\WINDOWS\system32\wininet.dll"
2006-03-03 20:33:44 532,480 ( A.... ) "D:\WINDOWS\system32\mstime.dll"
2006-03-03 20:33:44 474,112 ( A.... ) "D:\WINDOWS\system32\shlwapi.dll"
2006-03-03 20:33:44 448,512 ( A.... ) "D:\WINDOWS\system32\mshtmled.dll"
2006-03-03 20:33:44 146,432 ( A.... ) "D:\WINDOWS\system32\msrating.dll"
2006-03-03 20:33:44 39,424 ( A.... ) "D:\WINDOWS\system32\pngfilt.dll"
2006-03-03 20:33:42 1,054,208 ( A.... ) "D:\WINDOWS\system32\danim.dll"
2006-03-03 20:33:42 251,392 ( A.... ) "D:\WINDOWS\system32\iepeers.dll"
2006-03-03 20:33:42 205,312 ( A.... ) "D:\WINDOWS\system32\dxtrans.dll"
2006-03-03 20:33:42 96,256 ( A.... ) "D:\WINDOWS\system32\inseng.dll"
2006-03-03 20:33:42 55,808 ( ..... ) "D:\WINDOWS\system32\extmgr.dll"
2006-03-03 20:33:40 1,022,976 ( A.... ) "D:\WINDOWS\system32\browseui.dll"
2006-03-03 20:33:40 151,040 ( A.... ) "D:\WINDOWS\system32\cdfview.dll"
2006-03-01 12:42:42 956,416 ( A.... ) "D:\WINDOWS\system32\msdtctm.dll"
2006-03-01 12:42:42 426,496 ( A.... ) "D:\WINDOWS\system32\msdtcprx.dll"
2006-03-01 12:42:42 161,280 ( A.... ) "D:\WINDOWS\system32\msdtcuiu.dll"
2006-03-01 12:42:42 91,136 ( A.... ) "D:\WINDOWS\system32\mtxoci.dll"
2006-03-01 12:42:42 66,560 ( A.... ) "D:\WINDOWS\system32\mtxclu.dll"
2006-03-01 12:42:42 11,776 ( A.... ) "D:\WINDOWS\system32\xolehlp.dll"

ComboFix ver 06.05.16
Completion time: Thu 05/25/2006 12:55:15.48
This logfile is located at D:\COMBOFIX.txt

Jespin · 05-25-2006, 02:00 PM

And here's the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:58:42 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\nvraidservice.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\WINDOWS\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\sys0203371697-6.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Messenger\MSMSGS.EXE
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Tim\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,anxfeqe.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [sys0203371697-6] D:\WINDOWS\sys0203371697-6.exe
O4 - HKLM\..\Run: [w7917a04.dll] RUNDLL32.EXE w7917a04.dll,I2 000dcc1d07917a04
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [newname] c:\\newname21.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [keyboard] c:\\keyboard21.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078
O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\gpjml3111.dll (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - D:\WINDOWS\alg.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

tetonbob · 05-25-2006, 06:31 PM

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Launch Notepad, and copy/paste the box below into a new text file. Save it as "FindFile.bat" (include the quotes) and save it on your Desktop.

Code:

dir "D:\Program Files\??sks" > /a h > files.txt 
notepad files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

---------------------------------------------------------------------------------------------

Please download Ewido Anti-Malware

Install ewido anti-malware
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Please download Brute Force Uninstaller to your desktop.

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

NewDotNet
Viewpoint Manager

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click [b]Fix Checked:

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,anxfeqe. exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sys0203371697-6] D:\WINDOWS\sys0203371697-6.exe
O4 - HKLM\..\Run: [w7917a04.dll] RUNDLL32.EXE w7917a04.dll,I2 000dcc1d07917a04
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\gpjml3111.dll (file missing)

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following Files/Folders if they exist:

D:\WINDOWS\system32\anxfeqe. exe
D:\WINDOWS\xhishnuh.exe
D:\WINDOWS\jhozgfmv.exe
D:\WINDOWS\acsylitb.exe
D:\WINDOWS\oukbhcvf.exe
D:\WINDOWS\sltsvyis.exe
D:\WINDOWS\xfyklmtl.exe
D:\WINDOWS\lbsmuyht.exe
D:\Program Files\Viewpoint
D:\Program Files\NewDotNet
w7917a04.dll<<<Find via Start>Search
D:\WINDOWS\NDNuninstall7_22.exe
D:\WINDOWS\znqjzliw.exe
D:\WINDOWS\system32\WinNB57.dll
D:\WINDOWS\icont.exe
D:\WINDOWS\pf78ba.exe
D:\WINDOWS\pf78bb.exe
D:\Program Files\PECarlin
D:\WINDOWS\system32\wapisvit.exe
D:\WINDOWS\sys0203371697-6.exe
D:\WINDOWS\pf78.exe

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Open Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

findfiles
Ewido
Panda
HJT

Jespin · 05-25-2006, 11:41 PM

I've done everything you said but I was unable to remove D:\WINDOWS\system32\wapisvit.exe because it was in use.

Volume in drive D has no label.
Volume Serial Number is FCCE-C47B

Directory of D:\Program Files

05/14/2006 08:28 AM <DIR> ??sks
0 File(s) 0 bytes

Directory of D:\Documents and Settings\Tim\Desktop

Directory of D:\Documents and Settings\Tim\Desktop

Directory of D:\Documents and Settings\Tim\Desktop

05/25/2006 05:48 PM 0 files.txt
1 File(s) 0 bytes
0 Dir(s) 30,339,117,056 bytes free

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:50:55 PM, 5/25/2006
+ Report-Checksum: 3EC90B7D

+ Scan result:

D:\Documents and Settings\LocalService\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup
D:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
D:\Program Files\EQAdvice\EQAdvice.exe -> Adware.CASClient : Cleaned with backup
D:\Program Files\Таsks\SKS~1\!update-3820.0000 -> Downloader.PurityScan.cl : Cleaned with backup
D:\Program Files\Таsks\spoolsv.exe -> Downloader.PurityScan.cl : Cleaned with backup
D:\WINDOWS\876056.exe -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
D:\WINDOWS\system32\srcjowa.dll -> Adware.PurityScan : Cleaned with backup
D:\WINDOWS\system32\ѕymbols\wυauclt.exe -> Adware.PurityScan : Cleaned with backup

::Report End

Incident Status Location

Adware:adware/commad Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[VerifierBug.class]
Virus:Trj/Ranky.LG Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[javautil.zip]
Virus:Trj/Clicker.QE Disinfected D:\Program Files\Common Files\simtest\sysstall.exe
Adware:Adware/CommAd Not disinfected D:\WINDOWS\dGlt\x35Q.vbs

Jespin · 05-25-2006, 11:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:33:38 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\nvraidservice.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
D:\WINDOWS\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Documents and Settings\Tim\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - D:\WINDOWS\alg.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

tetonbob · 05-26-2006, 08:12 AM

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

@echo off
sc config start= disabled AppLayerGatewayMgr
sc stop AppLayerGatewayMgr
sc delete AppLayerGatewayMgr
exit

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

---------------------------------------------------------------------------------

Double click on HijackThis.exe to run it.
Click on Open the Misc Tools section
click the button labelled "Delete A File on Reboot..."
In the dialogue that shows up, enter the path (type, or copy and paste) of the file in "file name:" field D:\WINDOWS\system32\wapisvit.exe
When you have selected the file, Click the "Open" Button
Click Click No at the next prompt
Do that for the following files also.

D:\WINDOWS\alg.exe
When you get to the last one, click Yes when HJT asks you to reboot.

---------------------------------------------------------------------------------

Delete these folders:

D:\WINDOWS\dGlt
D:\Program Files\??sks<<<Appears to be Tasks, created on 05/14/2006 08:28 AM Right click on the folder, and select Properties to be sure

If they resist deletion, boot to safe mode and delete from there.

---------------------------------------------------------------------------------

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
  Downloaded Applications
  Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

How is your system behaving, please?

Jespin · 05-26-2006, 07:23 PM

I haven't done the steps above yet, but my system is behaving fine so far. No more pop-ups.

tetonbob · 05-26-2006, 07:33 PM

That's encouraging, Jespin.

Please be sure to complete all the steps and post the new logs to ensure we've gotten all the nasties.

Jespin · 05-26-2006, 08:58 PM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, May 26, 2006 7:57:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/05/2006
Kaspersky Anti-Virus database records: 196609
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 80278
Number of viruses found: 23
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 01:07:26

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026099.pif Infected: Trojan-Downloader.Win32.Adload.bm skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026103.exe Infected: Trojan-Downloader.Win32.Adload.bm skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026105.pif Infected: Trojan-Downloader.Win32.Adload.bm skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026109.pif Infected: Trojan-Downloader.Win32.Adload.bm skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026110.exe Infected: Trojan-Downloader.Win32.Adload.bm skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026112.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026590.exe Infected: not-a-virus:AdWare.Win32.SmartLoad.c skipped
C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026598.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Program Files\BitTorrent\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\Program Files\BitTorrent\uninstall.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026008.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026010.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026014.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026084.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026085.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026086.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026089.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe CAB: infected - 5 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026295.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026296.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026297.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026301.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026312.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026324.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026325.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011 Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002 Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe NSIS: infected - 8 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026331.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026332.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP200\A0026481.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP200\A0026483.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP200\A0026484.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026585.exe Infected: Trojan-Downloader.Win32.VB.nw skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026608.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026610.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026611.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026612.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.k skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026612.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026613.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.l skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026613.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026614.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe NSIS: infected - 4 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026639.exe Infected: not-a-virus:AdWare.Win32.CASClient.l skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe RarSFX: infected - 6 skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026643.exe Infected: not-a-virus:AdWare.Win32.CASClient.k skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026645.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026646.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026647.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dv skipped

Scan process completed.

Jespin · 05-26-2006, 08:59 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:58:58 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\nvraidservice.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
D:\WINDOWS\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Documents and Settings\Tim\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

tetonbob · 05-26-2006, 09:33 PM

Good job.

My favorite part now....

Those Kaspersky finds are in System Restore and will be removed when we flush the old Restore Points and create a new clean one shortly.

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software
IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- Download IE-SpyAD - Extract the contents to a new folder
  From within the folder, double-click install.bat
  Select Option #2 - Install the new IE-SPYAD list.
  Then return to the main menu.
  Select option #4 - Add the old porn sites domain
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial

Here are two very good free Antivirus products which are available:
Avast!
AVG

If you do not have a firewall, here are 4 free ones available for personal use:

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Jespin · 05-27-2006, 08:10 AM

Thank you so much for everything you've done.

05-24-2006, 12:46 PM	#1 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	Popups, mainly from adssvr and firstadsolutions I keep getting 2 windows randomly popping up, usually from adssvr and firstadsolutions, but occasionally from heavy.com and others. Last night while playing FFIX I had 61 windows opened over a 4 hour period. My hijack this is below. Logfile of HijackThis v1.99.1 Scan saved at 11:43:26 AM, on 5/24/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\spoolsv.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe D:\WINDOWS\system32\CTsvcCDA.EXE D:\WINDOWS\system32\nvsvc32.exe D:\WINDOWS\System32\nvraidservice.exe D:\WINDOWS\system32\RUNDLL32.EXE D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe D:\WINDOWS\CTHELPER.EXE D:\WINDOWS\system32\CTXFIHLP.EXE D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\WINDOWS\sys0203371697-6.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe D:\WINDOWS\SYSTEM32\CTXFISPI.EXE D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe D:\WINDOWS\System32\wbem\unsecapp.exe D:\PROGRA~1\MOZILL~1\FIREFOX.EXE D:\Documents and Settings\Tim\Desktop\HijackThis.exe F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,anxfeqe.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [sys0203371697-6] D:\WINDOWS\sys0203371697-6.exe O4 - HKLM\..\Run: [w7917a04.dll] RUNDLL32.EXE w7917a04.dll,I2 000dcc1d07917a04 O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [newname] c:\\newname21.exe O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s O4 - HKLM\..\Run: [keyboard] c:\\keyboard21.exe O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB O4 - HKCU\..\Run: [SurfSideKick 3] D:\Program Files\SurfSideKick 3\Ssk.exe O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078 O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\gpjml3111.dll (file missing) O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - D:\WINDOWS\alg.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

05-25-2006, 12:39 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download the file - combofix.zip Within it, double-click on combofix.exe & follow the prompts given. Be patient. Depending on the severity of your infection, it may reboot your machine 1-2 times. When it's done, it shall produce a report which you should post back here. Also post a new HJT log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-25-2006, 06:31 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Launch Notepad, and copy/paste the box below into a new text file. Save it as "FindFile.bat" (include the quotes) and save it on your Desktop. Code: dir "D:\Program Files\??sks" > /a h > files.txt notepad files.txt Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here. --------------------------------------------------------------------------------------------- Please download Ewido Anti-Malware Install ewido anti-malware When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido The program will now open to the main screen. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. (the status bar at the bottom will display ("Update successful") Exit Ewido, do not run the scan yet! If you are having problems with the updater, you can use this link to manually update ewido. ewido manual updates Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! Download and install CleanUp! NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe --------------------------------------------------------------------------------------------- Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: NewDotNet Viewpoint Manager --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click [b]Fix Checked: F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,anxfeqe. exe O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [sys0203371697-6] D:\WINDOWS\sys0203371697-6.exe O4 - HKLM\..\Run: [w7917a04.dll] RUNDLL32.EXE w7917a04.dll,I2 000dcc1d07917a04 O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\gpjml3111.dll (file missing) --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following Files/Folders if they exist: D:\WINDOWS\system32\anxfeqe. exe D:\WINDOWS\xhishnuh.exe D:\WINDOWS\jhozgfmv.exe D:\WINDOWS\acsylitb.exe D:\WINDOWS\oukbhcvf.exe D:\WINDOWS\sltsvyis.exe D:\WINDOWS\xfyklmtl.exe D:\WINDOWS\lbsmuyht.exe D:\Program Files\Viewpoint D:\Program Files\NewDotNet w7917a04.dll<<<Find via Start>Search D:\WINDOWS\NDNuninstall7_22.exe D:\WINDOWS\znqjzliw.exe D:\WINDOWS\system32\WinNB57.dll D:\WINDOWS\icont.exe D:\WINDOWS\pf78ba.exe D:\WINDOWS\pf78bb.exe D:\Program Files\PECarlin D:\WINDOWS\system32\wapisvit.exe D:\WINDOWS\sys0203371697-6.exe D:\WINDOWS\pf78.exe --------------------------------------------------------------------------------------------- Run Cleanup! using the following configuration: Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------------------------------------------------------------------------- Open Ewido: Click on scanner Click on Complete System Scan and the scan will begin. You will be prompted to clean the first infection. Select "Perform action on all infections", then proceed. Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report. Save the report .txt file to your desktop or a location where you can find it easily. Close ewido anti-malware. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it. Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows. --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please return with results from: findfiles Ewido Panda HJT __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 05-25-2006 at 06:34 PM.

05-26-2006, 08:12 AM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad: @echo off sc config start= disabled AppLayerGatewayMgr sc stop AppLayerGatewayMgr sc delete AppLayerGatewayMgr exit Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it. --------------------------------------------------------------------------------- Double click on HijackThis.exe to run it. Click on Open the Misc Tools section click the button labelled "Delete A File on Reboot..." In the dialogue that shows up, enter the path (type, or copy and paste) of the file in "file name:" field D:\WINDOWS\system32\wapisvit.exe When you have selected the file, Click the "Open" Button Click Click No at the next prompt Do that for the following files also. D:\WINDOWS\alg.exe When you get to the last one, click Yes when HJT asks you to reboot. --------------------------------------------------------------------------------- Delete these folders: D:\WINDOWS\dGlt D:\Program Files\??sks<<<Appears to be Tasks, created on 05/14/2006 08:28 AM Right click on the folder, and select Properties to be sure If they resist deletion, boot to safe mode and delete from there. --------------------------------------------------------------------------------- See this page for instructions on how to clear java's cache. Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------- Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- How is your system behaving, please? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-26-2006, 07:33 PM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	That's encouraging, Jespin. Please be sure to complete all the steps and post the new logs to ensure we've gotten all the nasties. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-25-2006, 11:48 AM	#2 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	bump.

05-25-2006, 01:58 PM	#4 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	Thanks a bunch for helping. Here's the combo fix report: Start Time= Thu 05/25/2006 12:51:48.14 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ = = = = = = = = = = = = = Ssk Remove's Log = = = = = = = = = = = = = @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ++++++++ PRE RUN FILES/FOLDERS ++++++++ D:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Ssk.log ++++++++ POST RUN FILES/FOLDERS ++++++++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ = = = = = = = = = = = = = = Find3M Report = = = = = = = = = = = = = = @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 2006-05-24 01:07:30 ( .D... ) "D:\Program Files\Spybot - Search & Destroy" 2006-05-24 00:28:46 ( .D... ) "D:\Program Files\Mozilla Firefox" 2006-05-24 00:28:46 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Mozilla" 2006-05-23 13:11:14 ( .D... ) "D:\Program Files\PlayOnline" 2006-05-22 21:35:34 32,768 ( A.... ) "D:\WINDOWS\xhishnuh.exe" 2006-05-21 13:28:02 32,768 ( A.... ) "D:\WINDOWS\jhozgfmv.exe" 2006-05-21 13:22:00 32,768 ( A.... ) "D:\WINDOWS\acsylitb.exe" 2006-05-21 00:54:08 32,768 ( A.... ) "D:\WINDOWS\oukbhcvf.exe" 2006-05-21 00:45:08 32,768 ( A.... ) "D:\WINDOWS\sltsvyis.exe" 2006-05-20 12:40:52 32,768 ( A.... ) "D:\WINDOWS\xfyklmtl.exe" 2006-05-20 12:20:46 32,768 ( A.... ) "D:\WINDOWS\lbsmuyht.exe" 2006-05-18 15:57:54 183,296 ( A.S.. ) "D:\WINDOWS\NDNuninstall7_22.exe" 2006-05-18 12:36:06 32,768 ( A.... ) "D:\WINDOWS\znqjzliw.exe" 2006-05-18 12:25:18 ( .D... ) "D:\Program Files\Common Files\svchostsys" 2006-05-18 12:25:18 ( .D... ) "D:\Program Files\Common Files\simtest" 2006-05-18 12:25:18 ( .D... ) "D:\Program Files\Common Files\misc001" 2006-05-18 11:54:36 303,104 ( A.... ) "D:\WINDOWS\system32\WinNB57.dll" 2006-05-18 11:43:34 24,296 ( A.... ) "D:\WINDOWS\icont.exe" 2006-05-17 19:46:44 ( .D... ) "D:\Program Files\LD-Anime" 2006-05-17 11:23:38 579,888 ( A.... ) "D:\WINDOWS\system32\LegitCheckControl.dll" 2006-05-17 04:25:24 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Azureus" 2006-05-17 04:24:48 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Sun" 2006-05-17 04:24:08 ( .D... ) "D:\Program Files\Java" 2006-05-17 04:23:52 ( .D... ) "D:\Program Files\Common Files\Java" 2006-05-17 04:22:08 ( .D... ) "D:\Program Files\Azureus" 2006-05-14 09:32:36 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Help" 2006-05-14 09:25:48 ( .D... ) "D:\Documents and Settings\Tim\Application Data\AVG7" 2006-05-14 09:25:20 ( .D... ) "D:\Program Files\Grisoft" 2006-05-14 08:31:16 32,768 ( A.... ) "D:\WINDOWS\tmsoraia.exe" 2006-05-14 08:29:44 186,396 ( A.... ) "D:\WINDOWS\pf78ba.exe" 2006-05-14 08:29:44 174,666 ( A.... ) "D:\WINDOWS\pf78bb.exe" 2006-05-14 08:29:44 ( .D... ) "D:\Program Files\PECarlin" 2006-05-14 08:29:44 ( .D... ) "D:\Program Files\EQAdvice" 2006-05-14 08:29:26 8,464 ( A.... ) "D:\WINDOWS\system32\sporder.dll" 2006-05-14 08:29:08 2 ( A.... ) "D:\WINDOWS\system32\wapisvit.exe" 2006-05-14 08:29:08 ( .D... ) "D:\Program Files\Common Files\iwqm" 2006-05-14 08:29:04 139,264 ( A.... ) "D:\WINDOWS\sys0203371697-6.exe" 2006-05-14 08:29:00 232,749 ( A.... ) "D:\WINDOWS\pf78.exe" 2006-05-14 08:28:50 ( .D... ) "D:\Program Files\??sks" 2006-05-13 19:23:34 ( .D... ) "D:\Documents and Settings\Tim\Application Data\AdobeUM" 2006-05-08 12:47:58 139,264 ( A.... ) "D:\WINDOWS\system32\srcjowa.dll" 2006-05-07 17:04:40 ( .D... ) "D:\Program Files\Codemasters" 2006-05-05 17:42:46 871 ( A.... ) "D:\Documents and Settings\Tim\Application Data\AdobeDLM.log" 2006-05-05 17:42:46 0 ( A.... ) "D:\Documents and Settings\Tim\Application Data\dm.ini" 2006-05-05 17:42:46 ( .D... ) "D:\Program Files\Adobe" 2006-05-05 17:40:50 ( .D... ) "D:\Program Files\Common Files\Adobe" 2006-05-05 17:40:50 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Adobe" 2006-05-03 21:26:22 5,818,784 ( A.... ) "D:\WINDOWS\system32\MRT.exe" 2006-05-01 15:02:48 ( .D... ) "D:\Program Files\WinRAR" 2006-04-16 19:33:34 43,520 ( A.... ) "D:\WINDOWS\system32\CmdLineExt03.dll" 2006-04-16 19:31:34 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Leadertech" 2006-04-16 19:23:36 ( .D... ) "D:\Program Files\Firaxis Games" 2006-04-16 19:17:22 ( .D... ) "D:\Program Files\CyberLink" 2006-04-10 22:25:52 233,472 ( A.... ) "D:\WINDOWS\system32\wrap_oal.dll" 2006-04-10 22:25:52 81,920 ( A.... ) "D:\WINDOWS\system32\OpenAL32.dll" 2006-04-10 22:25:38 ( .D... ) "D:\Documents and Settings\Tim\Application Data\Creative" 2006-04-10 22:23:00 ( .D... ) "D:\Program Files\Creative" 2006-04-10 13:00:30 144,688 ( ..... ) "D:\WINDOWS\system32\WgaLogon.dll" 2006-04-10 13:00:28 186,672 ( ..... ) "D:\WINDOWS\system32\WgaTray.exe" 2006-04-10 12:36:16 8,632 ( ..... ) "D:\WINDOWS\system32\spmsg.dll" 2006-04-05 00:00:16 ( .D... ) "D:\Documents and Settings\Tim\Application Data\acccore" 2006-04-04 23:59:44 ( .D... ) "D:\Program Files\Viewpoint" 2006-04-04 23:59:44 ( .D... ) "D:\Program Files\AOD" 2006-04-04 23:59:38 ( .D... ) "D:\Program Files\Common Files\Nullsoft" 2006-04-04 23:59:26 ( .D... ) "D:\Program Files\Common Files\AOL" 2006-04-04 23:59:16 ( .D... ) "D:\Program Files\AOL" 2006-03-30 02:16:04 1,492,480 ( A.... ) "D:\WINDOWS\system32\shdocvw.dll" 2006-03-29 18:00:14 16,384 ( A.... ) "D:\WINDOWS\system32\xpsp3res.dll" 2006-03-25 20:45:30 ( .D... ) "D:\Program Files\Bethesda Softworks" 2006-03-23 13:32:42 3,053,568 ( A.... ) "D:\WINDOWS\system32\mshtml.dll" 2006-03-18 04:09:38 613,376 ( A.... ) "D:\WINDOWS\system32\urlmon.dll" 2006-03-17 02:07:18 679,424 ( A.... ) "D:\WINDOWS\system32\inetcomm.dll" 2006-03-16 21:03:54 8,452,096 ( A.... ) "D:\WINDOWS\system32\shell32.dll" 2006-03-16 17:38:02 28,672 ( ..... ) "D:\WINDOWS\system32\verclsid.exe" 2006-03-10 06:09:14 5,533,696 ( A.... ) "D:\WINDOWS\system32\wmp.dll" 2006-03-09 17:59:32 180,224 ( A.... ) "D:\WINDOWS\system32\NVUNINST.EXE" 2006-03-09 15:29:00 7,561,216 ( A.... ) "D:\WINDOWS\system32\nvcpl.dll" 2006-03-09 15:29:00 5,419,008 ( A.... ) "D:\WINDOWS\system32\nvoglnt.dll" 2006-03-09 15:29:00 3,968,512 ( A.... ) "D:\WINDOWS\system32\nv4_disp.dll" 2006-03-09 15:29:00 1,662,976 ( A.... ) "D:\WINDOWS\system32\nvwdmcpl.dll" 2006-03-09 15:29:00 1,519,616 ( A.... ) "D:\WINDOWS\system32\nwiz.exe" 2006-03-09 15:29:00 1,466,368 ( A.... ) "D:\WINDOWS\system32\nview.dll" 2006-03-09 15:29:00 1,339,392 ( A.... ) "D:\WINDOWS\system32\nvdspsch.exe" 2006-03-09 15:29:00 1,019,904 ( A.... ) "D:\WINDOWS\system32\nvwimg.dll" 2006-03-09 15:29:00 573,440 ( A.... ) "D:\WINDOWS\system32\nvhwvid.dll" 2006-03-09 15:29:00 466,944 ( A.... ) "D:\WINDOWS\system32\nvshell.dll" 2006-03-09 15:29:00 442,368 ( A.... ) "D:\WINDOWS\system32\nvappbar.exe" 2006-03-09 15:29:00 425,984 ( A.... ) "D:\WINDOWS\system32\keystone.exe" 2006-03-09 15:29:00 286,720 ( A.... ) "D:\WINDOWS\system32\nvnt4cpl.dll" 2006-03-09 15:29:00 229,376 ( A.... ) "D:\WINDOWS\system32\nvmccs.dll" 2006-03-09 15:29:00 180,224 ( A.... ) "D:\WINDOWS\system32\nvudisp.exe" 2006-03-09 15:29:00 147,456 ( A.... ) "D:\WINDOWS\system32\nvcolor.exe" 2006-03-09 15:29:00 143,436 ( A.... ) "D:\WINDOWS\system32\nvsvc32.exe" 2006-03-09 15:29:00 98,304 ( A.... ) "D:\WINDOWS\system32\nvapi.dll" 2006-03-09 15:29:00 86,016 ( A.... ) "D:\WINDOWS\system32\nvmctray.dll" 2006-03-09 15:29:00 81,920 ( A.... ) "D:\WINDOWS\system32\nvwddi.dll" 2006-03-09 15:29:00 45,056 ( A.... ) "D:\WINDOWS\system32\nvmccsrs.dll" 2006-03-09 15:29:00 35,840 ( A.... ) "D:\WINDOWS\system32\nvcodins.dll" 2006-03-09 15:29:00 35,840 ( A.... ) "D:\WINDOWS\system32\nvcod.dll" 2006-03-03 20:33:46 658,432 ( A.... ) "D:\WINDOWS\system32\wininet.dll" 2006-03-03 20:33:44 532,480 ( A.... ) "D:\WINDOWS\system32\mstime.dll" 2006-03-03 20:33:44 474,112 ( A.... ) "D:\WINDOWS\system32\shlwapi.dll" 2006-03-03 20:33:44 448,512 ( A.... ) "D:\WINDOWS\system32\mshtmled.dll" 2006-03-03 20:33:44 146,432 ( A.... ) "D:\WINDOWS\system32\msrating.dll" 2006-03-03 20:33:44 39,424 ( A.... ) "D:\WINDOWS\system32\pngfilt.dll" 2006-03-03 20:33:42 1,054,208 ( A.... ) "D:\WINDOWS\system32\danim.dll" 2006-03-03 20:33:42 251,392 ( A.... ) "D:\WINDOWS\system32\iepeers.dll" 2006-03-03 20:33:42 205,312 ( A.... ) "D:\WINDOWS\system32\dxtrans.dll" 2006-03-03 20:33:42 96,256 ( A.... ) "D:\WINDOWS\system32\inseng.dll" 2006-03-03 20:33:42 55,808 ( ..... ) "D:\WINDOWS\system32\extmgr.dll" 2006-03-03 20:33:40 1,022,976 ( A.... ) "D:\WINDOWS\system32\browseui.dll" 2006-03-03 20:33:40 151,040 ( A.... ) "D:\WINDOWS\system32\cdfview.dll" 2006-03-01 12:42:42 956,416 ( A.... ) "D:\WINDOWS\system32\msdtctm.dll" 2006-03-01 12:42:42 426,496 ( A.... ) "D:\WINDOWS\system32\msdtcprx.dll" 2006-03-01 12:42:42 161,280 ( A.... ) "D:\WINDOWS\system32\msdtcuiu.dll" 2006-03-01 12:42:42 91,136 ( A.... ) "D:\WINDOWS\system32\mtxoci.dll" 2006-03-01 12:42:42 66,560 ( A.... ) "D:\WINDOWS\system32\mtxclu.dll" 2006-03-01 12:42:42 11,776 ( A.... ) "D:\WINDOWS\system32\xolehlp.dll" ComboFix ver 06.05.16 Completion time: Thu 05/25/2006 12:55:15.48 This logfile is located at D:\COMBOFIX.txt

05-25-2006, 02:00 PM	#5 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	And here's the new hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 12:58:42 PM, on 5/25/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\spoolsv.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\System32\nvraidservice.exe D:\WINDOWS\system32\RUNDLL32.EXE D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe D:\WINDOWS\CTHELPER.EXE D:\WINDOWS\system32\CTXFIHLP.EXE D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\WINDOWS\sys0203371697-6.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\Messenger\MSMSGS.EXE D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe D:\WINDOWS\SYSTEM32\CTXFISPI.EXE D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe D:\WINDOWS\system32\CTsvcCDA.EXE D:\WINDOWS\system32\nvsvc32.exe D:\WINDOWS\System32\wbem\unsecapp.exe D:\WINDOWS\system32\wuauclt.exe D:\Documents and Settings\Tim\Desktop\HijackThis.exe F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,anxfeqe.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [sys0203371697-6] D:\WINDOWS\sys0203371697-6.exe O4 - HKLM\..\Run: [w7917a04.dll] RUNDLL32.EXE w7917a04.dll,I2 000dcc1d07917a04 O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [newname] c:\\newname21.exe O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s O4 - HKLM\..\Run: [keyboard] c:\\keyboard21.exe O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078 O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\gpjml3111.dll (file missing) O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - D:\WINDOWS\alg.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

05-25-2006, 11:41 PM	#7 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	I've done everything you said but I was unable to remove D:\WINDOWS\system32\wapisvit.exe because it was in use. Volume in drive D has no label. Volume Serial Number is FCCE-C47B Directory of D:\Program Files 05/14/2006 08:28 AM <DIR> ??sks 0 File(s) 0 bytes Directory of D:\Documents and Settings\Tim\Desktop Directory of D:\Documents and Settings\Tim\Desktop Directory of D:\Documents and Settings\Tim\Desktop 05/25/2006 05:48 PM 0 files.txt 1 File(s) 0 bytes 0 Dir(s) 30,339,117,056 bytes free --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 9:50:55 PM, 5/25/2006 + Report-Checksum: 3EC90B7D + Scan result: D:\Documents and Settings\LocalService\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup D:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup D:\Program Files\EQAdvice\EQAdvice.exe -> Adware.CASClient : Cleaned with backup D:\Program Files\Таsks\SKS~1\!update-3820.0000 -> Downloader.PurityScan.cl : Cleaned with backup D:\Program Files\Таsks\spoolsv.exe -> Downloader.PurityScan.cl : Cleaned with backup D:\WINDOWS\876056.exe -> Adware.Mirar : Cleaned with backup D:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup D:\WINDOWS\system32\srcjowa.dll -> Adware.PurityScan : Cleaned with backup D:\WINDOWS\system32\ѕymbols\wυauclt.exe -> Adware.PurityScan : Cleaned with backup ::Report End Incident Status Location Adware:adware/commad Not disinfected Windows Registry Adware:adware/dyfuca Not disinfected Windows Registry Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[Beyond.class] Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[NudeBox.class] Virus:Trj/ClassLoader.P Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[Worker.class] Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[VerifierBug.class] Virus:Trj/Ranky.LG Disinfected D:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7b81d802-36915bba.zip[javautil.zip] Virus:Trj/Clicker.QE Disinfected D:\Program Files\Common Files\simtest\sysstall.exe Adware:Adware/CommAd Not disinfected D:\WINDOWS\dGlt\x35Q.vbs

05-25-2006, 11:44 PM	#8 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	Logfile of HijackThis v1.99.1 Scan saved at 10:33:38 PM, on 5/25/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\spoolsv.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\CTsvcCDA.EXE D:\Program Files\ewido anti-malware\ewidoctrl.exe D:\WINDOWS\system32\nvsvc32.exe D:\WINDOWS\System32\nvraidservice.exe D:\WINDOWS\system32\RUNDLL32.EXE D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe D:\WINDOWS\CTHELPER.EXE D:\WINDOWS\system32\CTXFIHLP.EXE D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe D:\WINDOWS\SYSTEM32\CTXFISPI.EXE D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe D:\WINDOWS\System32\wbem\unsecapp.exe D:\WINDOWS\system32\NOTEPAD.EXE D:\PROGRA~1\MOZILL~1\FIREFOX.EXE D:\Documents and Settings\Tim\Desktop\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - D:\WINDOWS\alg.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

05-26-2006, 07:23 PM	#10 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	I haven't done the steps above yet, but my system is behaving fine so far. No more pop-ups.

05-26-2006, 08:58 PM	#12 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Friday, May 26, 2006 7:57:27 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 27/05/2006 Kaspersky Anti-Virus database records: 196609 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 80278 Number of viruses found: 23 Number of infected objects: 71 Number of suspicious objects: 0 Duration of the scan process: 01:07:26 Infected Object Name / Virus Name / Last Action C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026099.pif Infected: Trojan-Downloader.Win32.Adload.bm skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026103.exe Infected: Trojan-Downloader.Win32.Adload.bm skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026105.pif Infected: Trojan-Downloader.Win32.Adload.bm skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026109.pif Infected: Trojan-Downloader.Win32.Adload.bm skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026110.exe Infected: Trojan-Downloader.Win32.Adload.bm skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP188\A0026112.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026590.exe Infected: not-a-virus:AdWare.Win32.SmartLoad.c skipped C:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026598.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped D:\Program Files\BitTorrent\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped D:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped D:\Program Files\BitTorrent\uninstall.exe NSIS: infected - 2 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026008.exe Infected: Trojan-Downloader.Win32.VB.tw skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026010.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026014.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026084.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026085.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026086.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP187\A0026089.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026278.exe CAB: infected - 5 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026295.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026296.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026297.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026301.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026312.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026324.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026325.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002/data0011 Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe/data0002 Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026330.exe NSIS: infected - 8 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026331.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP191\A0026332.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP200\A0026481.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP200\A0026483.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP200\A0026484.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026585.exe Infected: Trojan-Downloader.Win32.VB.nw skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026608.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026610.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026611.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026612.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.k skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026612.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026613.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.l skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026613.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026614.exe Infected: Trojan-Downloader.Win32.VB.tw skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0003 Infected: Trojan.Win32.VB.tg skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0006 Infected: Trojan.Win32.VB.tg skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe/data0007 Infected: Trojan.Win32.VB.tg skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026615.exe NSIS: infected - 4 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026639.exe Infected: not-a-virus:AdWare.Win32.CASClient.l skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026642.exe RarSFX: infected - 6 skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026643.exe Infected: not-a-virus:AdWare.Win32.CASClient.k skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026645.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026646.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped D:\System Volume Information\_restore{1231BBB5-CAD6-4C47-9A46-73BB88BC05AF}\RP203\A0026647.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dv skipped Scan process completed.

05-26-2006, 08:59 PM	#13 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	Logfile of HijackThis v1.99.1 Scan saved at 7:58:58 PM, on 5/26/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\spoolsv.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe D:\WINDOWS\system32\CTsvcCDA.EXE D:\Program Files\ewido anti-malware\ewidoctrl.exe D:\WINDOWS\system32\nvsvc32.exe D:\WINDOWS\System32\nvraidservice.exe D:\WINDOWS\system32\RUNDLL32.EXE D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe D:\WINDOWS\CTHELPER.EXE D:\WINDOWS\system32\CTXFIHLP.EXE D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe D:\WINDOWS\SYSTEM32\CTXFISPI.EXE D:\WINDOWS\System32\wbem\unsecapp.exe D:\PROGRA~1\MOZILL~1\FIREFOX.EXE D:\Documents and Settings\Tim\Desktop\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1144220365\ee\AOLSoftware.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139343355078 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

05-26-2006, 09:33 PM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Good job. My favorite part now.... Those Kaspersky finds are in System Restore and will be removed when we flush the old Restore Points and create a new clean one shortly. Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address. Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch. Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Download IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial Here are two very good free Antivirus products which are available: Avast! AVG If you do not have a firewall, here are 4 free ones available for personal use: ZoneAlarm Avast Antivirus/Firewall Tiny Personal Firewall OutPost Firewall In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-27-2006, 08:10 AM	#15 (permalink)
Jespin Registered User Join Date: May 2006 Posts: 10 OS: WinXP	Thank you so much for everything you've done.