winantivirus pro 2006 popups

thwah · 08-04-2006, 01:08 AM

hi, I've done all the things that u said before posting here like using adaware, spybot and cwshredder to kill the popups. well, seems like it really like my computer and not wanting to go away. so here I am asking for your help to get the bugger off.

Thanks in advance

My hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 2:54:36 AM, on 8/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\System32\vturo.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/conn...s/ctlProxy.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119902474390
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9BE1C2B-5884-4DA7-9D50-88FE51BE718A}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: vturo - C:\WINDOWS\System32\vturo.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

sUBs · 08-04-2006, 08:23 AM

1. Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to Start > Run - paste in the following command & click OK

"%userprofile%\desktop\combofix.exe" /v vturo

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

thwah · 08-04-2006, 10:50 AM

man oh man you guys r fast. didn't expected to get reply in such a short time. anyway, thank you once again.

My log:

Start Time= 06-08-04 12:40:44.37
Running from: F:\temp\SYSTEM\E-GOR\

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.bak2
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\drivers\dp.sys

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\msresearch1.dat

((((((((((((((((((((((((((((((( Files Created from 2006-07-04 to 2006-08-04 ))))))))))))))))))))))))))))))))))

2006-07-29 01:46 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-29 01:31 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-29 01:31 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-29 01:31 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-29 01:31 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-29 01:31 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-29 01:31 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-29 01:31 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-29 01:31 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-25 01:38 65,556 C:\WINDOWS\system32\ytohdngw.exe
2006-07-21 01:36 17,750 C:\WINDOWS\system32\vqbgvgea.exe
2006-07-17 01:53 20,480 C:\WINDOWS\system32\hidserv.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-08-04 12:39 ------- d-------- C:\Program Files\Mozilla Firefox
2006-08-04 12:31 ------- d-------- C:\Program Files\FlashGet
2006-08-03 17:33 ------- d-------- C:\Program Files\xerox
2006-08-03 16:56 ------- d-------- C:\Program Files\palmOne
2006-08-03 16:51 ------- d-------- C:\Program Files\jv16 PowerTools
2006-08-03 15:16 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-07-29 01:46 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-29 01:46 ------- d-------- C:\Program Files\D-Tools
2006-07-29 01:21 ------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-25 21:52 ------- d-------- C:\Documents and Settings\E-gor\Application Data\AdobeUM
2006-07-25 01:38 65556 --a------ C:\WINDOWS\system32\ytohdngw.exe
2006-07-24 00:54 ------- d-------- C:\Program Files\ICQ
2006-07-24 00:04 ------- d-------- C:\Program Files\EmpirePokerMaster
2006-07-21 01:36 17750 --a------ C:\WINDOWS\system32\vqbgvgea.exe
2006-07-18 15:58 ------- d-------- C:\Program Files\MSN Messenger
2006-07-18 03:50 ------- d-------- C:\Program Files\TheWeatherNetwork
2006-07-17 01:52 ------- d-------- C:\Program Files\Logitech
2006-07-17 01:52 ------- d-------- C:\Program Files\Common Files\Logitech
2006-07-17 01:52 ------- d-------- C:\Program Files\Common Files
2006-06-25 15:18 ------- d---s---- C:\Documents and Settings\E-gor\Application Data\Microsoft
2006-06-21 04:50 ------- d-------- C:\Documents and Settings\E-gor\Application Data\Azureus
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-06-15 01:24 ------- d-------- C:\Program Files\Sony ImageStation XPRESS
2006-06-08 23:55 ------- d-------- C:\Program Files\The Weather Channel FW
2006-06-08 23:53 ------- d-------- C:\Program Files\Movie Splitter
2006-06-08 23:52 ------- d--h----- C:\Program Files\Uninstall Information
2006-06-08 23:52 ------- d-------- C:\Program Files\Outlook Express
2006-06-08 23:52 ------- d-------- C:\Program Files\Internet Explorer
2006-06-08 23:52 ------- d-------- C:\Program Files\Common Files\System
2006-06-08 23:52 ------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-06-08 23:51 ------- d-------- C:\Program Files\Microsoft ActiveSync
2006-06-08 23:47 ------- d-------- C:\Program Files\Adobe
2006-05-18 22:27 2508 --a------ C:\Documents and Settings\E-gor\Application Data\$_hpcst$.hpc
2006-05-18 13:00 176167 --a------ C:\WINDOWS\system32\rmoc3260.dll
2006-05-18 12:59 6656 --a------ C:\WINDOWS\system32\pndx5016.dll
2006-05-18 12:59 5632 --a------ C:\WINDOWS\system32\pndx5032.dll
2006-05-18 12:59 278528 --a------ C:\WINDOWS\system32\pncrt.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE USB PC Camera 301P"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"WallpaperChanger"="C:\\Program Files\\Wallpaper Master\\Wallpaper.exe"
"DW4"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoWinKeys"=hex:00,00,00,00
"NoMovingBands"=dword:00000001
"NoDriveAutoRun"=hex:ff,ff,ff,03

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
"backup"="C:\\WINDOWS\\pss\\ATI CATALYST System Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ATITEC~1\\ATI.ACE\\CLI.exe SystemTray"
"item"="ATI CATALYST System Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTouch"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"inimapping"="0"

Contents of the 'Scheduled Tasks' folder

Completion time: Fri 08/04/2006 12:42:55.78
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt

ComboFix.txt

sUBs · 08-04-2006, 02:09 PM

Please read this post completely before begining. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

Download & install CleanUp.exe (not recommended for WinXP64)

Download Dr.Web CureIt & save it on desktop. We shall be using it later

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O18 - Filter: text/html - (no CLSID) - (no file)

* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *

Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:

Need2Find

Please note any other programs that you dont recognize in that list in your next response

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\WINDOWS\system32\ytohdngw.exe
C:\WINDOWS\system32\vqbgvgea.exe
C:\Program Files\Need2Find

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Delete Cookies

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

** The scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

* * * * * * REBOOT * * * * * * * * * * * * * *

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

ComboFix

Dr.Web

Online Scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

sUBs · 08-04-2006, 02:10 PM

This is to be performed after you have posted the required logs, I require you to update your copy of Sun's java. Older versions of Java have been identified as entry points for malware.

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:

http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
  Downloaded Applications
  Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

thwah · 08-05-2006, 10:35 PM

woo, it sure took me a while to do all the procedures, but it definitely worth the time and effort. thx for your help and time. anyway, back to the topic, you asked me to uninstall Need2Find and delete the folder of it but I couldn't it. I guess I uninstalled and deleted the folder already. for everything else, it went smoothly.

HiJackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:23:57 AM, on 8/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/conn...s/ctlProxy.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119902474390
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9BE1C2B-5884-4DA7-9D50-88FE51BE718A}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

ComboFix Log:

Start Time= 06-08-06 0:22:39.21
Running from: F:\temp\SYSTEM\E-GOR\

((((((((((((((((((((((((((((((( Files Created from 2006-07-06 to 2006-08-06 ))))))))))))))))))))))))))))))))))

2006-08-05 23:44 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-05 23:44 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-29 01:46 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-29 01:31 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-29 01:31 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-29 01:31 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-29 01:31 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-29 01:31 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-29 01:31 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-29 01:31 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-29 01:31 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-17 01:53 20,480 C:\WINDOWS\system32\hidserv.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-08-06 00:00 ------- d-------- C:\Program Files\Internet Explorer
2006-08-06 00:00 ------- d-------- C:\Program Files\Google
2006-08-06 00:00 ------- d-------- C:\Program Files\FlashGet
2006-08-05 23:38 ------- d-------- C:\Program Files\Mozilla Firefox
2006-08-05 22:33 ------- d-------- C:\Program Files\Mozilla Thunderbird
2006-08-05 22:33 ------- d-------- C:\Documents and Settings\E-gor\Application Data\Azureus
2006-08-05 22:21 ------- d-------- C:\Program Files\jv16 PowerTools
2006-08-03 17:33 ------- d-------- C:\Program Files\xerox
2006-08-03 16:56 ------- d-------- C:\Program Files\palmOne
2006-08-03 15:16 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-07-29 01:46 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-29 01:46 ------- d-------- C:\Program Files\D-Tools
2006-07-29 01:21 ------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-25 21:52 ------- d-------- C:\Documents and Settings\E-gor\Application Data\AdobeUM
2006-07-24 00:54 ------- d-------- C:\Program Files\ICQ
2006-07-24 00:04 ------- d-------- C:\Program Files\EmpirePokerMaster
2006-07-18 15:58 ------- d-------- C:\Program Files\MSN Messenger
2006-07-18 03:50 ------- d-------- C:\Program Files\TheWeatherNetwork
2006-07-17 01:52 ------- d-------- C:\Program Files\Logitech
2006-07-17 01:52 ------- d-------- C:\Program Files\Common Files\Logitech
2006-07-17 01:52 ------- d-------- C:\Program Files\Common Files
2006-06-25 15:18 ------- d---s---- C:\Documents and Settings\E-gor\Application Data\Microsoft
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-06-15 01:24 ------- d-------- C:\Program Files\Sony ImageStation XPRESS
2006-06-08 23:55 ------- d-------- C:\Program Files\The Weather Channel FW
2006-06-08 23:53 ------- d-------- C:\Program Files\Movie Splitter
2006-06-08 23:52 ------- d--h----- C:\Program Files\Uninstall Information
2006-06-08 23:52 ------- d-------- C:\Program Files\Outlook Express
2006-06-08 23:52 ------- d-------- C:\Program Files\Common Files\System
2006-06-08 23:52 ------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-06-08 23:51 ------- d-------- C:\Program Files\Microsoft ActiveSync
2006-06-08 23:47 ------- d-------- C:\Program Files\Adobe
2006-05-18 22:27 2508 --a------ C:\Documents and Settings\E-gor\Application Data\$_hpcst$.hpc
2006-05-18 13:00 176167 --a------ C:\WINDOWS\system32\rmoc3260.dll
2006-05-18 12:59 6656 --a------ C:\WINDOWS\system32\pndx5016.dll
2006-05-18 12:59 5632 --a------ C:\WINDOWS\system32\pndx5032.dll
2006-05-18 12:59 278528 --a------ C:\WINDOWS\system32\pncrt.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE USB PC Camera 301P"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"WallpaperChanger"="C:\\Program Files\\Wallpaper Master\\Wallpaper.exe"
"DW4"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoWinKeys"=hex:00,00,00,00
"NoMovingBands"=dword:00000001
"NoDriveAutoRun"=hex:ff,ff,ff,03

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
"backup"="C:\\WINDOWS\\pss\\ATI CATALYST System Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ATITEC~1\\ATI.ACE\\CLI.exe SystemTray"
"item"="ATI CATALYST System Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTouch"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"inimapping"="0"

Contents of the 'Scheduled Tasks' folder

Completion time: Sun 08/06/2006 0:23:15.23
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt

Dr.Web Log:

UERS_0001_N82M1105NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10346;Deleted.;

Online Scan:

Incident Status Location

Adware:adware/cydoor Not disinfected c:\windows\system32\AdCache
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.spylog.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.go.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.paycounter.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[image.checkmystats.com.au/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\E-gor\Application Data\Mozilla\Firefox\Profiles\o7k6ryng.default\cookies.txt[stat.onestat.com/]
Virus:Trj/Mitglieder.FL Disinfected C:\Documents and Settings\E-gor\Application Data\Thunderbird\Profiles\f5x20eca.default\Mail\pop.broadband.rogers.com\Inbox[Health_and_knowledge.zip][Text5546_exe.VIR]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\E-gor\Cookies\e-gor@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\E-gor\Cookies\e-gor@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\E-gor\Cookies\e-gor@casalemedia[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\E-gor\Cookies\e-gor@fastclick[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\E-gor\Cookies\e-gor@stats1.reliablestats[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-10.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-11.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-2.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-3.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-4.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-5.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-6.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-7.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-8.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies-9.txt[.atwola.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.atwola.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.centrport.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.ehg-ati.hitbox.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.findwhat.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.com.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.rn11.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.247realmedia.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.targetnet.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.perf.overture.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.realmedia.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.ads.addynamix.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.com.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.tribalfusion.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.zedo.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.as-us.falkag.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.statcounter.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[data.coremetrics.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.valueclick.com/]
Spyware:Cookie/Qsrch Not disinfected C:\Documents and Settings\Tangs\Application Data\Mozilla\Firefox\Profiles\e26z0w5s.default\cookiesnew.txt[.qsrch.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@belnk[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@doubleclick[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@errorsafe[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@mediaplex[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@searchportal.information[2].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@spywarestormer[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@stats1.reliablestats[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Tangs\Cookies\tangs@toplist[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003020.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003020.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003020.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003021.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003021.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003021.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003022.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003022.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003022.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003023.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003023.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003023.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003024.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003024.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003024.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003025.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003025.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003025.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003026.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003026.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003026.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003028.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003028.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003028.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003029.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003029.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003029.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003035.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003035.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003035.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003036.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003036.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003036.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003037.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003037.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003037.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003041.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003041.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003041.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003042.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003042.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003042.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003043.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003043.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003043.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003044.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003044.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003044.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003045.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003045.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003045.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003046.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003046.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003046.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003047.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003047.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003047.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003048.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003048.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003048.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003049.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003049.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003049.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003050.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003050.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003050.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003053.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003053.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003053.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003054.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003054.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003054.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003058.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003058.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003058.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003060.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003060.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003060.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003061.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003061.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003061.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003062.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003062.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003062.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003075.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003075.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003075.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003170.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003170.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003170.MOZ[.ehg-nvidia.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003171.MOZ[.ehg-dig.hitbox.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00003171.MOZ[.atwola.com/]
Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\NPROTECT\00003171.MOZ[.ehg-nvidia.hitbox.com/]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RS1nb3IA\G0TGPwWV4DKXEaDS.vbs

sUBs · 08-06-2006, 01:11 AM

Please read the rest of this post completely before begining the fix.

Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer =

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (make sure you get ALL of them)

c:\windows\system32\AdCache
C:\WINDOWS\RS1nb3IA\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Delete Cookies

4. Click OK
5. Press the CleanUp! button to start the program.

Reboot & post a fresh HJT log

thwah · 08-06-2006, 05:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 19:42, on 06-08-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\devldr32.exe
C:\hjt\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/conn...s/ctlProxy.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119902474390
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9BE1C2B-5884-4DA7-9D50-88FE51BE718A}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

sUBs · 08-06-2006, 07:11 PM

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

thwah · 08-07-2006, 02:48 AM

thank you very much for your help and time. appreciate it. will follow your suggestions.

08-04-2006, 01:08 AM	#1 (permalink)
thwah Registered User Join Date: Oct 2005 Posts: 7 OS: winxp	winantivirus pro 2006 popups hi, I've done all the things that u said before posting here like using adaware, spybot and cwshredder to kill the popups. well, seems like it really like my computer and not wanting to go away. so here I am asking for your help to get the bugger off. Thanks in advance My hijackthis log Logfile of HijackThis v1.99.1 Scan saved at 2:54:36 AM, on 8/4/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\System32\devldr32.exe C:\WINDOWS\System32\taskswitch.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\WINDOWS\explorer.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\System32\vturo.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/conn...s/ctlProxy.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119902474390 O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{C9BE1C2B-5884-4DA7-9D50-88FE51BE718A}: NameServer = 192.168.0.1 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Filter: text/html - (no CLSID) - (no file) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: vturo - C:\WINDOWS\System32\vturo.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

08-04-2006, 08:23 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,338 OS: N/A	1. Download this file - http://download.bleepingcomputer.com/sUBs/combofix.exe http://www.techsupportforum.com/sectools/combofix.exe * IMPORTANT !!! Place combofix.exe on your Desktop 2. Go to Start > Run - paste in the following command & click OK "%userprofile%\desktop\combofix.exe" /v vturo 3. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Question - what have you done for the community today?

08-04-2006, 02:09 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,338 OS: N/A	Please read this post completely before begining. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * Download & install CleanUp.exe (not recommended for WinXP64) Download Dr.Web CureIt & save it on desktop. We shall be using it later 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing) O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - O18 - Filter: text/html - (no CLSID) - (no file) * * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * * Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs: Need2Find Please note any other programs that you dont recognize in that list in your next response * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools -> Folder Options -> View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\WINDOWS\system32\ytohdngw.exe C:\WINDOWS\system32\vqbgvgea.exe C:\Program Files\Need2Find * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Delete Cookies 4. Click OK 5. Press the CleanUp! button to start the program. 6. Do NOT reboot/logoff if prompted. * CleanUp! will not create any backups!! * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. ** The scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. * * * * * * REBOOT * * * * * * * * * * * * * * Perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis log ComboFix Dr.Web Online Scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?

08-04-2006, 02:10 PM	#5 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,338 OS: N/A	This is to be performed after you have posted the required logs, I require you to update your copy of Sun's java. Older versions of Java have been identified as entry points for malware. Updating Java and Clearing Cache Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel. It will say "Java Plug-in" under the icon. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options' Please find the Update button or tab in the Java Control Panel. Update your Java then reboot. If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp After the reboot, go back into the Control Panel and double-click the Java Icon. Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. __________________ Question - what have you done for the community today?

08-06-2006, 01:11 AM	#7 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,338 OS: N/A	Please read the rest of this post completely before begining the fix. Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards. SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools -> Folder Options -> View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (make sure you get ALL of them) c:\windows\system32\AdCache C:\WINDOWS\RS1nb3IA\ * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Delete Cookies 4. Click OK 5. Press the CleanUp! button to start the program. Reboot & post a fresh HJT log __________________ Question - what have you done for the community today?

08-04-2006, 10:50 AM	#3 (permalink)
thwah Registered User Join Date: Oct 2005 Posts: 7 OS: winxp	man oh man you guys r fast. didn't expected to get reply in such a short time. anyway, thank you once again. My log: Start Time= 06-08-04 12:40:44.37 Running from: F:\temp\SYSTEM\E-GOR\ (((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log ))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\vturo.dll C:\WINDOWS\system32\orutv.bak1 C:\WINDOWS\system32\orutv.bak2 C:\WINDOWS\system32\orutv.ini C:\WINDOWS\system32\drivers\dp.sys * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\msresearch1.dat ((((((((((((((((((((((((((((((( Files Created from 2006-07-04 to 2006-08-04 )))))))))))))))))))))))))))))))))) 2006-07-29 01:46 98,304 C:\WINDOWS\system32\CmdLineExt.dll 2006-07-29 01:31 62,672 C:\WINDOWS\system32\xinput1_1.dll 2006-07-29 01:31 61,136 C:\WINDOWS\system32\xinput9_1_0.dll 2006-07-29 01:31 230,096 C:\WINDOWS\system32\xactengine2_0.dll 2006-07-29 01:31 229,584 C:\WINDOWS\system32\xactengine2_1.dll 2006-07-29 01:31 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll 2006-07-29 01:31 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll 2006-07-29 01:31 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll 2006-07-29 01:31 14,032 C:\WINDOWS\system32\x3daudio1_0.dll 2006-07-25 01:38 65,556 C:\WINDOWS\system32\ytohdngw.exe 2006-07-21 01:36 17,750 C:\WINDOWS\system32\vqbgvgea.exe 2006-07-17 01:53 20,480 C:\WINDOWS\system32\hidserv.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-08-04 12:39 ------- d-------- C:\Program Files\Mozilla Firefox 2006-08-04 12:31 ------- d-------- C:\Program Files\FlashGet 2006-08-03 17:33 ------- d-------- C:\Program Files\xerox 2006-08-03 16:56 ------- d-------- C:\Program Files\palmOne 2006-08-03 16:51 ------- d-------- C:\Program Files\jv16 PowerTools 2006-08-03 15:16 ------- d-------- C:\Program Files\Spybot - Search & Destroy 2006-07-29 01:46 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2006-07-29 01:46 ------- d-------- C:\Program Files\D-Tools 2006-07-29 01:21 ------- d--h----- C:\Program Files\InstallShield Installation Information 2006-07-25 21:52 ------- d-------- C:\Documents and Settings\E-gor\Application Data\AdobeUM 2006-07-25 01:38 65556 --a------ C:\WINDOWS\system32\ytohdngw.exe 2006-07-24 00:54 ------- d-------- C:\Program Files\ICQ 2006-07-24 00:04 ------- d-------- C:\Program Files\EmpirePokerMaster 2006-07-21 01:36 17750 --a------ C:\WINDOWS\system32\vqbgvgea.exe 2006-07-18 15:58 ------- d-------- C:\Program Files\MSN Messenger 2006-07-18 03:50 ------- d-------- C:\Program Files\TheWeatherNetwork 2006-07-17 01:52 ------- d-------- C:\Program Files\Logitech 2006-07-17 01:52 ------- d-------- C:\Program Files\Common Files\Logitech 2006-07-17 01:52 ------- d-------- C:\Program Files\Common Files 2006-06-25 15:18 ------- d---s---- C:\Documents and Settings\E-gor\Application Data\Microsoft 2006-06-21 04:50 ------- d-------- C:\Documents and Settings\E-gor\Application Data\Azureus 2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll 2006-06-15 01:24 ------- d-------- C:\Program Files\Sony ImageStation XPRESS 2006-06-08 23:55 ------- d-------- C:\Program Files\The Weather Channel FW 2006-06-08 23:53 ------- d-------- C:\Program Files\Movie Splitter 2006-06-08 23:52 ------- d--h----- C:\Program Files\Uninstall Information 2006-06-08 23:52 ------- d-------- C:\Program Files\Outlook Express 2006-06-08 23:52 ------- d-------- C:\Program Files\Internet Explorer 2006-06-08 23:52 ------- d-------- C:\Program Files\Common Files\System 2006-06-08 23:52 ------- d-------- C:\Program Files\Common Files\Microsoft Shared 2006-06-08 23:51 ------- d-------- C:\Program Files\Microsoft ActiveSync 2006-06-08 23:47 ------- d-------- C:\Program Files\Adobe 2006-05-18 22:27 2508 --a------ C:\Documents and Settings\E-gor\Application Data\$_hpcst$.hpc 2006-05-18 13:00 176167 --a------ C:\WINDOWS\system32\rmoc3260.dll 2006-05-18 12:59 6656 --a------ C:\WINDOWS\system32\pndx5016.dll 2006-05-18 12:59 5632 --a------ C:\WINDOWS\system32\pndx5032.dll 2006-05-18 12:59 278528 --a------ C:\WINDOWS\system32\pncrt.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "BigDogPath"="C:\\WINDOWS\\VM_STI.EXE USB PC Camera 301P" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay" "CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe" "WallpaperChanger"="C:\\Program Files\\Wallpaper Master\\Wallpaper.exe" "DW4"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoLowDiskSpaceChecks"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 "NoDrives"=dword:00000000 "NoViewOnDrive"=dword:00000000 "NoWinKeys"=hex:00,00,00,00 "NoMovingBands"=dword:00000001 "NoDriveAutoRun"=hex:ff,ff,ff,03 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE" [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk] "backup"="C:\\WINDOWS\\pss\\ATI CATALYST System Tray.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\ATITEC~1\\ATI.ACE\\CLI.exe SystemTray" "item"="ATI CATALYST System Tray" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTouch" "hkey"="HKLM" "command"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe" "inimapping"="0" Contents of the 'Scheduled Tasks' folder Completion time: Fri 08/04/2006 12:42:55.78 ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt ComboFix.txt

08-06-2006, 05:44 PM	#8 (permalink)
thwah Registered User Join Date: Oct 2005 Posts: 7 OS: winxp	Logfile of HijackThis v1.99.1 Scan saved at 19:42, on 06-08-06 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\System32\taskswitch.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\System32\devldr32.exe C:\hjt\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/conn...s/ctlProxy.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119902474390 O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{C9BE1C2B-5884-4DA7-9D50-88FE51BE718A}: NameServer = 192.168.0.1 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

08-06-2006, 07:11 PM	#9 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,338 OS: N/A	Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

08-07-2006, 02:48 AM	#10 (permalink)
thwah Registered User Join Date: Oct 2005 Posts: 7 OS: winxp	thank you very much for your help and time. appreciate it. will follow your suggestions.