Spyware

bigbhoy77 · 11-24-2006, 09:23 AM

Don't know if this is where i should post this problem apologies in advance if its the wrong section. I seem to have spyware on my comp i have tried various removal tools ie xoftspy, spybot, adaware, Trend Micro Anti-Spyware in safe-mode to no avail please can someone help get rid of this ?

tetonbob · 11-25-2006, 12:09 AM

Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

bigbhoy77 · 11-25-2006, 12:19 PM

Quote:

Originally Posted by tetonbob

Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

Sorry i did not see this reply before i used hijackthis and i just ticked all the boxes and fixed the lot.

Logfile of HijackThis v1.99.1
Scan saved at 18:11:17, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.mcafee.com/apps/vso/en-gb/...p?affid=370-21
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {242A5537-631F-9060-FB37-0A8C162B8D5A} - C:\WINDOWS\system32\cmhditn.dll
O2 - BHO: (no name) - {2DB595B1-F9A8-470F-812E-532FE1829A25} - (no file)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [bqekkkf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bqekkkf.dll,spnrzlb
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

bigbhoy77 · 11-25-2006, 12:35 PM

ps hijackthis has removed the problem but my comp has been running weird since

so could you tell me which one to delete so i can restore the rest thanks

tetonbob · 11-25-2006, 02:42 PM

HJT usage is best done under the supervision of trained Helpers. You must promise not to perform any more self-help fixes while we're working together, and only do exactly as instructed. There may be some lag time between replies, but we can get this issue resolved.

If that log you posted is after you "fixed the lot", I'm not exactly sure what the issue might be causing the system to be "running weird".

That said, you have several infections which are showing.....first, let's be sure we can see everything running.

Open HJT and click on View the list of Backups.
Check each item showing and then click Restore
Click Yes.
Reboot your system.
Post a new HJT log

bigbhoy77 · 11-25-2006, 03:20 PM

Quote:

Originally Posted by tetonbob

HJT usage is best done under the supervision of trained Helpers. You must promise not to perform any more self-help fixes while we're working together, and only do exactly as instructed. There may be some lag time between replies, but we can get this issue resolved.

If that log you posted is after you "fixed the lot", I'm not exactly sure what the issue might be causing the system to be "running weird".

That said, you have several infections which are showing.....first, let's be sure we can see everything running.

Open HJT and click on View the list of Backups.
Check each item showing and then click Restore
Click Yes.
Reboot your system.
Post a new HJT log

This is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 22:20:28, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\system32\ishost.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\ismini.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.mcafee.com/apps/vso/en-gb/...p?affid=370-21
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvloz.dll,startup
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [bqekkkf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bqekkkf.dll,spnrzlb
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{C062FE27-5E27-443A-9A83-CCE515C41F29}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

tetonbob · 11-25-2006, 03:30 PM

I'd like you to rename HijackThis.exe to happy.exe.

Navigate to C:\highjackthis\HijackThis.exe
Right click on HijackThis.exe
Select 'Rename'
Type in happy.exe
Press Enter.

Please post a new log with this renamed executable.

bigbhoy77 · 11-25-2006, 03:42 PM

Quote:

Originally Posted by tetonbob

I'd like you to rename HijackThis.exe to happy.exe.

Navigate to C:\highjackthis\HijackThis.exe
Right click on HijackThis.exe
Select 'Rename'
Type in happy.exe
Press Enter.

Please post a new log with this renamed executable.

Logfile of HijackThis v1.99.1
Scan saved at 22:43:07, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\system32\ishost.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\ismini.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\highjackthis\happy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.mcafee.com/apps/vso/en-gb/...p?affid=370-21
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uxliwckt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: (no name) - {1577CC3B-BE9D-4D9F-9F3D-FB4C72DB7403} - C:\WINDOWS\system32\ssqpp.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {242A5537-631F-9060-FB37-0A8C162B8D5A} - C:\WINDOWS\system32\cmhditn.dll
O2 - BHO: (no name) - {2DB595B1-F9A8-470F-812E-532FE1829A25} - (no file)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvloz.dll,startup
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [bqekkkf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bqekkkf.dll,spnrzlb
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{C062FE27-5E27-443A-9A83-CCE515C41F29}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

tetonbob · 11-25-2006, 04:07 PM

OK, now we can see most of the junk that's clogging your system. This will take some time.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

---------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update it's definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware

From the main screen, click on update, then click the Start
update button.
After the update finishes (the status bar at the bottom will display "Update
successful")
select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Exit AVG Anti-Spyware. DO NOT scan yet.

---------------------------------------------------------------------------------------------

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

We'll use this later.

Download combofix.exe to your desktop.

* IMPORTANT !!! Place it on your Desktop. We'll use this shortly.

-------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {2DB595B1-F9A8-470F-812E-532FE1829A25} - (no file)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvloz.dll,startup
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc
O4 - HKLM\..\Run: [bqekkkf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bqekkkf.dll,spnrzlb
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\

Close HijackThis now.

---------------------------------------------------------------------------------------------

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe" /v winwea32 ssqpp mlljk bqekkkf vvdkkpe drvloz cmhditn vorenbj uxliwckt

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Toolbar 888
VS Add-in for Internet Explorer

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\Program Files\VSAdd-in

---------------------------------------------------------------------------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\ComboFix.txt
C:\rapport.txt (log from the SmitfraudFix tool)
AVG Anti-Spyware log
Panda log
Hijackthis log

bigbhoy77 · 11-26-2006, 04:31 AM

"%userprofile%\desktop\combofix.exe" /v winwea32 ssqpp mlljk bqekkkf vvdkkpe drvloz cmhditn vorenbj uxliwckt

was waiting on this to finish so i could post the log must have waited about 15mins then it just disappeared and now i have a blank desktop?

bigbhoy77 · 11-26-2006, 05:01 AM

Toolbar 888
VS Add-in for Internet Explorer

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\Program Files\VSAdd-

dont have Toolbar 888 or C:Program Files\VSAdd-

but have VS Add-in for Internet Explorer but wont let me romove for add/remove programs

bigbhoy77 · 11-26-2006, 05:17 AM

Sorry couldn't get a log from Combofix

*****************************************************

SmitFraudFix v2.124

Scan done at 12:05:10.17, 06-11-26
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0bad5052-665d-40d4-a9bd-a2891eaafb42}"="boucicault"

[HKEY_CLASSES_ROOT\CLSID\{0bad5052-665d-40d4-a9bd-a2891eaafb42}\InProcServer32]
@="C:\WINDOWS\system32\fmrmhc.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0bad5052-665d-40d4-a9bd-a2891eaafb42}\InProcServer32]
@="C:\WINDOWS\system32\fmrmhc.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\fmrmhc.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\fmrmhc.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\Program Files\Safety Bar\ Deleted
C:\Program Files\Virus-Bursters\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

******************************************************

bigbhoy77 · 11-26-2006, 08:31 AM

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:35 06-11-26

+ Scan result:

C:\Program Files\VSAdd-in\__delete_on_reboot__V_S_A_d_d_-_i_n_._d_l_l_ -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038573.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\David\Desktop\Unused Desktop Shortcuts\setup.exe -> Adware.Dudu : Cleaned with backup (quarantined).
HKU\S-1-5-21-1955736025-1686106311-2215792801-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038424.dll -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kurttpfc.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\quougvpx.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\MyToolBar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\Uninstall.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{E4F9BF1A-0710-2057-0121-06101905002c}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{E4F9BF1A-0710-2057-0121-06101905002c}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP35\A0038262.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP36\A0038342.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038382.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038408.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP39\A0038760.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP39\A0038761.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\khfgdba.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP1\A0000087.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP1\A0000088.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP39\A0038895.dll -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP36\A0038341.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\puw4x2lb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.15:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\puw4x2lb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.6:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\puw4x2lb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\WINDOWS\system32\winrkp32.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP33\A0038005.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rugyuifq.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).

::Report end

*****************************************************

panda log

Incident Status Location

Spyware:spyware/virtumonde Not disinfected c:\windows\system32\ssqpp.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David\Cookies\david@atdmt[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\David\Cookies\david@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\David Wales\Cookies\david@serving-sys[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\David Wales\Cookies\david@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\David Wales\Cookies\david@winantivirus[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\David Wales\Cookies\david@www.winantivirus[1].txt
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\Uninst.exe
**********************************************************

HJT Log

ogfile of HijackThis v1.99.1
Scan saved at 15:37, on 06-11-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\PROGRA~1\McAfee\MSC\mcinfo.exe
C:\highjackthis\happy.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.mcafee.com/apps/vso/en-gb/...p?affid=370-21
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uxliwckt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: (no name) - {242A5537-631F-9060-FB37-0A8C162B8D5A} - C:\WINDOWS\system32\cmhditn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {845DE488-2B41-4A10-89CA-C5CBAF962BBC} - C:\WINDOWS\system32\ssqpp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C062FE27-5E27-443A-9A83-CCE515C41F29}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

tetonbob · 11-26-2006, 09:00 AM

Is your desktop back to normal?

bigbhoy77 · 11-26-2006, 09:19 AM

Quote:

Originally Posted by tetonbob

Is your desktop back to normal?

yes thanks

tetonbob · 11-26-2006, 09:26 AM

Ok, you still have infections present...please hang on whilst I devise a fix for you.

bigbhoy77 · 11-26-2006, 09:29 AM

Quote:

Originally Posted by tetonbob

Ok, you still have infections present...please hang on whilst I devise a fix for you.

OK thanks for taking the time out to help a complete noob like me

tetonbob · 11-26-2006, 09:55 AM

I'm working with the combofix author to try to assess the issue of it's stall.

What were the last words on combo's screen when it stalled? Were they:

Scanning for /wow

bigbhoy77 · 11-26-2006, 09:57 AM

Quote:

Originally Posted by tetonbob

I'm working with the combofix author to try to assess the issue of it's stall.

What were the last words on combo's screen when it stalled? Were they:

Scanning for /wow

yes

tetonbob · 11-26-2006, 10:07 AM

Thank you.

I shall return with some instructions for you as soon as I can.

11-24-2006, 09:23 AM	#1 (permalink)
bigbhoy77 Registered User Join Date: Aug 2006 Posts: 32 OS: XP home edition	Spyware Don't know if this is where i should post this problem apologies in advance if its the wrong section. I seem to have spyware on my comp i have tried various removal tools ie xoftspy, spybot, adaware, Trend Micro Anti-Spyware in safe-mode to no avail please can someone help get rid of this ?

11-25-2006, 12:09 AM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\ Double click on HijackThis.exe to run the program. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-25-2006, 12:35 PM	#4 (permalink)
bigbhoy77 Registered User Join Date: Aug 2006 Posts: 32 OS: XP home edition	ps hijackthis has removed the problem but my comp has been running weird since so could you tell me which one to delete so i can restore the rest thanks Last edited by bigbhoy77; 11-25-2006 at 12:40 PM.

11-25-2006, 02:42 PM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	HJT usage is best done under the supervision of trained Helpers. You must promise not to perform any more self-help fixes while we're working together, and only do exactly as instructed. There may be some lag time between replies, but we can get this issue resolved. If that log you posted is after you "fixed the lot", I'm not exactly sure what the issue might be causing the system to be "running weird". That said, you have several infections which are showing.....first, let's be sure we can see everything running. Open HJT and click on View the list of Backups. Check each item showing and then click Restore Click Yes. Reboot your system. Post a new HJT log __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-25-2006, 03:30 PM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	I'd like you to rename HijackThis.exe to happy.exe. Navigate to C:\highjackthis\HijackThis.exe Right click on HijackThis.exe Select 'Rename' Type in happy.exe Press Enter. Please post a new log with this renamed executable. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-25-2006, 04:07 PM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	OK, now we can see most of the junk that's clogging your system. This will take some time. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. --------------------------------------------------------------------------------------------- Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. --------------------------------------------------------------------------------------------- I see you have AVG Anti-Spyware already. Please update it's definitions, and run a scan where I have placed it in this fix. Run AVG Anti-Spyware From the main screen, click on update, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Exit AVG Anti-Spyware. DO NOT scan yet. --------------------------------------------------------------------------------------------- Download and install CleanUp! NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe We'll use this later. Download combofix.exe to your desktop. * IMPORTANT !!! Place it on your Desktop. We'll use this shortly. ------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file) O2 - BHO: (no name) - {2DB595B1-F9A8-470F-812E-532FE1829A25} - (no file) O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing) O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\888.dll O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing) O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvloz.dll,startup O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc O4 - HKLM\..\Run: [bqekkkf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bqekkkf.dll,spnrzlb O20 - Winlogon Notify: mlljk - C:\WINDOWS\ O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\ Close HijackThis now. --------------------------------------------------------------------------------------------- Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK "%userprofile%\desktop\combofix.exe" /v winwea32 ssqpp mlljk bqekkkf vvdkkpe drvloz cmhditn vorenbj uxliwckt When finished, it shall produce a log for you. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall --------------------------------------------------------------------------------------------- Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Toolbar 888 VS Add-in for Internet Explorer --------------------------------------------------------------------------------------------- Delete the following if they exist: C:\Program Files\VSAdd-in --------------------------------------------------------------------------------------------- Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. --------------------------------------------------------------------------------------------- Clean out your Temporary Internet files. Run Cleanup! using the following configuration: Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------------------------------------------------------------------------- Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" or something similar Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. --------------------------------------------------------------------------------------------- Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. --------------------------------------------------------------------------------------------- Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Run a new HijackThis scan. Save the log file and post it here. --------------------------------------------------------------------------------------------- Then post the following logs in your next reply... C:\ComboFix.txt C:\rapport.txt (log from the SmitfraudFix tool) AVG Anti-Spyware log Panda log Hijackthis log __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-26-2006, 04:31 AM	#10 (permalink)
bigbhoy77 Registered User Join Date: Aug 2006 Posts: 32 OS: XP home edition	"%userprofile%\desktop\combofix.exe" /v winwea32 ssqpp mlljk bqekkkf vvdkkpe drvloz cmhditn vorenbj uxliwckt was waiting on this to finish so i could post the log must have waited about 15mins then it just disappeared and now i have a blank desktop?

11-26-2006, 05:01 AM	#11 (permalink)
bigbhoy77 Registered User Join Date: Aug 2006 Posts: 32 OS: XP home edition	Toolbar 888 VS Add-in for Internet Explorer --------------------------------------------------------------------------------------------- Delete the following if they exist: C:\Program Files\VSAdd- dont have Toolbar 888 or C:Program Files\VSAdd- but have VS Add-in for Internet Explorer but wont let me romove for add/remove programs

11-26-2006, 05:17 AM	#12 (permalink)
bigbhoy77 Registered User Join Date: Aug 2006 Posts: 32 OS: XP home edition	Sorry couldn't get a log from Combofix *************************************************** SmitFraudFix v2.124 Scan done at 12:05:10.17, 06-11-26 Run from C:\Documents and Settings\David\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{0bad5052-665d-40d4-a9bd-a2891eaafb42}"="boucicault" [HKEY_CLASSES_ROOT\CLSID\{0bad5052-665d-40d4-a9bd-a2891eaafb42}\InProcServer32] @="C:\WINDOWS\system32\fmrmhc.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0bad5052-665d-40d4-a9bd-a2891eaafb42}\InProcServer32] @="C:\WINDOWS\system32\fmrmhc.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\fmrmhc.dll -> Hoax.Win32.Renos.gen.i C:\WINDOWS\system32\fmrmhc.dll -> Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\ishost.exe Deleted C:\WINDOWS\system32\ismini.exe Deleted C:\WINDOWS\system32\components\flx?.dll Deleted C:\Program Files\Safety Bar\ Deleted C:\Program Files\Virus-Bursters\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. **************************************************** Last edited by bigbhoy77; 11-26-2006 at 05:45 AM.

11-26-2006, 08:31 AM	#13 (permalink)
bigbhoy77 Registered User Join Date: Aug 2006 Posts: 32 OS: XP home edition	AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 13:35 06-11-26 + Scan result: C:\Program Files\VSAdd-in\__delete_on_reboot__V_S_A_d_d_-_i_n_._d_l_l_ -> Adware.Agent : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038573.dll -> Adware.Agent : Cleaned with backup (quarantined). C:\Documents and Settings\David\Desktop\Unused Desktop Shortcuts\setup.exe -> Adware.Dudu : Cleaned with backup (quarantined). HKU\S-1-5-21-1955736025-1686106311-2215792801-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038424.dll -> Adware.Searchcolor : Cleaned with backup (quarantined). C:\WINDOWS\system32\kurttpfc.exe -> Adware.Searchcolor : Cleaned with backup (quarantined). C:\WINDOWS\system32\quougvpx.exe -> Adware.Searchcolor : Cleaned with backup (quarantined). C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\MyToolBar.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\Uninstall.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\Program Files\Common Files\{E4F9BF1A-0710-2057-0121-06101905002c}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\Program Files\Common Files\{E4F9BF1A-0710-2057-0121-06101905002c}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP35\A0038262.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP36\A0038342.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038382.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP37\A0038408.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP39\A0038760.dll -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP39\A0038761.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\WINDOWS\system32\khfgdba.dll -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP1\A0000087.exe -> Downloader.Zlob : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP1\A0000088.exe -> Downloader.Zlob : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP39\A0038895.dll -> Downloader.Zlob : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP36\A0038341.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined). :mozilla.14:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\puw4x2lb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.15:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\puw4x2lb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.6:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\puw4x2lb.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. C:\WINDOWS\system32\winrkp32.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined). C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}\RP33\A0038005.dll -> Trojan.BHO.g : Cleaned with backup (quarantined). C:\WINDOWS\system32\rugyuifq.dll -> Trojan.BHO.g : Cleaned with backup (quarantined). ::Report end *************************************************** panda log Incident Status Location Spyware:spyware/virtumonde Not disinfected c:\windows\system32\ssqpp.dll Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David\Cookies\david@atdmt[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\David\Cookies\david@mediaplex[1].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\David Wales\Cookies\david@serving-sys[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\David Wales\Cookies\david@stats1.reliablestats[1].txt Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\David Wales\Cookies\david@winantivirus[1].txt Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\David Wales\Cookies\david@www.winantivirus[1].txt Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{34F9BF1A-0710-2057-0121-06101905002c}\Uninst.exe ******************************************************** HJT Log ogfile of HijackThis v1.99.1 Scan saved at 15:37, on 06-11-26 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\zHotkey.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\PROGRA~1\McAfee\MSC\mclogsrv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe C:\Program Files\Trend Micro\Tmas\Tmas.exe C:\PROGRA~1\McAfee\MSC\mctskshd.exe C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Spyware Doctor\sdhelp.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\AOL 9.0\waol.exe C:\Program Files\AOL 9.0\shellmon.exe C:\Program Files\Common Files\AOL\aoltpspd.exe C:\PROGRA~1\McAfee\MSC\mcinfo.exe C:\highjackthis\happy.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.mcafee.com/apps/vso/en-gb/...p?affid=370-21 R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uxliwckt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll O2 - BHO: (no name) - {242A5537-631F-9060-FB37-0A8C162B8D5A} - C:\WINDOWS\system32\cmhditn.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: (no name) - {845DE488-2B41-4A10-89CA-C5CBAF962BBC} - C:\WINDOWS\system32\ssqpp.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar2.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{C062FE27-5E27-443A-9A83-CCE515C41F29}: NameServer = 205.188.146.145 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing) O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe Last edited by bigbhoy77; 11-26-2006 at 08:38 AM.

11-26-2006, 09:00 AM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	Is your desktop back to normal? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-26-2006, 09:26 AM	#16 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	Ok, you still have infections present...please hang on whilst I devise a fix for you. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-26-2006, 09:55 AM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	I'm working with the combofix author to try to assess the issue of it's stall. What were the last words on combo's screen when it stalled? Were they: Scanning for /wow __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-26-2006, 10:07 AM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,197 OS: 2000 Pro; XP Pro; XP Home	Thank you. I shall return with some instructions for you as soon as I can. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009