Registered · 3 Posts
Discussion Starter · #1 ·
I was recently infected by Bo: Heap and Trojan.inject.au despite continuous protection from McAfee, ZoneAlarm and SpywareBlaster. I believe I have removed most of the issue, as my computer has returned to normal operating speed and the error messages have stopped. I have run multiple anti-virus and spyware scans with several programs on fresh boots into Safe Mode. The only issue that still remains (well, the only one visible to me) is the pop-ups in Internet Explorer despite the pop-up blocker being enabled. I am running WinXP SP2 and IE7. Log to follow.

Logfile of HijackThis v1.99.1
Scan saved at 4:30:19 PM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\regprot\regprot.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to you by Scottie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {00000000-0008-5041-4354-0020e48020af} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [32 admin] C:\DOCUME~1\Scottie\APPLIC~1\thatdeaf\debugburnsoft.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download With Super Downloader - C:\WINDOWS\system32\DAP_32.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-c.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145401312953
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B954E5CF-57C9-4719-AED8-0D65BCE86BFC} - http://www.viewbuild.com/activex/viewbuildonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol126.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45413200-F1D7-4C2C-9971-9675D6A517D6}: NameServer = 192.168.1.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\WINDOWS\system32\eztoolslib2.dll
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

TSF Security Manager, Emeritus · 52,197 Posts
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

This is but Round 1. It may take several posts, and a few different tools, to complete this fix. Please see this fix through to completion. Do not mistake a lack of symptoms for a completely clean machine.

---------------------------------------------------------------------------------------------

Please download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

We'll use this shortly.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O3 - Toolbar: (no name) - {00000000-0008-5041-4354-0020e48020af} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKCU\..\Run: [32 admin] C:\DOCUME~1\Scottie\APPLIC~1\thatdeaf\debugburnsoft.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/i...ncherSetup.cab


Close HijackThis now.

---------------------------------------------------------------------------------------------


  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Documents and Settings\Scottie\Application Data\thatdeaf

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Download fl.zip
Extract the contents to a new folder on your Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

---------------------------------------------------------------------------------------------

Please Post the contents of C:\NoLop.log along with a fresh HijackThis log, the report from fl.bat at C:\findlop.txt, and the results from Panda online scan.
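The helper's "Fix Checked" list above was built by reading the HijackThis log by hand for a few tell-tale shapes: entries that point at a file that no longer exists, CLSIDs with a missing closing brace or too few hex digits, a Run entry launching from a user's Application Data folder, and a broken LSP chain. The following Python script is an added example (not part of this thread, HijackThis, NoLop or the helper's fix) that applies those same heuristics to log lines automatically. The rules and reason tags are my own, the sample lines are copied from the logs posted in this thread, and a flag means "this entry deserves a look", not "this entry is malware".

```python
"""Heuristic triage of HijackThis v1.99 log entries.

Added example for this thread; it is not part of HijackThis, NoLop or the
helper's fix. The rules are this reviewer's heuristics, modelled on the
entries the helper ticked for "Fix Checked": a flag means "look at this",
not "this is malware".
"""
import re

# Reason tags returned by triage_line().
ORPHANED = "orphaned: entry points at a file that no longer exists"
BAD_CLSID = "malformed CLSID: not 8-4-4-4-12 hex, or closing brace missing"
APPDATA_AUTORUN = "autorun launches from a user profile's Application Data"
WININI_RUN = "legacy win.ini run= entry (rarely used by legitimate software)"
BROKEN_LSP = "LSP chain references a provider DLL that is missing"

# First {CLSID token of an O2/O3/O9 entry; group 2 is the closing brace, if any.
CLSID_TOKEN = re.compile(r"\{([0-9A-Fa-f-]+)(\}?)")
# A well-formed CLSID body: 8-4-4-4-12 hex digits.
CLSID_SHAPE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def triage_line(line: str) -> list:
    """Return the reasons an entry deserves review; an empty list means none noted."""
    line = line.strip()
    reasons = []
    if not line:
        return reasons
    kind = line.split(" - ", 1)[0]          # "R1", "O2", "F3", ...
    low = line.lower()

    # Rule 1: HijackThis marks entries whose target is gone with "(no file)".
    if "(no file)" in low:
        reasons.append(ORPHANED)

    # Rule 2: a BHO/toolbar/button CLSID that is not 8-4-4-4-12 or lacks its "}".
    if kind in ("O2", "O3", "O9"):
        m = CLSID_TOKEN.search(line)
        if m and not (CLSID_SHAPE.fullmatch(m.group(1)) and m.group(2)):
            reasons.append(BAD_CLSID)

    # Rule 3: Run-key autostarts living under a user's Application Data folder.
    if kind == "O4" and ("application data" in low or "applic~1" in low):
        reasons.append(APPDATA_AUTORUN)

    # Rule 4: the 16-bit-era win.ini run= hook.
    if kind == "F3" and "win.ini" in low and "run=" in low:
        reasons.append(WININI_RUN)

    # Rule 5: Winsock LSP chain pointing at a provider that is no longer present.
    if kind == "O10" and "lsp" in low and "missing" in low:
        reasons.append(BROKEN_LSP)

    return reasons


def triage_log(text: str) -> dict:
    """Map each flagged entry to its reasons, preserving log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [32 admin] C:\DOCUME~1\Scottie\APPLIC~1\thatdeaf\debugburnsoft.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a saved log with `triage_log(open("hijackthis.log").read())`. Rule 1 is deliberately limited to "(no file)": the "(file missing)" marker also appears on benign Windows entries such as the xpnetdiag button in the log above, so it is left for a human to judge. The sample includes the well-formed Adobe BHO and the ctfmon.exe Run entry precisely so you can see that ordinary entries pass through unflagged.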
 

Registered · 3 Posts
Discussion Starter · #3 ·
Thanks so much for the help. Sorry for the delay, but here are the results. I've followed every step to the T.

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Scottie\Desktop
[1/20/2007]
[4:44:10 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator.sdholden1\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Ati Mmc
C:\Documents and Settings\All Users\Application Data\Autodesk
C:\Documents and Settings\All Users\Application Data\Avanquest Software
C:\Documents and Settings\All Users\Application Data\Bvrp Software
C:\Documents and Settings\All Users\Application Data\Fellowes
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Hewlett-packard
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Kazaa
C:\Documents and Settings\All Users\Application Data\Macromedia
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Motive -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Motivesysids
C:\Documents and Settings\All Users\Application Data\Napster
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Network Associates
C:\Documents and Settings\All Users\Application Data\Nfs Underground
C:\Documents and Settings\All Users\Application Data\Noun Bleh Dale Rect
C:\Documents and Settings\All Users\Application Data\Popcap
C:\Documents and Settings\All Users\Application Data\Preemptive Solutions
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Support.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Bytemobile
C:\Documents and Settings\Localservice\Application Data\Kinko's
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Logmeinremoteuser\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Bytemobile
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Scottie\Application Data\.bittornado
C:\Documents and Settings\Scottie\Application Data\Acccore
C:\Documents and Settings\Scottie\Application Data\Acoustica
C:\Documents and Settings\Scottie\Application Data\Adobe
C:\Documents and Settings\Scottie\Application Data\Adobeaum
C:\Documents and Settings\Scottie\Application Data\Adobeum
C:\Documents and Settings\Scottie\Application Data\Ahead
C:\Documents and Settings\Scottie\Application Data\Aim
C:\Documents and Settings\Scottie\Application Data\Alien Skin
C:\Documents and Settings\Scottie\Application Data\Aol
C:\Documents and Settings\Scottie\Application Data\Apple Computer
C:\Documents and Settings\Scottie\Application Data\Ati
C:\Documents and Settings\Scottie\Application Data\Azureus
C:\Documents and Settings\Scottie\Application Data\Cingular
C:\Documents and Settings\Scottie\Application Data\Common Files
C:\Documents and Settings\Scottie\Application Data\Corel
C:\Documents and Settings\Scottie\Application Data\Creative
C:\Documents and Settings\Scottie\Application Data\Cyberscrub
C:\Documents and Settings\Scottie\Application Data\Divx
C:\Documents and Settings\Scottie\Application Data\Dogjoy -- EMPTY Directory
C:\Documents and Settings\Scottie\Application Data\Downloaded Installations
C:\Documents and Settings\Scottie\Application Data\Google
C:\Documents and Settings\Scottie\Application Data\Gtek
C:\Documents and Settings\Scottie\Application Data\Help
C:\Documents and Settings\Scottie\Application Data\Hp
C:\Documents and Settings\Scottie\Application Data\Icq
C:\Documents and Settings\Scottie\Application Data\Intervideo
C:\Documents and Settings\Scottie\Application Data\Kazaa Lite
C:\Documents and Settings\Scottie\Application Data\Kinko's
C:\Documents and Settings\Scottie\Application Data\Leadertech
C:\Documents and Settings\Scottie\Application Data\Macromedia
C:\Documents and Settings\Scottie\Application Data\Media Player Classic
C:\Documents and Settings\Scottie\Application Data\Microsoft
C:\Documents and Settings\Scottie\Application Data\Mozilla
C:\Documents and Settings\Scottie\Application Data\Nch Swift Sound
C:\Documents and Settings\Scottie\Application Data\Nerodctemplates
C:\Documents and Settings\Scottie\Application Data\Netpumper
C:\Documents and Settings\Scottie\Application Data\Opera -- EMPTY Directory
C:\Documents and Settings\Scottie\Application Data\Real
C:\Documents and Settings\Scottie\Application Data\Roxio
C:\Documents and Settings\Scottie\Application Data\Safe Folder -- EMPTY Directory
C:\Documents and Settings\Scottie\Application Data\Slysoft
C:\Documents and Settings\Scottie\Application Data\Smartftp
C:\Documents and Settings\Scottie\Application Data\Sun
C:\Documents and Settings\Scottie\Application Data\Symantec
C:\Documents and Settings\Scottie\Application Data\Talkback
C:\Documents and Settings\Scottie\Application Data\The Labyrinth Plus! Edition
C:\Documents and Settings\Scottie\Application Data\Tunebite
C:\Documents and Settings\Scottie\Application Data\U3
C:\Documents and Settings\Scottie\Application Data\X-chat 2
C:\Documents and Settings\Scottie\Application Data\Yahoo!

________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 6:09:01 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Network Associates\VirusScan\MCUPDATE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to you by Scottie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download With Super Downloader - C:\WINDOWS\system32\DAP_32.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-c.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145401312953
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B954E5CF-57C9-4719-AED8-0D65BCE86BFC} - http://www.viewbuild.com/activex/viewbuildonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol126.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45413200-F1D7-4C2C-9971-9675D6A517D6}: NameServer = 192.168.1.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\WINDOWS\system32\eztoolslib2.dll
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

_____________________________________________


Volume in drive C is DSK3_VOL1
Volume Serial Number is CB2E-7BC0

Directory of C:\Documents and Settings\All Users\Application Data

11/30/2006 02:16 AM <DIR> Adobe
06/07/2006 04:47 PM <DIR> Adobe Systems
11/12/2006 08:34 PM <DIR> AOL
11/12/2006 08:32 PM <DIR> AOL Downloads
09/25/2006 05:58 PM <DIR> Apple Computer
10/07/2005 04:17 PM <DIR> ATI MMC
10/07/2005 04:17 PM <DIR> Autodesk
05/03/2006 05:34 PM <DIR> Avanquest Software
05/03/2006 05:43 PM <DIR> BVRP Software
10/07/2005 04:18 PM <DIR> Fellowes
08/23/2006 08:39 AM <DIR> Google
11/16/2006 11:05 AM <DIR> Hewlett-Packard
10/07/2005 04:18 PM <DIR> HP
11/16/2006 11:11 AM 38,886 hpzinstall.log
05/04/2006 02:37 PM <DIR> InstallShield
10/07/2005 04:18 PM <DIR> Kazaa
10/07/2005 04:18 PM <DIR> Macromedia
10/07/2005 04:18 PM <DIR> Macrovision
12/21/2006 04:19 PM <DIR> Microsoft Help
04/10/2006 12:51 PM <DIR> Motive
04/10/2006 01:32 PM <DIR> MotiveSysIDs
12/19/2005 05:54 PM <DIR> Napster
01/19/2007 07:05 PM <DIR> Nero
10/07/2005 04:19 PM <DIR> Network Associates
10/07/2005 04:19 PM <DIR> NFS Underground
01/19/2007 04:13 AM <DIR> noun bleh dale rect
10/07/2005 04:19 PM <DIR> PopCap
04/25/2006 09:32 AM <DIR> PreEmptive Solutions
10/07/2005 04:19 PM <DIR> Pure Networks
10/07/2005 04:19 PM <DIR> QuickTime
01/19/2007 11:32 AM <DIR> Real
04/14/2006 02:00 AM <DIR> Spybot - Search & Destroy
10/07/2005 04:20 PM <DIR> Support.com
10/07/2005 04:20 PM <DIR> Symantec
12/21/2006 04:12 PM <DIR> Viewpoint
04/10/2006 10:41 PM <DIR> Windows Genuine Advantage
11/02/2006 06:14 AM <DIR> yahoo!
11/02/2006 06:16 AM <DIR> Yahoo! Companion
1 File(s) 38,886 bytes
37 Dir(s) 138,580,418,560 bytes free
Volume in drive C is DSK3_VOL1
Volume Serial Number is CB2E-7BC0

Directory of C:\Documents and Settings\LogMeInRemoteUser\Application Data

Volume in drive C is DSK3_VOL1
Volume Serial Number is CB2E-7BC0

Directory of C:\Documents and Settings\Scottie\Application Data

10/07/2005 04:21 PM <DIR> .BitTornado
04/14/2006 04:25 PM 0 .googlewebacchosts
11/12/2006 08:36 PM <DIR> acccore
10/07/2005 04:21 PM <DIR> Acoustica
01/15/2007 03:35 PM <DIR> Adobe
10/07/2005 04:21 PM <DIR> AdobeAUM
12/17/2006 02:48 PM <DIR> AdobeUM
01/19/2007 07:12 PM <DIR> Ahead
10/07/2005 04:21 PM <DIR> Aim
01/15/2007 11:17 PM <DIR> Alien Skin
10/07/2005 04:21 PM <DIR> AOL
09/25/2006 06:00 PM <DIR> Apple Computer
05/03/2006 05:06 PM <DIR> ATI
01/21/2007 03:15 PM <DIR> Azureus
10/07/2005 04:21 PM <DIR> Cingular
10/07/2005 04:21 PM <DIR> Common Files
10/09/2005 10:04 PM <DIR> Corel
10/10/2005 02:11 PM <DIR> Creative
06/03/2006 05:20 PM <DIR> CyberScrub
07/09/2006 06:23 PM 1,904 D - HP - DVD Writer 840b - HJ86.dat
12/27/2004 04:02 PM 1,882 D - LITE-ON - COMBO LTC-48161H - KH0N.dat
01/15/2007 11:49 AM <DIR> DivX
01/12/2004 02:10 AM 0 dm.ini
01/17/2007 05:25 PM <DIR> dogjoy
05/04/2006 02:35 PM <DIR> Downloaded Installations
07/09/2006 06:23 PM 1,882 E - LITE-ON - COMBO LTC-48161H - KH0N.dat
04/19/2006 09:55 AM 1,613 G - AXV - CD-DVD-ROM - 2.2a.dat
07/09/2006 06:23 PM 1,614 G - FU0071X - MGE252V - 2.0B.dat
05/18/2005 08:04 PM 123,064 GDIPFONTCACHEV1.DAT
08/25/2006 03:46 PM <DIR> Google
10/07/2005 04:21 PM <DIR> Help
10/07/2005 04:21 PM <DIR> HP
10/07/2005 04:21 PM <DIR> ICQ
10/09/2005 10:04 PM <DIR> InterVideo
10/07/2005 04:21 PM <DIR> Kazaa Lite
05/04/2006 02:40 PM <DIR> Kinko's
10/07/2005 04:21 PM <DIR> Leadertech
10/07/2005 04:21 PM <DIR> Macromedia
01/19/2007 11:59 AM <DIR> Media Player Classic
11/12/2006 08:32 PM <DIR> Mozilla
09/22/2006 03:25 PM <DIR> NCH Swift Sound
12/07/2006 06:41 PM <DIR> NeroDCTemplates
01/15/2007 03:30 PM <DIR> NetPumper
03/20/2006 04:09 PM <DIR> Opera
01/19/2007 11:09 AM <DIR> Real
10/07/2005 04:22 PM <DIR> Roxio
06/06/2006 11:10 AM <DIR> Safe Folder
11/13/2006 03:38 PM <DIR> SlySoft
10/09/2005 10:04 PM <DIR> SmartFTP
10/07/2005 04:22 PM <DIR> Sun
10/07/2005 04:22 PM <DIR> Symantec
04/14/2006 03:54 PM <DIR> Talkback
10/07/2005 04:22 PM <DIR> The Labyrinth Plus! Edition
12/17/2006 02:48 PM <DIR> tunebite
12/16/2006 04:46 PM <DIR> U3
10/02/2006 09:19 PM 1,024 WavCodec.wff
04/12/2006 06:07 PM <DIR> X-Chat 2
9 File(s) 132,983 bytes
48 Dir(s) 138,580,414,464 bytes free
Volume in drive C is DSK3_VOL1
Volume Serial Number is CB2E-7BC0

Directory of C:\Documents and Settings\Default User\Application Data

10/07/2005 04:21 PM <DIR> .
10/07/2005 04:21 PM <DIR> ..
03/22/2004 12:36 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 138,580,414,464 bytes free
Volume in drive C is DSK3_VOL1
Volume Serial Number is CB2E-7BC0

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is DSK3_VOL1
Volume Serial Number is CB2E-7BC0

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/16/2007 8:52:00
NextRun: 01/23/2007 8:52:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: ..T....
StartDate: 09/25/2006
EndDate: 00/00/0000
StartTime: 08:52
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


__________________________________________


Incident Status Location

Spyware:spyware/whazit Not disinfected c:\windows\system32\cards.ico
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\mset_bbi8010.exe
Adware:adware/ist.istbar Not disinfected Windows Registry
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Adware:adware/sidesearch Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/searchresults Not disinfected Windows Registry
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2b93cb1f-5f895cee.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2b93cb1f-5f895cee.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2b93cb1f-5f895cee.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2b93cb1f-5f895cee.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-6ab41e9f.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-6ab41e9f.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-6ab41e9f.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-6ab41e9f.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-840b0af-4c0afc4f.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-840b0af-4c0afc4f.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-840b0af-4c0afc4f.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-840b0af-4c0afc4f.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-1e16b691.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-1e16b691.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-1e16b691.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-1e16b691.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1d04a75a-6cfbe264.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1d04a75a-6cfbe264.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1d04a75a-6cfbe264.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1d04a75a-6cfbe264.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv644.jar-253e0c73-1d5ed180.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv644.jar-253e0c73-1d5ed180.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv644.jar-253e0c73-1d5ed180.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Scottie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv644.jar-253e0c73-1d5ed180.zip[Parser.class]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Scottie\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Scottie\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scottie\Cookies\[email protected][1].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Scottie\Local Settings\Temp\bis68.exe
Adware:Adware/Lop
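The HijackThis log in this post shows the pattern a reviewer looks for before anything else: a file called scvhost.exe (svchost.exe with two letters swapped) sitting directly in C:\WINDOWS rather than system32, started three ways at once (win.ini run=, a Run value with an empty name, and the Windows 9x RunServices key, which XP does not process but which malware still writes), plus orphaned entries whose files are gone ("(no file)", the missing LSP in the O10 line). The script below is an added example for this thread, not HijackThis code and not part of any post: it applies those checks to lines copied from the log above, alongside three clean lines (SHSTAT.EXE, ctfmon.exe, WgaLogon.dll) that must not be flagged. The heuristic names, the edit-distance threshold of 2 and the list of imitated system binaries are my own assumptions.

```python
"""Triage heuristics for a HijackThis 1.99 log.

Added example for the thread, not HijackThis code and not part of any post.
SAMPLE_LOG holds lines copied from the log above; the heuristic names, the
edit-distance threshold and the list of imitated system binaries are my own
assumptions.
"""
import re

# Lines copied from the HijackThis log posted above (raw string: backslashes are literal).
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Binaries that malware imitates by swapping or changing a letter or two
# (assumed list; scvhost.exe vs svchost.exe is the case in this log).
SYSTEM_BINARIES = sorted({"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                          "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"})
LOOKALIKE_MAX_EDITS = 2  # assumed threshold

# First Windows path that ends in an executable extension; quoted paths may contain spaces.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|scr|bat))', re.I)


def edit_distance(a, b):
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary that `name` imitates, or None if it is exact or unrelated."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) <= LOOKALIKE_MAX_EDITS:
            return real
    return None


def in_windows_root(path):
    """True when the file sits directly in the Windows directory instead of system32."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() in ("windows", "winnt")


def triage(log_text):
    """Return [(line, [reasons])] for every log line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, _, rest = line.partition(" - ")       # "O4", "F3", ...
        m = PATH_RE.search(rest)
        path = m.group(1) if m else None
        name = path.rsplit("\\", 1)[-1] if path else None
        real = lookalike(name) if name else None
        reasons = []
        if section == "F3" and "run=" in rest.lower():
            reasons.append("win.ini run= autostart (registry-mapped on XP; rarely legitimate)")
        if section == "O4" and "[]" in rest:
            reasons.append("Run entry with an empty value name")
        if section == "O4" and "RunServices" in rest:
            reasons.append("RunServices key (Windows 9x autostart; XP ignores it, malware still writes it)")
        if path and in_windows_root(path):
            reasons.append("executable directly in the Windows directory, not system32")
        if real:
            reasons.append(f"{name} imitates {real}")
        if "(no file)" in rest or " missing" in rest:
            reasons.append("orphaned entry: the referenced file is missing")
        if reasons:
            findings.append((line, reasons))
    return findings


def suspect_paths(findings):
    """Distinct file paths named by flagged lines (candidates for the safe-mode delete step)."""
    return sorted({PATH_RE.search(line).group(1) for line, _ in findings if PATH_RE.search(line)})


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
    print("suspect files:", suspect_paths(triage(SAMPLE_LOG)))
```

On the sample, six of the nine lines are flagged and the only file that falls out of suspect_paths is C:\WINDOWS\scvhost.exe, which is exactly what the fix in the next post removes. The look-alike check deliberately returns nothing for the real svchost.exe and for WgaLogon.dll, so a name close to a system binary is only reported when it is not that binary.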
 

TSF Security Manager, Emeritus
52,197 Posts
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

A new infection entry has appeared in your log. Please curtail your internet usage until this system is clean. Disconnect it from any router/modem while not in use for these cleaning instructions.

---------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update its definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware
  • From the main screen, click on update, then click the Start
    update
    button.
  • After the update finishes (the status bar at the bottom will display "Update
    successful")
  • select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Exit AVG Anti-Spyware. DO NOT scan yet.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only. We'll use this shortly.

Download combofix.exe to your desktop. We'll use this shortly.

---------------------------------------------------------------------------------------------

Disconnect from the internet. Pull the plug!

---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe


Close HijackThis now.

---------------------------------------------------------------------------------------------

Run ComboFix

  1. Double click on combofix.exe & follow the prompts.
  2. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch]

[-hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:


Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked

    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following (if they exist):

C:\Documents and Settings\All Users\Application Data\Noun Bleh Dale Rect
C:\Documents and Settings\Scottie\Application Data\Dogjoy
C:\WINDOWS\scvhost.exe
c:\windows\system32\cards.ico
c:\windows\system32\mset_bbi8010.exe


---------------------------------------------------------------------------------------------


  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Reconnect your machine to the internet.

---------------------------------------------------------------------------------------------

Download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.php#adaware for better scan results. Run the scan and fix everything that it finds.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save Report As button.
  • Select txt file from the dropdown menu, to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

combofix (C:\ComboFix.txt)
AVG Anti-Spyware
kaspersky online scan
HJT
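The REGEDIT4 file in the fix above deletes three keys. Two details carry the whole effect: the header line is what regedit checks before it will merge the file (hence "don't forget REGEDIT4"), and the leading "-" inside the brackets is what turns a key line into a deletion; drop it and the same line silently creates an empty key instead. A typo in the path can also widen a deletion to an entire subtree. The script below is an added example for this thread, not part of the helper's instructions and not a tool the thread mentions: it parses the .reg text from the fix, embedded verbatim, and compares every deletion against an allow-list of the same three keys, written with short hive names and different casing to show that the comparison ignores both. The checking rules, the hive table and the depth limit are my own assumptions about what a safe deletion file should contain.

```python
"""Sanity-check a REGEDIT4 deletion file before merging it.

Added example for this thread; not part of the helper's instructions and not
a tool the thread mentions. REG_TEXT is the .reg text from the fix above; the
allow-list repeats the same three keys. The checking rules, the hive table
and the depth limit are my own assumptions.
"""
import re

# The deletion file from the fix above, verbatim (raw string keeps the backslashes).
REG_TEXT = r"""REGEDIT4

[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch]

[-hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]
"""

# The keys the fix intends to delete, written with short hive names and mixed case
# to show that the comparison ignores both (registry key names are case-insensitive).
ALLOWED = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch",
    r"HKCR\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM",
]

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")  # the two headers regedit accepts
HIVES = {"hkey_local_machine": "HKLM", "hklm": "HKLM",
         "hkey_current_user": "HKCU", "hkcu": "HKCU",
         "hkey_classes_root": "HKCR", "hkcr": "HKCR",
         "hkey_users": "HKU", "hku": "HKU"}
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")   # [key] creates, [-key] deletes
MIN_DEPTH = 2  # assumption: never delete a hive or a direct child such as HKLM\SOFTWARE


def parse_reg(text):
    """Split a .reg file into (header, [(is_delete, key_path)], [other lines])."""
    lines = [ln.strip() for ln in text.splitlines()]
    header = lines[0] if lines else ""
    keys, others = [], []
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):          # blank lines and comments are harmless
            continue
        m = KEY_LINE.match(ln)
        if m:
            keys.append((m.group(1) == "-", m.group(2)))
        else:
            others.append(ln)                     # value assignments or junk
    return header, keys, others


def normalize(path):
    """Canonical form for comparison: short hive name plus lower-cased subkey path."""
    hive, _, rest = path.partition("\\")
    return HIVES[hive.lower()] + "\\" + rest.lower()


def check_reg(text, allowed):
    """Return a list of problems; an empty list means the file only deletes allowed keys."""
    problems = []
    header, keys, others = parse_reg(text)
    if header not in HEADERS:
        problems.append(f"bad header {header!r}: regedit will not merge this file")
    for ln in others:
        problems.append(f"unexpected non-key line: {ln}")
    allowed_norm = {normalize(a) for a in allowed}
    for is_delete, path in keys:
        hive = path.partition("\\")[0].lower()
        if hive not in HIVES:
            problems.append(f"unknown hive in {path}")
        elif not is_delete:
            problems.append(f"[{path}] creates a key instead of deleting one (missing '-')")
        elif path.count("\\") < MIN_DEPTH:
            problems.append(f"refusing to delete shallow key {path}")
        elif normalize(path) not in allowed_norm:
            problems.append(f"{path} is not in the allow-list")
    return problems


if __name__ == "__main__":
    for p in check_reg(REG_TEXT, ALLOWED) or ["ok: only the three intended keys are deleted"]:
        print(p)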
 

Registered
3 Posts
Discussion Starter · #5
Thanks again for your assistance. I was unable to run the Kaspersky online scan for some reason. The ActiveX control didn't seem to be functioning properly, whether from their end or my system. I did, however, download the trial version of their virus scan and it found nothing. Here are the other requested logs.

"Scottie" - 07-01-22 14:11:13 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Scottie\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini
C:\WINDOWS\system32\SVKP.sys
C:\setup.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-20 16:44 106 --a------ C:\delete.bat
2007-01-19 19:07 <DIR> d-------- C:\DOCUME~1\Scottie\Application Data\Ahead
2007-01-19 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Nero
2007-01-19 18:29 0 --a------ C:\prwj.exe
2007-01-19 18:29 0 --a------ C:\nmuxxyvs.exe
2007-01-19 18:29 0 --a------ C:\mcsbyu.exe
2007-01-19 18:29 0 --a------ C:\klhtmn.exe
2007-01-19 18:29 0 --a------ C:\jnxxfy.exe
2007-01-19 18:29 0 --a------ C:\ejtbhe.exe
2007-01-19 18:29 0 --a------ C:\cfrm.exe
2007-01-19 18:29 0 --a------ C:\batjy.exe
2007-01-19 11:59 <DIR> d-------- C:\DOCUME~1\Scottie\Application Data\Media Player Classic
2007-01-19 11:32 568,850 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-01-19 11:32 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-01-19 11:32 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-01-19 11:32 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-01-19 11:32 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-01-19 11:32 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-01-19 11:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Real
2007-01-19 03:10 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2007-01-19 03:10 <DIR> d-------- C:\Program Files\Agnitum
2007-01-18 16:26 <DIR> d-------- C:\HJT
2007-01-17 16:46 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-17 16:13 11,504 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-01-17 11:03 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-01-17 02:01 <DIR> d-------- C:\DOCUME~1\Scottie\Application Data\dogjoy
2007-01-16 23:38 <DIR> d-------- C:\Program Files\Grisoft
2007-01-16 23:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-16 23:27 <DIR> d-------- C:\fixwareout
2007-01-16 19:15 <DIR> d-------- C:\Program Files\Microsoft Games
2007-01-15 15:29 <DIR> d-------- C:\Program Files\NetPumper
2007-01-15 15:29 <DIR> d-------- C:\DOCUME~1\Scottie\Application Data\NetPumper
2007-01-15 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\noun bleh dale rect
2007-01-15 11:49 <DIR> d-------- C:\DOCUME~1\Scottie\Application Data\DivX
2007-01-15 11:45 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-01-15 11:45 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-15 11:45 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-15 11:43 856,064 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-01-15 11:43 217,088 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-01-15 11:43 <DIR> d-------- C:\Program Files\Xvid
2007-01-14 16:05 13,040 --a------ C:\WINDOWS\system32\LMIport.dll
2007-01-14 16:04 <DIR> d-------- C:\Program Files\LogMeIn
2006-12-30 17:06 <DIR> d-------- C:\Program Files\Common Files\Ahead


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-21 15:15 -------- d-------- C:\DOCUME~1\Scottie\Application Data\azureus
2007-01-20 18:04 -------- d-------- C:\Program Files\smartftp
2007-01-20 18:04 -------- d-------- C:\Program Files\quicktime
2007-01-20 18:00 -------- d-------- C:\Program Files\motherboard monitor 5
2007-01-20 17:32 -------- d-------- C:\Program Files\google
2007-01-20 17:25 -------- d-------- C:\Program Files\Common Files\lightscribe
2007-01-20 17:25 -------- d-------- C:\Program Files\Common Files\aolshare
2007-01-19 11:10 -------- d-------- C:\Program Files\Common Files\real
2007-01-19 11:09 -------- d-------- C:\DOCUME~1\Scottie\Application Data\real
2007-01-18 16:07 -------- d-------- C:\Program Files\spywareblaster
2007-01-17 11:03 -------- d--h----- C:\Program Files\installshield installation information
2007-01-17 10:49 -------- d---s---- C:\DOCUME~1\Scottie\Application Data\microsoft
2007-01-16 23:43 -------- d-------- C:\Program Files\cyberscrub privacy suite
2007-01-16 17:12 -------- d-------- C:\Program Files\apple software update
2007-01-16 16:32 -------- d-------- C:\Program Files\azureus
2007-01-15 23:17 -------- d-------- C:\DOCUME~1\Scottie\Application Data\alien skin
2007-01-15 15:35 -------- d-------- C:\DOCUME~1\Scottie\Application Data\adobe
2007-01-15 11:45 -------- d-------- C:\Program Files\divx
2007-01-04 16:45 -------- d-------- C:\Program Files\bodog poker
2007-01-02 13:25 -------- d-------- C:\Program Files\mightyfax
2006-12-30 20:14 -------- d-------- C:\Program Files\windows live safety center
2006-12-30 17:06 -------- d-------- C:\Program Files\nero
2006-12-23 22:57 -------- d-------- C:\Program Files\tunebite
2006-12-21 16:34 -------- d-------- C:\Program Files\bitcomet
2006-12-21 16:23 -------- d-------- C:\Program Files\java
2006-12-21 16:17 -------- d-------- C:\Program Files\microsoft visual studio .net 2003
2006-12-21 16:12 -------- d-------- C:\Program Files\viewpoint
2006-12-21 16:11 -------- d-------- C:\Program Files\acoustica cd label maker
2006-12-17 16:00 -------- d-------- C:\Program Files\syncfolder
2006-12-17 14:48 -------- d-------- C:\DOCUME~1\Scottie\Application Data\tunebite
2006-12-17 14:48 -------- d-------- C:\DOCUME~1\Scottie\Application Data\adobeum
2006-12-16 16:46 -------- d-------- C:\DOCUME~1\Scottie\Application Data\u3
2006-12-12 10:30 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-12-12 10:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 10:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 10:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 10:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 10:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 10:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 10:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 10:25 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-12 10:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-12-12 10:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 10:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-12-12 10:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 10:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 10:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 10:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 10:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 10:24 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-12-11 18:32 -------- d-------- C:\Program Files\windows media connect 2
2006-12-08 16:07 -------- d-------- C:\Program Files\napster
2006-12-07 18:41 -------- d-------- C:\DOCUME~1\Scottie\Application Data\nerodctemplates
2006-12-01 19:17 -------- d-------- C:\Program Files\tagclinic43
2006-11-30 15:37 -------- d-------- C:\Program Files\motorola phone tools
2006-11-30 15:36 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-11-29 18:24 -------- d-------- C:\Program Files\motokit
2006-11-29 16:51 -------- d-------- C:\Program Files\griffin composites
2006-11-29 16:43 -------- d-------- C:\Program Files\digital image world
2006-11-29 14:53 -------- d-------- C:\Program Files\witeye
2006-11-26 22:53 -------- d-------- C:\Program Files\alien skin
2006-11-20 02:42 33280 --a------ C:\WINDOWS\system32\snmp.exe
2006-11-11 22:22 40 ---hs---- C:\DOCUME~1\Scottie\Application Data\.zreglib
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\system32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-02 21:19 1024 --a------ C:\DOCUME~1\Scottie\Application Data\wavcodec.wff


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\not active]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"RegProt"="c:\\regprot\\regprot.exe /start"
"MBM 5"="\"C:\\Program Files\\Motherboard Monitor 5\\MBM5.EXE\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"HP Software Update"="\"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"c:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Outpost Firewall"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe\" /waitservice"
"OutpostFeedBack"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@="C:\\WINDOWS\\scvhost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
"backup"="C:\\WINDOWS\\pss\\BTTray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WIDCOMM\\BLUETO~1\\BTTray.exe "
"item"="BTTray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
"backup"="C:\\WINDOWS\\pss\\MightyFAX Controller.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MIGHTY~1\\MFNTCTL.EXE "
"item"="MightyFAX Controller"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Scottie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Scottie^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDVDDet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDet.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTSysVol"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1098384161\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LClock"
"hkey"="HKLM"
"command"="C:\\Program Files\\LClock\\LClock.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msbb"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ChkColor"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SBDrvDet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SM1BG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SM1BG.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tunebite"
"hkey"="HKCU"
"command"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\" -H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StarWindService"=dword:00000002
"C-DillaCdaC11BA"=dword:00000002
"btwdins"=dword:00000002
"Ati HotKey Poller"=dword:00000002
"AOL TopSpeedMonitor"=dword:00000002
"AOL ACS"=dword:00000002
"AdobeVersionCue"=dword:00000003
"Adobe LM Service"=dword:00000003
"NBService"=dword:00000003
"SoundMAX Agent Service (default)"=dword:00000002
"iPod Service"=dword:00000003
"ATI Smart"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
Shell\AutoRun\command G:\dvdcheck.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070122-141017-340
O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
backup-20070122-141017-560
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
backup-20070122-141017-735
O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
backup-20070122-141017-705
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
backup-20070120-164030-256
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
backup-20070120-164029-586
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
backup-20070120-164029-104
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
backup-20070120-164029-921
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
backup-20070120-164029-335
O3 - Toolbar: (no name) - {00000000-0008-5041-4354-0020e48020af} - (no file)
backup-20070120-164029-539
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
backup-20070120-164029-844
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
backup-20070120-164029-598
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
backup-20070120-164029-870
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
backup-20070120-164029-404
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
backup-20070120-164029-671
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
backup-20070120-164029-497
O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - (no file)
backup-20070120-164029-705
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
backup-20070120-164029-519
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
backup-20070120-164029-654
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070120-164029-737
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-22 14:16:25





---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:15:23 PM 1/22/2007

+ Scan result:



C:\Documents and Settings\Scottie\Desktop\nero_7_keygen.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 10:12:26 AM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\regprot\regprot.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to you by Scottie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download With Super Downloader - C:\WINDOWS\system32\DAP_32.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-c.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145401312953
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B954E5CF-57C9-4719-AED8-0D65BCE86BFC} - http://www.viewbuild.com/activex/viewbuildonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol126.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45413200-F1D7-4C2C-9971-9675D6A517D6}: NameServer = 192.168.1.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\WINDOWS\system32\eztoolslib2.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
TSF Security Manager, Emeritus
We're not quite done yet.

Be wary of codec upgrades and certainly keygens. They are often infected.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:


Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\prwj.exe
C:\nmuxxyvs.exe
C:\mcsbyu.exe
C:\klhtmn.exe
C:\jnxxfy.exe
C:\ejtbhe.exe
C:\cfrm.exe
C:\batjy.exe
C:\Documents and Settings\All Users\Application Data\Noun Bleh Dale Rect<<<This folder is associated with the LOP infection, and combofix shows it still present. It must be deleted.
C:\Documents and Settings\Scottie\Application Data\Dogjoy<<<This folder is associated with the LOP infection, and combofix shows it still present. It must be deleted.


---------------------------------------------------------------------------------------------

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.


---------------------------------------------------------------------------------------------

Please download this tool > http://www.kztechs.com/sreng/sreng2.zip

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it. You may have to rename SREngLOG.log to SREngLOG.txt to upload it.

---------------------------------------------------------------------------------------------


Post results from:

BitDefender online scan
SREng.txt (attached)


Kaspersky trial is a good tool to have onboard after a bot infection. Update it frequently and run several scans over the next few days to make sure all is well.

How is your system behaving?
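As an added example (not part of this thread or of HijackThis itself), a small Python triage script that applies the kinds of checks the reply above makes to HijackThis log lines: it flags entries that point at a missing file, the O10 LSP breakage, Winlogon Notify DLLs, services with an unknown owner, and O16 ActiveX downloads from hosts outside a vendor allowlist. The sample lines are copied from the log above; the allowlist is an assumption, not a HijackThis feature.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {B954E5CF-57C9-4719-AED8-0D65BCE86BFC} - http://www.viewbuild.com/activex/viewbuildonline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145401312953
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# Assumed allowlist of hosts from which O16 (DPF) ActiveX downloads are expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "apple.com", "akamai.net", "hp.com")


def _trusted(host, trusted):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(log_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return (section, reason, line) tuples for log lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, rest = m.groups()
        # An entry whose target no longer exists is either leftover or half-removed malware.
        if "(file missing)" in rest:
            findings.append((section, "orphan", line))
        if section == "O10":
            findings.append((section, "lsp_broken", line))  # Winsock LSP chain damaged
        elif section == "O16":
            host = re.search(r"https?://([^/\s]+)", rest)
            if host and not _trusted(host.group(1), trusted_hosts):
                findings.append((section, "unvetted_activex", line))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; always review them.
            findings.append((section, "winlogon_notify", line))
        elif section == "O23" and "Unknown owner" in rest:
            findings.append((section, "unknown_service_owner", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:22} {line}")
```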