Smitfraud and Pop-Ups


  • This topic is locked
7 replies to this topic

#1 Tabbs

Tabbs

    Member

  • Full Member
  • 3 posts

Posted 02 June 2007 - 12:52 AM

I use Firefox but IE pops up randomly with websites. I can't get rid of this using Spybot, AdAware, or SpySweeper.

Here is my logfile. Please help. Thank you.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:26:58 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HiJackThis_v2.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0A93E382-DC34-41BE-913B-CF84EA578437} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: hsnBar BHO - {57ECFB51-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\2.bin\HSNBAR.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C20A6B6C-F68A-865E-DD09-FEADDEBC72E7} - C:\WINDOWS\system32\rddw.dll
O2 - BHO: (no name) - {CACA7731-9C77-464A-B1B7-462281DD8164} - C:\WINDOWS\system32\efccbca.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\jkmrdyhj.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - blank (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &HSN ShopBar - {57ECFB59-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\2.bin\HSNBAR.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ifpioxls] igfppoos.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\bmgohgve.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aimutation\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136512082218
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.../sis/axhost.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O20 - Winlogon Notify: awvvu - C:\WINDOWS\system32\awvvu.dll
O20 - Winlogon Notify: efccbca - C:\WINDOWS\SYSTEM32\efccbca.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9286 bytes

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 04 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 09 June 2007 - 10:47 AM

Hello,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
Additional info: http://vil.nai.com/v...nt/v_137262.htm
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.

=*=


Please download Atribune's VundoFix.exe from this site:
http://www.atribune..../click.php?id=4 and place it on your desktop.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files; click YES.

Once you click Yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer; click OK.

=*=

Please set your system to show all files;
To delete the files/folders in the next steps, you may need to show hidden Files/Folders: How to.
At the end of the fix you can return the files to hidden status if you want.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) it because it might stop our fix.
  • Open it, click Options over to the left, then Program Options, and uncheck "Load at Windows startup".
  • Over to the left click "Shields" and uncheck everything there.
  • Uncheck "Home page shield".
  • Uncheck "Automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {0A93E382-DC34-41BE-913B-CF84EA578437} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O2 - BHO: (no name) - {C20A6B6C-F68A-865E-DD09-FEADDEBC72E7} - C:\WINDOWS\system32\rddw.dll
O2 - BHO: (no name) - {CACA7731-9C77-464A-B1B7-462281DD8164} - C:\WINDOWS\system32\efccbca.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\jkmrdyhj.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - blank (file missing)
O4 - HKLM\..\Run: [ifpioxls] igfppoos.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\bmgohgve.dll",realset
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O20 - Winlogon Notify: awvvu - C:\WINDOWS\system32\awvvu.dll
O20 - Winlogon Notify: efccbca - C:\WINDOWS\SYSTEM32\efccbca.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold if found.

C:\Documents and Settings\All Users\Application Data\novsvida.exe
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\rddw.dll
C:\WINDOWS\system32\efccbca.dll
C:\WINDOWS\system32\jkmrdyhj.dll
C:\WINDOWS\system32\bmgohgve.dll
C:\WINDOWS\SYSTEM32\winmxw32.dll

Locate and delete these files. Probably located in your C:\Windows or c:\Windows\System32 folders.
igfppoos.exe
smanager.7.exe


Restart the computer normally to reset the registry.

If you are unable to delete the files because they are used by some other processes, try to delete them after this scan.

Enable SpySweeper:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Next,

Download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply.

Please post the contents of C:\vundofix.txt and a new HiJackThis log as well as the DrWeb results.

You may need more than one message to reply.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
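The entries nasdaq picked out of the log above follow a recognisable pattern: anonymous BHOs loading from system32, Run keys that point at a bare filename or at rundll32 with a randomly named DLL, registrations whose file is already missing, and non-default Winlogon Notify packages. As an added example (not part of this thread, and not code from HijackThis or any tool named here), the Python below parses HijackThis O2/O3/O4/O20 lines and applies those heuristics. The sample log is assembled from lines quoted in the first post; the heuristics themselves are my own assumptions and flag entries for a human to review, they do not decide.

```python
import re

# Constructed sample: HijackThis lines quoted in the first post of this thread,
# chosen so that each heuristic below fires on at least one entry.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0A93E382-DC34-41BE-913B-CF84EA578437} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - blank (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ifpioxls] igfppoos.exe
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\bmgohgve.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awvvu - C:\WINDOWS\system32\awvvu.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One pattern per HijackThis section this example understands; other sections are ignored.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
}

WINDOWS_PATH = re.compile(r'^"?[a-z]:\\windows\\', re.IGNORECASE)
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    for section, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            entry = m.groupdict()
            entry["section"] = section
            entry["line"] = line
            return entry
    return None


def assess(entry):
    """Return a reason to review the entry, or None if nothing stands out.

    These are review heuristics (my assumptions), not verdicts: a hit means
    "look at this file", not "this is malware".
    """
    section = entry["section"]
    if section in ("O2", "O3"):
        path = entry["path"]
        if "(file missing)" in path or path == "(no file)":
            return "orphaned registration, file missing"
        if entry["name"] == "(no name)" and WINDOWS_PATH.match(path):
            return "anonymous BHO loading from the Windows directory"
    elif section == "O4":
        cmd = entry["cmd"]
        if "\\" not in cmd:
            return "Run entry is a bare filename, resolved via the search path"
        if cmd.lower().startswith("rundll32") and SYSTEM32.search(cmd):
            return "rundll32 loading a DLL from system32"
        if "\\application data\\" in cmd.lower():
            return "executable launched from Application Data"
    elif section == "O20":
        return "Winlogon Notify DLL; check the file"
    return None


def triage(log_text):
    """Parse a HijackThis log and return the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reason = assess(entry)
        if reason:
            findings.append({"section": entry["section"], "line": entry["line"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the sample, the Yahoo, Spybot, ZoneAlarm and ctfmon entries pass through untouched and the seven entries that nasdaq also listed come back with a reason each; the point of the exercise is that the bare-filename and Application Data rules catch the loaders that a CLSID blacklist never would.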

#4 Tabbs

Tabbs

    Member

  • Full Member
  • 3 posts

Posted 10 June 2007 - 01:37 AM

Thanks for the help.

New HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:11:43 AM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\igfppoos.exe
C:\Documents and Settings\All Users\Application Data\novsvida.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HiJackThis_v2.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: hsnBar BHO - {57ECFB51-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\2.bin\HSNBAR.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C20A6B6C-F68A-865E-DD09-FEADDEBC72E7} - C:\WINDOWS\system32\rddw.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\hicwfgre.dll (file missing)
O2 - BHO: (no name) - {F93F5EA4-D2E2-48A0-AA78-AE779684C6B8} - C:\WINDOWS\system32\lcimxccx.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - blank (file missing)
O3 - Toolbar: &HSN ShopBar - {57ECFB59-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\2.bin\HSNBAR.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ifpioxls] igfppoos.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [j1201932] rundll32 C:\WINDOWS\system32\j1201932.dll sook
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkeb.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ifpioxls] igfppoos.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIMutation\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136512082218
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.../sis/axhost.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11770 bytes


DrWeb.csv file:


drvkeb.dll;c:\windows\system32;Trojan.Fakealert.249;Deleted.;
inlw.exe;C:\;Trojan.Fakealert.257;Deleted.;
intvuvmp.exe;C:\;Trojan.Click.2452;Deleted.;
mstC6.tmp;C:\Documents and Settings\Compaq_Owner\Local Settings\Temp;Trojan.Fakealert.249;Deleted.;
winBC.tmp.exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temp;Trojan.DownLoader.23032;Deleted.;
winC9.tmp.exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temp;Trojan.DownLoader.22225;Deleted.;
WinAntiVirusPro2006FreeInstall[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\8VQUXV5C;Trojan.DownLoader.10963;Deleted.;
xzc37[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\FFISJH5D;Trojan.DownLoader.22225;Deleted.;
xc23[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\K8L922O5;Trojan.DownLoader.23032;Deleted.;
file[1].ani;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NJV5125S;Exploit.ANIFile;Deleted.;
L2[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NZD6FYN5;Trojan.DownLoader.20139;Deleted.;
xzc37[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NZD6FYN5;Trojan.DownLoader.22968;Deleted.;
xc23[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\O36DC5B9;Trojan.DownLoader.23032;Deleted.;
antzom[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\OD40DWA2;Trojan.Mezzia;Deleted.;
xc60[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\OD40DWA2;Trojan.PWS.LDPinch.462;Deleted.;
WinAntiVirusPro2006FreeInstall[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SXL6FJWD;Trojan.DownLoader.10963;Deleted.;
xc23[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SXL6FJWD;Trojan.DownLoader.23032;Deleted.;
sfksiesoy[1].htm;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\TTAZ5CC3;Trojan.Click.2452;Deleted.;
arr[1].ani;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\V7GA0L42;Exploit.ANIFile;Deleted.;
WinAntiSpyware2007FreeInstall[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\V7GA0L42;Trojan.DownLoader.10963;Deleted.;
A0140521.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP647;Trojan.Fakealert.257;Deleted.;
A0140523.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP647;Trojan.Virtumod;Deleted.;
A0143727.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP652;Trojan.DownLoader.23066;Deleted.;
A0148116.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP657;Trojan.Virtumod;Deleted.;
A0155011.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP660;Trojan.Virtumod;Deleted.;
A0155016.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP660;Trojan.Fakealert.249;Deleted.;
A0156099.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP663;Trojan.Virtumod;Deleted.;
A0156757.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP664;Trojan.Virtumod;Deleted.;
A0159017.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159019.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Click.2485;Deleted.;
A0159020.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159021.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159024.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159026.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159030.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159032.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159037.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159040.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159044.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159047.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Virtumod;Deleted.;
A0159055.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Click.2485;Deleted.;
A0159071.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Fakealert.249;Deleted.;
A0159072.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Fakealert.257;Deleted.;
A0159073.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Trojan.Click.2452;Deleted.;
awvvu.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
bkakruyn.exe.bad;C:\VundoFix Backups;Trojan.Click.2485;Deleted.;
cdhwweaj.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ddccbaa.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
evfplwok.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hicwfgre.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
j1201932.dll.bad;C:\VundoFix Backups;Trojan.Click.2485;Deleted.;
jkmrdyhj.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
kfypcssa.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
opnlkij.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmnnl.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
tuvsqpq.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
xvdrypdb.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
smanager.7.exe~;C:\WINDOWS;Trojan.DownLoader.23032;Deleted.;
drvgef.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvnas.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvnim.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvpes.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvrag.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvsog.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvson.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
drvwap.dll;C:\WINDOWS\system32;Trojan.Fakealert.249;Deleted.;
winmxw32.dll;C:\WINDOWS\system32;Trojan.DownLoader.22758;Will be cured after reboot.;
mst10A3.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst1952.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst1A41.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst2007.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst294.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst32.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst59F.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst6B5.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst85.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst8B9.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mst8E.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mstC2A.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
mstF4.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.249;Deleted.;
win109B.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win109F.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
win10A6.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22968;Deleted.;
win1117.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.20139;Deleted.;
win1945.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win194D.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
win1954.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22968;Deleted.;
win1A3A.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
win1A46.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22968;Deleted.;
win1FFE.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win2002.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
win200B.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22968;Deleted.;
win26.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win28A.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win297.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win35.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win595.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win5A2.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win6A0.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win6C2.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win74.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win76.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win8AD.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
win8BB.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win8D.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win96.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
winC1B.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
winC1F.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
winC2C.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
winE7.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.23032;Deleted.;
winF54.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.20139;Deleted.;
winF8.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
biz[1].htm\JavaScript.0;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\H5K31O6E\biz[1].htm;VBS.Psyme.383;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4000.1.4;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4024.2.4;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\AIMSUD338;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
winC7.tmp.exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temp;Adware.Akella;Incurable.Moved.;
biz[1].htm;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\H5K31O6E;Archive contains infected objects;Moved.;
xc36[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\OD40DWA2;Adware.Akella;Incurable.Moved.;
xc36[1].exe;C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SXL6FJWD;Adware.Akella;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIMutation;Adware.Aws;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIMutation\Sysfiles;Adware.Aws;Incurable.Moved.;
Yazzle1162OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
HSNPLUGN.DLL;C:\Program Files\HSN\bar\2.bin;Adware.Msearch;Incurable.Moved.;
A0139064.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP630;Adware.TryMedia;Incurable.Moved.;
A0139275.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP637;Adware.TryMedia;Incurable.Moved.;
A0140542.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP648;Adware.ClickSpring;Incurable.Moved.;
A0140559.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP649;Probably MULDROP.Trojan;Incurable.Moved.;
A0140574.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP649;Probably MULDROP.Trojan;Incurable.Moved.;
A0140641.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP651;Adware.ClickSpring;Incurable.Moved.;
A0140711.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP652;Adware.ClickSpring;Incurable.Moved.;
A0143878.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP653;Adware.ClickSpring;Incurable.Moved.;
A0144268.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP654;Adware.ClickSpring;Incurable.Moved.;
A0145658.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP655;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0146848.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP656;Adware.ClickSpring;Incurable.Moved.;
A0146917.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP656;Adware.ClickSpring;Incurable.Moved.;
A0148130.EXE;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP657;Adware.Aws;Incurable.Moved.;
A0148161.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP657;Adware.ClickSpring;Incurable.Moved.;
A0149560.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP658;Adware.ClickSpring;Incurable.Moved.;
A0154699.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP660;Adware.ClickSpring;Incurable.Moved.;
A0155040.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP660;Tool.Prockill;Incurable.Moved.;
A0155042.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP660;Tool.ShutDown.11;Incurable.Moved.;
A0156168.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP663;Adware.ClickSpring;Incurable.Moved.;
A0156731.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP664;Adware.ClickSpring;Incurable.Moved.;
A0157756.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP665;Adware.ClickSpring;Incurable.Moved.;
A0158913.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP666;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0158927.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP666;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0159033.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Adware.Crew;Incurable.Moved.;
A0159041.dll;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP667;Adware.Crew;Incurable.Moved.;
lcimxccx.dll.bad;C:\VundoFix Backups;Adware.Crew;Incurable.Moved.;
qpgdyhed.dll.bad;C:\VundoFix Backups;Adware.Crew;Incurable.Moved.;
HGStart9USA.exe;C:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
win10A4.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win1951.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win1A43.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win2008.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win295.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win33.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win5A0.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win6BB.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win86.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win8B8.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
win8F.tmp;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
winC29.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
winF6.tmp.exe;C:\WINDOWS\Temp;Adware.Akella;Incurable.Moved.;
firstopt.js;D:\I386\Apps\APP27058;Probably SCRIPT.Virus;Incurable.Moved.;





DelJob Log:

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

Easy Internet Sign-up.job
MP Scheduled Scan.job
--------------------------------------------------------
App data folders

Volume in drive C is PRESARIO
Volume Serial Number is 7E37-DA48

Directory of C:\Documents and Settings\Compaq_Owner\Application Data

06/02/2007 10:41 AM <DIR> .
06/02/2007 10:41 AM <DIR> ..
01/02/2006 01:50 AM <DIR> 3M
06/30/2006 11:47 AM <DIR> acccore
12/20/2006 08:15 PM <DIR> Adobe
10/11/2005 12:37 AM <DIR> AdobeUM
01/06/2007 10:25 PM <DIR> Aim
09/29/2006 08:36 PM <DIR> APPLEC~1 Apple Computer
05/28/2007 08:15 PM <DIR> Google
12/26/2005 12:45 AM <DIR> Help
02/23/2007 06:58 PM <DIR> HSN
05/30/2005 11:11 AM <DIR> IDENTI~1 Identities
05/26/2007 12:53 PM <DIR> IGN_DLM
05/03/2007 11:45 PM <DIR> INSTAL~1 InstallShield
05/30/2005 11:11 AM <DIR> INTERM~1 InterMute
05/08/2007 01:16 PM <DIR> JAMS
06/05/2007 04:23 PM <DIR> LimeWire
04/23/2006 02:17 AM <DIR> MACROM~1 Macromedia
04/11/2007 04:41 PM <DIR> MICROS~1 Microsoft
11/23/2005 12:40 AM <DIR> Mozilla
10/01/2005 06:11 PM <DIR> Real
05/30/2005 11:11 AM <DIR> SAMPLE~1 SampleView
12/19/2005 03:53 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
09/03/2005 11:25 PM <DIR> Sun
05/30/2005 11:11 AM <DIR> Symantec
11/23/2005 12:00 AM <DIR> Talkback
04/21/2007 02:33 AM <DIR> TEAMSP~1 teamspeak2
10/13/2005 11:46 AM <DIR> Template
11/23/2005 12:40 AM <DIR> THUNDE~1 Thunderbird
05/22/2007 08:55 PM <DIR> uTorrent
12/28/2006 12:26 AM <DIR> Ventrilo
06/09/2007 11:31 PM <DIR> VIEWPO~1 Viewpoint
09/03/2005 04:13 PM <DIR> Webroot
09/15/2006 03:24 PM <DIR> Wildfire
06/05/2007 06:30 PM <DIR> Xfire
04/19/2007 03:58 AM <DIR> Yahoo!
10/05/2005 02:55 PM <DIR> YAHOO!~1 Yahoo! Messenger
06/02/2007 01:50 PM <DIR> yoclient
05/22/2007 07:02 AM <DIR> RACLE~1 ?racle
0 File(s) 0 bytes
39 Dir(s) 46,419,156,992 bytes free
Volume in drive C is PRESARIO
Volume Serial Number is 7E37-DA48

Directory of C:\Documents and Settings\All Users\Application Data

06/10/2007 12:17 AM <DIR> .
06/10/2007 12:17 AM <DIR> ..
11/26/2005 03:31 PM <DIR> Adobe
05/26/2007 05:11 PM <DIR> AOL
06/09/2007 12:54 PM <DIR> AOLDOW~1 AOL Downloads
12/15/2006 03:52 PM <DIR> AOLOCP~1 AOL OCP
11/24/2006 01:29 AM <DIR> APPLEC~1 Apple Computer
05/30/2005 11:11 AM <DIR> HEWLET~1 Hewlett-Packard
05/30/2005 11:11 AM <DIR> INSTAL~1 InstallShield
06/07/2007 06:49 PM <DIR> Lavasoft
10/02/2005 03:14 PM <DIR> McAfee.com
05/12/2006 06:24 PM <DIR> MICROS~1 Microsoft
10/09/2005 11:23 PM <DIR> QUICKT~1 QuickTime
05/30/2005 11:11 AM <DIR> SBSI
04/29/2007 12:49 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
09/03/2005 04:10 PM <DIR> Symantec
06/09/2007 11:32 PM <DIR> VIEWPO~1 Viewpoint
01/05/2006 09:52 PM <DIR> WINDOW~1 Windows Genuine Advantage
06/05/2007 08:26 PM <DIR> yahoo!
0 File(s) 0 bytes
19 Dir(s) 46,419,152,896 bytes free
--------------------------------------------------------




VundoFix Log:



VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:32:35 PM 6/9/2007

Listing files found while scanning....

C:\windows\system32\awvvu.dll
C:\windows\system32\bdpyrdvx.ini
C:\windows\system32\bkakruyn.exe
C:\windows\system32\cdhwweaj.dll
C:\windows\system32\ddccbaa.dll
C:\windows\system32\ddcccyv.dll
C:\WINDOWS\system32\efccbca.dll
C:\WINDOWS\system32\evfplwok.dll
C:\windows\system32\fcvhmqni.exe
C:\windows\system32\hicwfgre.dll
C:\windows\system32\iifdccd.dll
C:\windows\system32\j1201932.dll
C:\windows\system32\jaewwhdc.ini
C:\windows\system32\jkkliij.dll
C:\WINDOWS\system32\jkmrdyhj.dll
C:\windows\system32\kbqcbuwh.exe
C:\WINDOWS\system32\kfypcssa.dll
C:\windows\system32\lcimxccx.dll
C:\windows\system32\lnnmp.ini
C:\windows\system32\nbvrsnxw.exe
C:\windows\system32\nnnnmkl.dll
C:\windows\system32\opnlkij.dll
C:\windows\system32\opnonoo.dll
C:\windows\system32\opnoonm.dll
C:\windows\system32\pmnnl.dll
C:\windows\system32\qpgdyhed.dll
C:\windows\system32\rqrqrpn.dll
C:\windows\system32\tisubydy.exe
C:\windows\system32\tuvsqpq.dll
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\uvvwa.bak2
C:\windows\system32\uvvwa.ini
C:\windows\system32\vtuutss.dll
C:\windows\system32\wvurpml.dll
C:\WINDOWS\system32\xvdrypdb.dll
C:\windows\system32\xxywtqn.dll
C:\windows\system32\xxywxyv.dll

Beginning removal...

Attempting to delete C:\windows\system32\awvvu.dll
C:\windows\system32\awvvu.dll Has been deleted!

Attempting to delete C:\windows\system32\bdpyrdvx.ini
C:\windows\system32\bdpyrdvx.ini Has been deleted!

Attempting to delete C:\windows\system32\bkakruyn.exe
C:\windows\system32\bkakruyn.exe Has been deleted!

Attempting to delete C:\windows\system32\cdhwweaj.dll
C:\windows\system32\cdhwweaj.dll Has been deleted!

Attempting to delete C:\windows\system32\ddccbaa.dll
C:\windows\system32\ddccbaa.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcccyv.dll
C:\windows\system32\ddcccyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efccbca.dll
C:\WINDOWS\system32\efccbca.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\evfplwok.dll
C:\WINDOWS\system32\evfplwok.dll Has been deleted!

Attempting to delete C:\windows\system32\fcvhmqni.exe
C:\windows\system32\fcvhmqni.exe Has been deleted!

Attempting to delete C:\windows\system32\hicwfgre.dll
C:\windows\system32\hicwfgre.dll Has been deleted!

Attempting to delete C:\windows\system32\iifdccd.dll
C:\windows\system32\iifdccd.dll Has been deleted!

Attempting to delete C:\windows\system32\j1201932.dll
C:\windows\system32\j1201932.dll Could not be deleted.

Attempting to delete C:\windows\system32\jaewwhdc.ini
C:\windows\system32\jaewwhdc.ini Has been deleted!

Attempting to delete C:\windows\system32\jkkliij.dll
C:\windows\system32\jkkliij.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkmrdyhj.dll
C:\WINDOWS\system32\jkmrdyhj.dll Has been deleted!

Attempting to delete C:\windows\system32\kbqcbuwh.exe
C:\windows\system32\kbqcbuwh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kfypcssa.dll
C:\WINDOWS\system32\kfypcssa.dll Has been deleted!

Attempting to delete C:\windows\system32\lcimxccx.dll
C:\windows\system32\lcimxccx.dll Has been deleted!

Attempting to delete C:\windows\system32\lnnmp.ini
C:\windows\system32\lnnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\nbvrsnxw.exe
C:\windows\system32\nbvrsnxw.exe Has been deleted!

Attempting to delete C:\windows\system32\nnnnmkl.dll
C:\windows\system32\nnnnmkl.dll Has been deleted!

Attempting to delete C:\windows\system32\opnlkij.dll
C:\windows\system32\opnlkij.dll Has been deleted!

Attempting to delete C:\windows\system32\opnonoo.dll
C:\windows\system32\opnonoo.dll Has been deleted!

Attempting to delete C:\windows\system32\opnoonm.dll
C:\windows\system32\opnoonm.dll Has been deleted!

Attempting to delete C:\windows\system32\pmnnl.dll
C:\windows\system32\pmnnl.dll Has been deleted!

Attempting to delete C:\windows\system32\qpgdyhed.dll
C:\windows\system32\qpgdyhed.dll Has been deleted!

Attempting to delete C:\windows\system32\rqrqrpn.dll
C:\windows\system32\rqrqrpn.dll Has been deleted!

Attempting to delete C:\windows\system32\tisubydy.exe
C:\windows\system32\tisubydy.exe Has been deleted!

Attempting to delete C:\windows\system32\tuvsqpq.dll
C:\windows\system32\tuvsqpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\uvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvvwa.bak2
C:\WINDOWS\system32\uvvwa.bak2 Has been deleted!

Attempting to delete C:\windows\system32\uvvwa.ini
C:\windows\system32\uvvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\vtuutss.dll
C:\windows\system32\vtuutss.dll Has been deleted!

Attempting to delete C:\windows\system32\wvurpml.dll
C:\windows\system32\wvurpml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvdrypdb.dll
C:\WINDOWS\system32\xvdrypdb.dll Has been deleted!

Attempting to delete C:\windows\system32\xxywtqn.dll
C:\windows\system32\xxywtqn.dll Has been deleted!

Attempting to delete C:\windows\system32\xxywxyv.dll
C:\windows\system32\xxywxyv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\j1201932.dll
C:\windows\system32\j1201932.dll Has been deleted!

Performing Repairs to the registry.
Done!

#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 10 June 2007 - 08:27 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Open your Control Panel, go to *Add/Remove Programs* and look for the following:

Think-Adz Search Assistant
Enhanced Ads by Think-Adz
Surfsidekick
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
(Anything) by OIN
Zolero
Tizzletalk
MediaTickets
Cowabanga
outerinfo

and any other programs you didn't install or don't recognize. If you're not sure, please ask first.

If found, click on it and click remove.

Do not restart the computer

Then, download and run this OiUninstaller.exe uninstaller: follow the instructions on this page.
http://www.outerinfo.com/howto.html

=*=

Disable SpySweeper:

You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click >Options over to the left, then >Program Options, and uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".

After all of the fixes are complete it is very important that you enable SpySweeper again.

=*=

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O2 - BHO: (no name) - {C20A6B6C-F68A-865E-DD09-FEADDEBC72E7} - C:\WINDOWS\system32\rddw.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\hicwfgre.dll (file missing)
O2 - BHO: (no name) - {F93F5EA4-D2E2-48A0-AA78-AE779684C6B8} - C:\WINDOWS\system32\lcimxccx.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - blank (file missing)
O4 - HKLM\..\Run: [ifpioxls] igfppoos.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [j1201932] rundll32 C:\WINDOWS\system32\j1201932.dll sook
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkeb.dll,startup
O4 - HKCU\..\Run: [ifpioxls] igfppoos.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold if found.

igfppoos.exe
smanager.7.exe

C:\WINDOWS\system32\rddw.dll
C:\Documents and Settings\All Users\Application Data\novsvida.exe

Restart the computer normally to reset the registry.

Enable SpySweeper

=*=

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Submit a fresh HijackThis log.

Let me know what problem remains.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
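
As an added example (not code from this thread, from HijackThis, or from any tool nasdaq names), here is a small Python triage script that applies, to HijackThis lines like the ones quoted in the post above, the kinds of checks a helper runs by eye before deciding what to fix: entries whose file is missing, unnamed BHOs loading a DLL straight out of system32, Run entries with a bare filename and no path, rundll32 entries loading a system32 DLL at logon, and Winlogon Notify DLLs. The rules, the function names `triage_line` / `triage_log`, and the `Finding` type are my own assumptions; the sample lines are constructed from entries that appear on this page, with a few benign entries mixed in so the rules have something to pass.

```python
"""Triage helper for HijackThis log lines (added example, not HijackThis code).

The heuristics below are assumptions modelled on the entries the helper asked
to be fixed in this thread; a hit means "look closer", not "malicious".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines taken from the entries quoted in this thread,
# plus a few benign ones (Yahoo BHO, ZoneAlarm) that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O2 - BHO: (no name) - {C20A6B6C-F68A-865E-DD09-FEADDEBC72E7} - C:\WINDOWS\system32\rddw.dll
O4 - HKLM\..\Run: [ifpioxls] igfppoos.exe
O4 - HKLM\..\Run: [j1201932] rundll32 C:\WINDOWS\system32\j1201932.dll sook
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkeb.dll,startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A DLL sitting directly in the system32 directory (no subfolder).
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "rundll32[.exe] <dll>[,entry] ..." -> capture the DLL path
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",\s]+)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _last_field(line: str) -> str:
    """Return the text after the last ' - ' separator (usually the file path)."""
    return line.rsplit(" - ", 1)[-1].strip()


def triage_line(line: str) -> list:
    """Return the list of reasons this HijackThis line deserves a second look."""
    reasons = []
    line = line.strip()
    if not line:
        return reasons
    section = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
    lower = line.lower()

    # Dead registry references: harmless by themselves but should be cleaned.
    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("orphaned entry: referenced file is missing")

    if section == "O2":
        if "(no name)" in lower and SYSTEM32_DLL.match(_last_field(line)):
            reasons.append("unnamed BHO loading a DLL straight from system32")
    elif section == "O4":
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            # A bare filename is resolved through PATH search at logon.
            if "\\" not in cmd and ":" not in cmd:
                reasons.append("autorun command has no path (resolved via PATH search)")
            rd = RUNDLL_RE.match(cmd)
            if rd and SYSTEM32_DLL.match(rd.group(1)):
                reasons.append("rundll32 loads a DLL from system32 at logon")
    elif section == "O20" and "winlogon notify" in lower:
        if SYSTEM32_DLL.match(_last_field(line)):
            reasons.append("Winlogon Notify DLL in system32 (loaded into winlogon.exe)")
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over a whole log; return only the lines that were flagged."""
    findings = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the constructed sample the script flags seven of the ten lines and leaves the Yahoo BHO, the ZoneAlarm Run entry and the vsmon service alone. The rules are deliberately narrow: plenty of legitimate software uses rundll32 or ships DLLs in system32, so the output is a worklist for a human (or for the kind of check-by-check review nasdaq did), not a verdict.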

#6 Tabbs

Tabbs

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 11 June 2007 - 12:18 AM

I have done what you said. The random IE popups and System Doctor messages seem to have stopped, but after running Spybot Search and Destroy these problems were found, along with numerous others:

Adrevolver
Smitfraud-C
Smitfraud-C Toolbar
System Doctor 2006
Win32.Agent
Win32.IRCBot

Here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:40:00 AM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis_v2.zip\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkeb.dll,startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aimutation\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136512082218
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.../sis/axhost.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9346 bytes
Thank you for your help.

#7 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 11 June 2007 - 07:57 AM

Will give it another shot.

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click >Options over to the left, then >Program Options > Uncheck "load at Windows startup".
  • Over to the left click "Shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkeb.dll,startup

Click on Fix Checked when finished and exit HijackThis.

Delete these files, in bold, if found.

C:\WINDOWS\system32\drvkeb.dll

Restart the computer normally to reset the registry.

If you still get some hits with SpyBot and Destroy, post the exact message(s).
I see nothing else on the log.

Enable SpySweeper.

Include a fresh HijackThis log for my review.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
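Added example, not from the thread or from HijackThis itself: a small Python parser for the O2/O4/O23 entry formats seen in the log above, with the eyeball checks a helper like nasdaq applies (a BHO with "(no name)", a "(file missing)" reference, and a rundll32 DLL autostart like the CTDrive line the fix targets). The sample lines are constructed in the thread's log format; the regexes, field names and flag strings are my own assumptions.

```python
import re

# Constructed sample in HijackThis log format, modelled on lines posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A93E382-DC34-41BE-913B-CF84EA578437} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - blank (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkeb.dll,startup
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(\S+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^Service: (.*) \((.*?)\) - (.*?) - (.*)$")

def parse_entry(line):
    """Split one HijackThis line into its fields; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O2" and rest.startswith("BHO: "):
        # O2 - BHO: <display name> - {CLSID} - <dll path>
        name, clsid, path = [p.strip() for p in rest[5:].split(" - ", 2)]
        return {"kind": kind, "name": name, "clsid": clsid, "path": path}
    if kind == "O4" and (m4 := O4_RE.match(rest)):
        # O4 - <hive>\..\Run: [<value name>] <command line>
        hive, name, command = m4.groups()
        return {"kind": kind, "hive": hive, "name": name, "command": command}
    if kind == "O23" and (m23 := O23_RE.match(rest)):
        # O23 - Service: <display name> (<service name>) - <company> - <exe path>
        display, service, company, path = m23.groups()
        return {"kind": kind, "name": display, "service": service, "company": company, "path": path}
    return {"kind": kind, "raw": rest}  # other entry types are kept verbatim

def review_flags(entry):
    """Heuristics a helper applies by eye: nameless BHOs, dangling references, rundll32 DLL autostarts."""
    flags = []
    target = entry.get("path") or entry.get("command") or entry.get("raw", "")
    if entry["kind"] == "O2" and entry.get("name") == "(no name)":
        flags.append("BHO without a display name")
    if "(file missing)" in target:
        flags.append("referenced file missing")
    if entry["kind"] == "O4" and "rundll32" in target.lower() and "system32" in target.lower():
        flags.append("rundll32 loading a DLL from system32 at startup")
    return flags

def scan_log(text):
    """Return (entry, flags) pairs for every parsed entry, in log order."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return [(e, review_flags(e)) for e in entries]
```

A flag is only a prompt for a closer look; a legitimate toolbar can be nameless in the log and a stale uninstall leaves "(file missing)" behind, so the decision still rests on the file itself.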

#8 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 22 June 2007 - 08:19 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
nasdaq