
Problems with trojans : generic3.uub and collected.11.b


This topic is locked. 11 replies to this topic.

#1 sussexstev


Posted 21 April 2007 - 04:48 AM

Hi
One of my kids opened and ran a file received via MSN. Since then we have endless popups for anti-virus websites and debt agencies; Explorer takes an age to start and runs very slowly.
I'm running XP with 4 users using IE7. I have run AVG, which identified trojan horse collected 11.b, and Avast, which picked up trojan horse generic3.uub. Avast also picked up win32:adware-gen and win32:spyware-gen.
AVG also returned the fact that these files had changed:
C:\windows\system32\user32.dll
C:\windows\system32\shell32.dll
C:\windows\system32\ntoskml.exe
C:\windows\system32\drivers\etc\hosts

If you are able to help me, please keep all the instructions very simple as I'm not very good at navigating my way round systems! Please also let me know if I have to carry out the instructions for each user or just my logon. May sound a bit dim, but like I said I'm a bit useless at all this and would rather not make things worse than they already are!

Hope you can help
Steve.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:28:58, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\cnbtfeit.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\gwqogyvd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\rqrropo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D69378A2-9925-46DE-86C6-1DCF5BBF9990} - C:\WINDOWS\system32\mljjj.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Intellisync Lite for NEC 616.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...GB_ZNxdm799XXGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: NTLSignup - https://tesco.autore...o/NTLSignup.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103472275921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161814639253
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba250.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{4775387C-251E-4CDF-9232-2D075861E6E5}: NameServer = 192.168.0.100
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll
O20 - Winlogon Notify: rqrropo - C:\WINDOWS\SYSTEM32\rqrropo.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 15473 bytes

#2 SWI Support Robot


Posted 23 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna


Posted 26 April 2007 - 06:03 AM

Hi Steve,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

First of all, while it is acceptable to have two anti-virus programs installed, it is not a good idea to have them both running in auto-protect mode as it may make both less effective. Choose just one to run in auto-protect and use the other for ad-hoc scans only.


NEXT:

We will need to disable a few security applications as they may interfere with the fixes that we need to make.

To disable Windows Defender:
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

To deactivate Spyware Doctor's OnGuard Tools:
  • From within Spyware Doctor, click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".

NEXT:

Please download VundoFix.exe by Atribune and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. Run VundoFix and scan for Vundo as many times as necessary until VundoFix says "No infected files were found".


NEXT:

Please download HostsXpert and save it to your desktop:
  • Extract the zip file to your desktop or a permanent folder on your hard drive.
  • Open the folder and double-click on HostsXpert.exe.
  • Make sure that the "Make Writable?" button in the upper left corner is enabled. By default the button should be showing "Make ReadOnly?" (if it is, leave it alone).
  • Click "Backup / Restore" and select "Create Backup".
  • Click "Restore MS Hosts File".
  • Click "OK" and exit the program.

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\cnbtfeit.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\gwqogyvd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\rqrropo.dll
O2 - BHO: (no name) - {D69378A2-9925-46DE-86C6-1DCF5BBF9990} - C:\WINDOWS\system32\mljjj.dll
O8 - Extra context menu item: &Search - http://bar.mywebsear...GB_ZNxdm799XXGB
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba250.exe
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll
O20 - Winlogon Notify: rqrropo - C:\WINDOWS\SYSTEM32\rqrropo.dll



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\gwqogyvd.dll
    C:\WINDOWS\system32\diskperff.dll
    C:\WINDOWS\system32\mljjj.dll
    C:\WINDOWS\SYSTEM32\rqrropo.dll


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the VundoFix scan.
  • The results report from OTMoveIt.
  • The log from the ComboFix scan.
  • A new HijackThis log.
How are things running now? Please let me know of any problems that still persist.

Edited by Sempurna, 26 April 2007 - 06:04 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
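The entries Sempurna singled out above follow a few recognisable patterns: security-vendor domains redirected in the hosts file (O1), nameless BHOs loading from system32 or pointing at missing files (O2), ActiveX downloads from file:// or raw-IP URLs (O16), and Winlogon Notify hooks (O20). The script below is an added example, not code from the thread or from HijackThis, that triages HijackThis log lines for those patterns; the sample lines are copied from Steve's log, and the security-vendor domain list is an assumption built from the O1 entries shown.

```python
"""Offline triage of HijackThis (HJT) log lines for the hijack patterns in
this thread (O1 hosts redirects, nameless O2 BHOs, O16 file:// or raw-IP
ActiveX entries, O20 Winlogon Notify hooks).  Reads text only; changes nothing."""
import re
from ipaddress import ip_address

# Domains the hosts file in this thread pointed at 1.1.1.1.  Assumption: a real
# deployment would carry a fuller list of security-vendor domains.
SECURITY_DOMAINS = {
    "ewido.net", "sysinternals.com", "onguardonline.gov",
    "avast.com", "safety.live.com", "paretologic.com",
}
# Addresses a legitimate hosts-file block list points at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? - (\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
URL_RE = re.compile(r"^([a-z]+)://([^/:]*)", re.I)


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def base_domain(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if it looks benign."""
    m = O1_RE.match(line)
    if m:
        addr, host = m.groups()
        if base_domain(host) in SECURITY_DOMAINS:
            return "high", f"hosts file redirects security vendor {host} to {addr}"
        if addr not in LOOPBACK:
            return "medium", f"hosts entry maps {host} to non-loopback {addr}"
        return None
    m = O2_RE.match(line)
    if m:
        name, target = m.groups()
        low = target.lower()
        # Named BHOs under vendor paths (Spybot's SDHelper, Java's ssv.dll) pass;
        # a nameless BHO that is missing or lives in system32 is the Vundo pattern.
        if name == "(no name)" and (
            "missing" in low or "no file" in low or "\\system32\\" in low
        ):
            return "high", f"nameless BHO loading {target}"
        return None
    m = O16_RE.match(line)
    if m:
        url = m.group(1)
        u = URL_RE.match(url)
        if u:
            scheme, host = u.groups()
            if scheme.lower() == "file":
                return "high", f"ActiveX (DPF) entry installed from local file {url}"
            if is_ip_literal(host):
                return "high", f"ActiveX (DPF) entry downloaded from raw IP {host}"
        return None
    m = O20_RE.match(line)
    if m:
        # Winlogon Notify DLLs load into winlogon.exe (SYSTEM); each deserves a look.
        return "medium", f"Winlogon Notify hook '{m.group(1)}' -> {m.group(2)}"
    return None


def triage_log(text):
    """Return [(severity, reason, original_line)] for every flagged line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


# Constructed sample: a subset of lines copied from Steve's log above.
SAMPLE_LOG = r"""
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.avast.com
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\cnbtfeit.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for sev, why, line in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```

The flagged set matches what Sempurna ticked for "Fix checked" above; the O23 service and the named BHOs pass through untouched.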

#4 sussexstev


Posted 26 April 2007 - 08:42 AM

Hi Sempurna
Thanks for the help.
Things seem to be getting back to normal. I'm not getting the pop-ups that I was. Also IE is running much faster.
I had already run VundoFix; here is the log:

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 22:08:21 11/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\SYSTEM32\hpfyqpxh.dll
C:\WINDOWS\SYSTEM32\ljuncnsv.dll
C:\WINDOWS\SYSTEM32\mualtsaa.dll
C:\WINDOWS\SYSTEM32\rngokkun.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\edeeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hpfyqpxh.dll
C:\WINDOWS\SYSTEM32\hpfyqpxh.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ljuncnsv.dll
C:\WINDOWS\SYSTEM32\ljuncnsv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\mualtsaa.dll
C:\WINDOWS\SYSTEM32\mualtsaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rngokkun.dll
C:\WINDOWS\SYSTEM32\rngokkun.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.20

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 22:53:31 25/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\gwqogyvd.dll
C:\WINDOWS\SYSTEM32\hfmikesk.dll
C:\WINDOWS\system32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.bak2
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jjjlm.tmp
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\SYSTEM32\nvouovjs.dll
C:\WINDOWS\system32\rqrropo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\hfmikesk.dll
C:\WINDOWS\SYSTEM32\hfmikesk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.bak2
C:\WINDOWS\system32\jjjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jjjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.tmp
C:\WINDOWS\system32\jjjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\nvouovjs.dll
C:\WINDOWS\SYSTEM32\nvouovjs.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.20

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 12:28:17 26/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



Here is the OTMoveIt results report:
File/Folder C:\WINDOWS\system32\gwqogyvd.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\diskperff.dll
C:\WINDOWS\system32\diskperff.dll NOT unregistered.
C:\WINDOWS\system32\diskperff.dll moved successfully.
File/Folder C:\WINDOWS\system32\mljjj.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\rqrropo.dll not found.

Created on 04/26/2007 13:55:52

ComboFix scan:
"Steve" - 07-04-26 13:59:41 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Steve\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{383B5~1\Bar888.dll
C:\Program Files\Common Files\{383B5~1\UnInstall.exe
C:\Program Files\Common Files\{383B5~2\Bar888.dll
C:\Program Files\Common Files\{383B5~2\UnInstall.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\install.log
C:\Program Files\Common Files\{383B5~1
C:\Program Files\Common Files\{383B5~2


((((((((((((((((((((((((((((((( Files Created from 2007-03-26 to 2007-04-26 ))))))))))))))))))))))))))))))))))


2007-04-25 19:54 132,660 --a------ C:\WINDOWS\SYSTEM32\pojxekvf.dll
2007-04-24 18:24 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-04-24 18:23 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-04-24 15:42 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-24 15:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-24 15:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-04-24 15:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-04-23 15:36 <DIR> d-------- C:\DOCUME~1\Steve\APPLIC~1\Lavasoft
2007-04-23 15:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-23 15:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-17 22:13 1,308,216 --a------ C:\Program Files\HiJackThis_v2.exe
2007-04-17 21:32 <DIR> d-------- C:\DOCUME~1\Steve\APPLIC~1\SpywareBot
2007-04-14 11:56 83,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-04-14 11:56 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-04-14 11:56 59,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-04-14 11:56 52,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-04-14 11:56 39,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-04-14 11:56 26,064 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-04-14 11:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-14 11:56 <DIR> d-------- C:\DOCUME~1\Steve\APPLIC~1\PC Tools
2007-04-14 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-04-12 22:19 94,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-04-12 22:19 85,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-04-12 22:19 43,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-04-12 22:19 26,888 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-04-12 22:19 23,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-04-12 22:18 90,112 --a------ C:\WINDOWS\SYSTEM32\AVASTSS.scr
2007-04-12 22:18 733,824 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-04-11 22:08 <DIR> d-------- C:\VundoFix Backups
2007-04-11 20:44 <DIR> d-------- C:\Program Files\RogueRemover
2007-04-09 19:35 <DIR> d-------- C:\DOCUME~1\KIMBER~1\Contacts
2007-04-08 22:32 187,392 --a------ C:\DOCUME~1\Luca\oo.exe
2007-04-08 22:32 141,841 --a------ C:\DOCUME~1\Luca\net.exe
2007-04-08 22:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-04 21:04 <DIR> d-------- C:\DOCUME~1\Luca\APPLIC~1\SopCast
2007-04-01 22:26 <DIR> d--hs---- C:\WINDOWS\SYSTEM32\jjrehloxou


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-17 21:57 -------- d-------- C:\Program Files\viewpoint
2007-04-17 21:41 -------- d-------- C:\Program Files\morpheus
2007-04-14 15:34 -------- d-------- C:\Program Files\vcom
2007-04-14 11:53 -------- d-------- C:\Program Files\google
2007-04-13 22:34 -------- d-------- C:\Program Files\msn messenger
2007-04-01 22:27 359808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2007-03-30 19:24 -------- d-------- C:\Program Files\dell aio printer a920
2007-03-17 14:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-05 21:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll
2007-02-03 18:50 81920 --a------ C:\WINDOWS\SYSTEM32\w32n50.dll
2007-02-03 18:50 17134 --a------ C:\WINDOWS\SYSTEM32\pcandis5.sys
2007-01-28 16:16 44544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{86654CE5-3321-4E5E-A41E-550F7F822F04} C:\WINDOWS\system32\jngiaugd.dll [x]
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"4oD"="\"C:\\Program Files\\Kontiki\\KHost.exe\" -all"
"lsass"=""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\pojxekvf.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"STManager"="\"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe\" -b"
"kdx"="C:\\Program Files\\Kontiki\\KHost.exe -all"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\start.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-26 14:10:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-26 14:10:56
C:\ComboFix-quarantined-files.txt ... 07-04-26 14:10


New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:39:44, on 26/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {86654CE5-3321-4E5E-A41E-550F7F822F04} - C:\WINDOWS\system32\jngiaugd.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\pojxekvf.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Intellisync Lite for NEC 616.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: NTLSignup - https://tesco.autore...o/NTLSignup.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103472275921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161814639253
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{4775387C-251E-4CDF-9232-2D075861E6E5}: NameServer = 192.168.0.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13489 bytes

Well I think that's it.
Thanks a million for all your help so far. Hopefully I won't be needing you again, but if I do encounter problems I know there are people out there willing to help.

#5 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 26 April 2007 - 10:09 AM

Hi Steve, :wave:

You're most welcome, Steve. :)

OK, let's pick up the leftovers.

You are still running two anti-virus programs. This will actually make your system less secure, as they will interfere with each other. Either configure only one for realtime protection, or uninstall one of them.

NEXT:

We will need to disable a few security applications as they may interfere with the fixes that we need to make.

To disable Windows Defender:
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

To deactivate Spyware Doctor's OnGuard Tools:
  • From within Spyware Doctor, click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {86654CE5-3321-4E5E-A41E-550F7F822F04} - C:\WINDOWS\system32\jngiaugd.dll (file missing)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\pojxekvf.dll",realset



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

SpywareBot
Morpheus


You can replace Morpheus with one of the other more reputable P2P programs found at this website:
http://p2p.malwareremoval.com/


NEXT:

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006, read this article: http://www.clickz.co...cle.php/3561546

Additional info: http://vil.nai.com/v...nt/v_137262.htm

I suggest you remove the program now. Go to Start -> Control Panel -> Add/Remove Programs and remove the following programs (if present):

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar



If you have problems with Viewpoint regenerating after uninstallation, then please follow these instructions:

Open AOL and go to Help on the toolbar. Select About AOL. Next is the SECRET STEP. You must then press Ctrl + D to access a "secret" panel to disable all of the desktop and IM fancy features that are associated with viewpoint. This is the only way to prevent AOL from re-installing Viewpoint at AOL startup.



NEXT:

Please launch OTMoveIt:
  • Double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\pojxekvf.dll
    C:\DOCUME~1\Luca\oo.exe
    C:\DOCUME~1\Luca\net.exe
    C:\DOCUME~1\Steve\APPLIC~1\SpywareBot
    C:\WINDOWS\SYSTEM32\jjrehloxou
    C:\Program Files\viewpoint
    C:\Program Files\morpheus


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The results report from OTMoveIt.
  • The log from the Kaspersky scan.
  • A new ComboFix log.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
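The entries Sempurna singles out above (the start page reset to about:blank, the BHO whose DLL is missing, and the rundll32.exe line loading an unknown DLL), together with the two-antivirus point, can be picked out of a HijackThis log mechanically. The Python below is an added example written for this page; it is not part of the thread, of HijackThis, or of any other tool named here. The sample lines are copied from the log Steve posted, while the rundll32 allow-list and the vendor-marker table are constructed assumptions used only to illustrate the triage rules.

```python
"""Triage a HijackThis log: flag the autostart and browser-hook lines a
malware-removal helper would look at first.

Added example for this page, not code from the thread or from HijackThis.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the second HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {86654CE5-3321-4E5E-A41E-550F7F822F04} - C:\WINDOWS\system32\jngiaugd.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\pojxekvf.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Constructed allow-list (assumption, not a reference list): DLLs that commonly
# sit behind rundll32.exe in a Run key on an XP machine. Anything else is a
# triage hint for a human to check, not a verdict.
RUNDLL32_ALLOWLIST = {"shell32.dll", "advpack.dll", "setupapi.dll", "nvcpl.dll"}

# Constructed vendor-marker table (assumption): vendor strings as they appear
# in O23 service lines, mapped to the product family they belong to.
AV_VENDOR_MARKERS = {"ALWIL Software": "avast!", "GRISOFT, s.r.o.": "AVG"}

_SECTION = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section tag, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Apply three simple rules to every R*/O* line and return the hits in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        # Rule 1: a BHO or autostart whose target no longer exists is an orphan
        # left behind by a partial removal and should be cleaned up.
        if "(file missing)" in body:
            findings.append(Finding(kind, "referenced file is missing", line))
            continue
        # Rule 2: a start page reset to about:blank is a common leftover of a
        # browser hijack and is worth restoring to the user's own choice.
        if kind in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
            findings.append(Finding(kind, "start page reset to about:blank", line))
            continue
        # Rule 3: rundll32.exe in a Run key loading a DLL that is not on the
        # allow-list; random-looking DLL names here are what the helper removed.
        if kind == "O4":
            r = _RUNDLL.search(body)
            if r and _basename(r.group("dll")) not in RUNDLL32_ALLOWLIST:
                dll = _basename(r.group("dll"))
                findings.append(Finding(kind, f"rundll32.exe loads unknown DLL {dll}", line))
    return findings


def antivirus_vendors(log_text: str) -> set[str]:
    """Return the antivirus product families that have an O23 service installed.

    More than one entry means two real-time scanners are competing, which is
    the first thing the helper asked Steve to resolve."""
    found: set[str] = set()
    for line in log_text.splitlines():
        if line.startswith("O23 - Service:"):
            for marker, product in AV_VENDOR_MARKERS.items():
                if marker in line:
                    found.add(product)
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.line}")
    vendors = antivirus_vendors(SAMPLE_LOG)
    if len(vendors) > 1:
        print("more than one antivirus installed:", ", ".join(sorted(vendors)))
```

Run against the sample, the three flagged lines are exactly the three Sempurna asked to be fixed in HijackThis, and the vendor check reports both avast! and AVG. The rules are deliberately narrow; a real allow-list would be built from known-good entries rather than the handful constructed here.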

#6 sussexstev

sussexstev

    Member

  • Full Member
  • 5 posts

Posted 27 April 2007 - 09:03 AM

Hi Sempurna
Looks like I'm not out of the woods yet...

OTMoveIt Log:

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\pojxekvf.dll
C:\WINDOWS\SYSTEM32\pojxekvf.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\pojxekvf.dll moved successfully.
C:\DOCUME~1\Luca\oo.exe moved successfully.
C:\DOCUME~1\Luca\net.exe moved successfully.
C:\DOCUME~1\Steve\APPLIC~1\SpywareBot\Settings moved successfully.
C:\DOCUME~1\Steve\APPLIC~1\SpywareBot\Registry Backups moved successfully.
C:\DOCUME~1\Steve\APPLIC~1\SpywareBot\Quarantine moved successfully.
C:\DOCUME~1\Steve\APPLIC~1\SpywareBot\Log moved successfully.
C:\DOCUME~1\Steve\APPLIC~1\SpywareBot moved successfully.
C:\WINDOWS\SYSTEM32\jjrehloxou moved successfully.
C:\Program Files\viewpoint\Common moved successfully.
C:\Program Files\viewpoint moved successfully.
C:\Program Files\morpheus\Torrents moved successfully.
C:\Program Files\morpheus\Temp moved successfully.
C:\Program Files\morpheus\SkinData\happy\xml moved successfully.
C:\Program Files\morpheus\SkinData\happy\images moved successfully.
C:\Program Files\morpheus\SkinData\happy moved successfully.
C:\Program Files\morpheus\SkinData\default\xml moved successfully.
C:\Program Files\morpheus\SkinData\default\images moved successfully.
C:\Program Files\morpheus\SkinData\default moved successfully.
C:\Program Files\morpheus\SkinData moved successfully.
C:\Program Files\morpheus\Schemas moved successfully.
C:\Program Files\morpheus\Partials moved successfully.
C:\Program Files\morpheus\Offers moved successfully.
C:\Program Files\morpheus\My Shared Folder moved successfully.
C:\Program Files\morpheus\Downloads moved successfully.
C:\Program Files\morpheus moved successfully.

Created on 04/27/2007 12:17:17

Kaspersky Report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 27, 2007 2:24:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/04/2007
Kaspersky Anti-Virus database records: 303651
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 99452
Number of viruses found: 7
Number of infected objects: 29 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:37:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8d65b1f830a114ab330887cff9f40022_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01022007-154235.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Luca\Cookies\luca@player2.morpheus.dave[2].txt Object is locked skipped
C:\Documents and Settings\Luca\Local Settings\Temp\qcoxcaeh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-143d1f0c-56946b02.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-20bb343d-4db70cde.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-253803cf-6fd73a69.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2c607b98-188d8cc4.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Steve\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\System\Mapi\1033\NT\oo.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\Program Files\InstallShield Installation Information\{0E3469E7-E33A-4A79-99B7-24883BE62EC9}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{D130E8E3-C39F-4572-A622-8636BBB09865}\Setup.ilg Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\pspvideo9\settings.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc1.mpeg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc104\AlbumArtSmall.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc104\AlbumArt_{5C59786F-720B-4DC8-B8DE-18BC0B8C1658}_Large.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc104\AlbumArt_{5C59786F-720B-4DC8-B8DE-18BC0B8C1658}_Small.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc104\desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc104\Folder.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc104\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc106.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc107.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc11.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc16.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc17.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc18.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc19.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc2.avi Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc21.avs Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc22.avs Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc23.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc24.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc25.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc26.html Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc27.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc28.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc29.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc3.avi Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc30.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc31.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc32.dll Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc33.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc34.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc35.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc36.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc37.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc38.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc39.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc4.asx Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc40.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc41.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc5.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc6.mpeg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc69.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc7.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc70.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc71.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc72.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc73.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc74.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc75.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc76.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc77.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc78.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc79.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc80.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc81.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc82.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc83.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc84.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc85.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc86.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc87.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc88.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc89.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc90.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc91.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc92.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc93\AlbumArtSmall.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc93\AlbumArt_{9598667B-F31D-4CD9-8BAD-89765EFE59EC}_Large.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc93\AlbumArt_{9598667B-F31D-4CD9-8BAD-89765EFE59EC}_Small.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc93\desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc93\Folder.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc93\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc96\AlbumArtSmall.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc96\AlbumArt_{9149DFEF-2A13-4F41-BB6C-E77D750619A6}_Large.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc96\AlbumArt_{9149DFEF-2A13-4F41-BB6C-E77D750619A6}_Small.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc96\desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc96\Folder.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc96\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc97\AlbumArtSmall.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc97\AlbumArt_{9149DFEF-2A13-4F41-BB6C-E77D750619A6}_Large.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc97\AlbumArt_{9149DFEF-2A13-4F41-BB6C-E77D750619A6}_Small.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc97\desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc97\Folder.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc97\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-3632123978-368861370-2758751740-1009\Dc98\1086.mp3 Object is locked skipped
C:\VundoFix Backups\hfmikesk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\hpfyqpxh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\ljuncnsv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\mljjj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\mualtsaa.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\nvouovjs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\rngokkun.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant SmartHSFi V.9x 56K DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_708.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Luca\net.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Luca\net.exe NSIS: infected - 1 skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Luca\oo.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\pojxekvf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

Scan process completed.


ComboFix:
"Steve" - 07-04-27 14:38:22 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Steve\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-27 12:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-04-27 12:22 <DIR> d-------- C:\Program Files\CCleaner
2007-04-26 14:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-24 18:24 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-04-24 18:23 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-04-24 15:42 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-24 15:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-24 15:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-04-24 15:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-04-23 15:36 <DIR> d-------- C:\DOCUME~1\Steve\APPLIC~1\Lavasoft
2007-04-23 15:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-23 15:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-17 22:13 1,308,216 --a------ C:\Program Files\HiJackThis_v2.exe
2007-04-14 11:56 83,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-04-14 11:56 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-04-14 11:56 59,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-04-14 11:56 52,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-04-14 11:56 39,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-04-14 11:56 26,064 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-04-14 11:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-14 11:56 <DIR> d-------- C:\DOCUME~1\Steve\APPLIC~1\PC Tools
2007-04-11 22:08 <DIR> d-------- C:\VundoFix Backups
2007-04-11 20:44 <DIR> d-------- C:\Program Files\RogueRemover
2007-04-09 19:35 <DIR> d-------- C:\DOCUME~1\KIMBER~1\Contacts
2007-04-08 22:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-04 21:04 <DIR> d-------- C:\DOCUME~1\Luca\APPLIC~1\SopCast


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-27 09:12 -------- d-------- C:\Program Files\google
2007-04-26 14:59 -------- d--h----- C:\Program Files\installshield installation information
2007-04-14 15:34 -------- d-------- C:\Program Files\vcom
2007-04-13 22:34 -------- d-------- C:\Program Files\msn messenger
2007-04-01 22:27 359808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2007-03-30 19:24 -------- d-------- C:\Program Files\dell aio printer a920
2007-03-17 14:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-05 21:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll
2007-02-03 18:50 81920 --a------ C:\WINDOWS\SYSTEM32\w32n50.dll
2007-02-03 18:50 17134 --a------ C:\WINDOWS\SYSTEM32\pcandis5.sys
2007-01-28 16:16 44544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"4oD"="\"C:\\Program Files\\Kontiki\\KHost.exe\" -all"
"lsass"=""
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kdx"="C:\\Program Files\\Kontiki\\KHost.exe -all"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\start.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 14:46:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 14:47:18
C:\ComboFix-quarantined-files.txt ... 07-04-27 14:47
C:\ComboFix2.txt ... 07-04-26 14:10
C:\ComboFixlog.txt ... 07-04-26 14:19

Finally, HijackThis:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:52:29, on 27/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Intellisync Lite for NEC 616.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: NTLSignup - https://tesco.autore...o/NTLSignup.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103472275921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161814639253
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{4775387C-251E-4CDF-9232-2D075861E6E5}: NameServer = 192.168.0.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10690 bytes


Everything is still running smoothly - no annoying popups etc. I looked for Spyware Bot but could not find it - Could it be named Spybot search and destroy? Is this the same thing?

Anyway thanks again for the continued support, it really is appreciated, it's really nice to know that there are people out there like yourselves who are willing to help.
Hopefully we can get the last of this stuff cleared up.
Thanks again
Steve
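The ComboFix "Reg Loading Points" section and the HijackThis O4 lines above are where a helper looks for autostart entries that should not be there: the `"lsass"=""` value under HKLM\...\Run (a Run entry named after a core Windows process but pointing at nothing) and the SpywareBot entry are the kind of thing that stands out. The script below is an added example, not code from the thread or from ComboFix, HijackThis or OTMoveIt; it parses both log formats and flags three patterns a defender would want to check: an empty Run value, a system-process name (lsass, svchost, ...) that is not backed by a binary under system32, and a binary that lives in a user profile or temp directory. The rogue-name watchlist and the final `svchost` sample line are constructed for the example; the other sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass, field

# Core Windows process names that malware commonly borrows for autostart
# entries. A Run value with one of these names should be backed by a binary
# under %SystemRoot%\system32, not by an empty value or a user-profile file.
SYSTEM_PROCESS_NAMES = {"lsass", "csrss", "smss", "winlogon", "services", "svchost", "explorer"}

# Constructed watchlist for this example only: the thread identifies SpywareBot
# as a rogue anti-spyware product. A real watchlist would be far longer.
ROGUE_NAMES = {"spywarebot"}

EMPTY = "empty Run value"
IMPERSONATION = "system process name without a system32 binary"
USER_PROFILE = "binary lives in a user profile or temp directory"
ROGUE = "name on rogue-software watchlist"

# ComboFix prints Run values in .reg syntax:  "Name"="C:\\path\\prog.exe args"
_COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# HijackThis prints them as:  O4 - HKLM\..\Run: [Name] C:\path\prog.exe args
_HJT_O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] ?(?P<value>.*)$')
# Heuristic: the executable is everything up to the first ".exe", quoted or not.
_EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s.*|$)', re.IGNORECASE)

PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                   "\\application data\\", "\\temp\\")

# Constructed sample: first six lines copied from the ComboFix / HijackThis
# output in this thread, the last one made up to show the impersonation case.
SAMPLE_LOG = r'''
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"lsass"=""
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Luca\Local Settings\Temp\svchost.exe
'''


@dataclass
class RunEntry:
    name: str
    command: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return a RunEntry for a ComboFix or HijackThis O4 Run line, else None."""
    line = line.strip()
    m = _COMBOFIX_RE.match(line)
    if m:
        # Undo .reg escaping: \\ becomes \ and \" becomes "
        return RunEntry(m["name"], re.sub(r"\\(.)", r"\1", m["value"]))
    m = _HJT_O4_RE.match(line)
    if m:
        return RunEntry(m["name"], m["value"])
    return None


def exe_path(command):
    """Extract the executable path from a Run command line (heuristic)."""
    m = _EXE_RE.match(command.strip())
    return m["path"] if m else ""


def triage(entry):
    """Attach flags to an entry; an empty flag list means nothing stood out."""
    path = exe_path(entry.command)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1].removesuffix(".exe")
    in_system32 = "\\system32\\" in low
    if not entry.command.strip():
        entry.flags.append(EMPTY)
    if (entry.name.lower() in SYSTEM_PROCESS_NAMES or base in SYSTEM_PROCESS_NAMES) and not in_system32:
        entry.flags.append(IMPERSONATION)
    if any(marker in low for marker in PROFILE_MARKERS):
        entry.flags.append(USER_PROFILE)
    if entry.name.lower() in ROGUE_NAMES or base in ROGUE_NAMES:
        entry.flags.append(ROGUE)
    return entry


def suspicious_entries(log_text):
    """Map Run entry name -> flags for every entry in the log that raised a flag."""
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry).flags:
            result[entry.name] = entry.flags
    return result


if __name__ == "__main__":
    for name, flags in suspicious_entries(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

Entries that pass every check (StorageGuard, IgfxTray, AVG7_CC, ctfmon.exe) are not reported; an empty result means the script found nothing, not that the machine is clean, because these checks only cover the Run keys and not BHOs, services or the MountPoints2 autorun that ComboFix also lists.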

#7 Sempurna (Forum Deity, Retired Staff, 3,838 posts)

Posted 30 April 2007 - 11:33 PM

Hi Steve, :wave:

I'm sorry for my late reply. I had lost my Internet access for the last 5 days! :(

And, you're most welcome, Steve. :)

I looked for Spyware Bot but could not find it - Could it be named Spybot search and destroy? Is this the same thing?

Nope, those are different programs. The former is a rogue program, while the latter is perfectly legit. :)

OK, let's pick up those leftovers.

Please launch OTMoveIt:
  • Double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip
    C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip
    C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip
    C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip
    C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip
    C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip
    C:\Documents and Settings\Luca\Local Settings\Temp\qcoxcaeh.dll
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-143d1f0c-56946b02.class
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-20bb343d-4db70cde.class
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-253803cf-6fd73a69.class
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2c607b98-188d8cc4.class
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip
    C:\Program Files\Common Files\System\Mapi\1033\NT\oo.exe
    C:\Program Files\SpywareBot


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

We need to disable your Windows Defender real-time protection as it may interfere with the fixes that we need to make.

To disable Windows Defender:
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"lsass"=-
"SpywareBot"=-


Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

It should look like this: [screenshot]

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The OTMoveIt log.
  • A new HijackThis log.
How are things running now? Please let me know of any persistent problems or suspicious behaviour on your machine.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
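The HijackThis O4 fix and the fix.reg step above both remove persistence entries from the Run keys. As an added example (not from Sempurna's post or from any of the tools named in it), the PowerShell script below audits those keys and flags entries that look like the ones removed here: a value named after a system process, or one launching from outside the Windows and Program Files trees. It assumes an elevated prompt; the names in `$KnownBad` are the two this thread removed.

```powershell
# Added example: audit Run/RunOnce persistence entries on a Windows XP-era
# (or later) machine. Not part of the forum post; the flagged names are
# constructed from the entries this thread deletes ("lsass", "SpywareBot").

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# A Run value named after a core system process is a classic masquerade:
# the real lsass.exe is started by the kernel/session manager, never by Run.
$KnownBad     = @('lsass', 'SpywareBot')
$SystemNames  = @('lsass', 'csrss', 'smss', 'winlogon', 'services', 'svchost')
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles)

function Get-RunEntries {
    # Enumerate every value under each Run key that exists on this machine.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

function Test-SuspiciousEntry {
    param([pscustomobject]$Entry)
    $reasons = @()
    if ($KnownBad -contains $Entry.Name) { $reasons += 'matches a name removed in this thread' }
    if ($SystemNames -contains $Entry.Name.ToLower()) { $reasons += 'mimics a system process name' }

    # Reduce the command line to its executable: strip surrounding quotes,
    # then cut at the first ".exe" so trailing switches like /STARTUP go away.
    $exe = ($Entry.Command -replace '^"([^"]+)".*$', '$1') -replace '^(.+?\.exe)\b.*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $inTrusted = $TrustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) { $reasons += "launches from outside Windows/Program Files: $exe" }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'target file missing (dangling entry)' }
    return $reasons
}

# Print only the entries with at least one reason, one block per entry.
foreach ($e in Get-RunEntries) {
    $why = Test-SuspiciousEntry $e
    if ($why) {
        "{0}\{1} -> {2}`n    {3}" -f $e.Key, $e.Name, $e.Command, ($why -join '; ')
    }
}
```

Entries under Program Files will still show up when the name matches, so a hit on location alone is a prompt to look closer, not a verdict.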

#8 sussexstev

sussexstev

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 May 2007 - 04:58 PM

Hi Sempurna
No problems with waiting - I'm a patient kind of a guy (plus we do have a laptop so the kids have still been able to surf without too much fighting over whose turn it is) :rolleyes:
I would have offered to help with your internet connection but I guess you know a bit more than me :D
Anyway here's the OTMoveit Log:
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip moved successfully.
File/Folder C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip not found.
File/Folder C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-331ff46c-55774b56.zip not found.
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip moved successfully.
File/Folder C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip not found.
File/Folder C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-78e9f018-7fdbf17a.zip not found.
DllUnregisterServer procedure not found in C:\Documents and Settings\Luca\Local Settings\Temp\qcoxcaeh.dll
C:\Documents and Settings\Luca\Local Settings\Temp\qcoxcaeh.dll NOT unregistered.
C:\Documents and Settings\Luca\Local Settings\Temp\qcoxcaeh.dll moved successfully.
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-143d1f0c-56946b02.class moved successfully.
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-20bb343d-4db70cde.class moved successfully.
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-253803cf-6fd73a69.class moved successfully.
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2c607b98-188d8cc4.class moved successfully.
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip moved successfully.
File/Folder C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip not found.
File/Folder C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-282f9173.zip not found.
C:\Program Files\Common Files\System\Mapi\1033\NT\oo.exe moved successfully.
File/Folder C:\Program Files\SpywareBot not found.

Created on 05/01/2007 22:36:35

And here is the latest Hijack This log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:48:15, on 01/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Intellisync Lite for NEC 616.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: NTLSignup - https://tesco.autore...o/NTLSignup.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103472275921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161814639253
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{4775387C-251E-4CDF-9232-2D075861E6E5}: NameServer = 192.168.0.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10684 bytes


Thanks sooo much for all the fantastic help so far. And thanks for keeping it simple for me - it's been really easy to follow and I feel I've learnt some stuff along the way (I won't try using it on my own of course) :cool:

PC is running ok - in fact seems to boot up and load IE more quickly than I can remember, no probs with any other infections or pop ups etc.

Hope to hear from you soon
Thanks again
Steve.

Edited by sussexstev, 01 May 2007 - 05:01 PM.


#9 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 02 May 2007 - 01:21 AM

Hi Steve, :wave:

You're most welcome, Steve. :)

Everything looks great --- your HijackThis log appears to be clean. :)

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
    Tutorial: How to use!

  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!

  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware complement each other very well.
    Quick Guide: How to use!
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck! :D

#10 sussexstev

sussexstev

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 02 May 2007 - 03:56 PM

Hi Sempurna
Thanks again for all the fantastic help you have given me.
PC is running better than ever (probably cleaned out a few things that had been there a while :thumbsup: )
Will give Comodo and SUPERAntiSpyware a try. Thanks for the recommendations.
Have used AVG for the last 6 years or so and this is the first time we've had something as nasty as this infection - kids under no illusion now about opening attachments :!:
Thanks again
4 very happy users in the UK :D

ps will definitely be making a donation to help keep the site going.
Any other users reading this who have been helped by the good people on the site please do the same.

Seems a strange thing to say but hope I don't need you guys again.
Still I'll know where to come if I do need help.
Thanks and goodbye :wave:

#11 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 04 May 2007 - 04:55 AM

You're most welcome, Steve. :)

Have a good one!
~ Sempurna :wave:

#12 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 28 May 2007 - 06:11 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
