Tech Support Guy banner
Cancel

Solved: C:/secure32.html problem !!!

Jump to Latest Follow
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 15 of 15 Posts
M

· Registered
Joined
·
230 Posts
Discussion Starter · #1 ·
When I am trying to open IE I am having this pop up menu: cannot 'find file:///c:/secure32.html'. Make sure the path or Internet address is correct.

Here is the HJ log

Logfile of HijackThis v1.99.1
Scan saved at 2:19:12 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msasvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\cjyvmpqr.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Common Files\{B0CF23F6-03E8-1033-0215-000620200001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Anti-SPAM Guard 3.2] "C:\Program Files\Business Solutions\Anti-SPAM Guard 3.2\AntiSPAM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cjyvmpqr.exe] C:\WINDOWS\system32\cjyvmpqr.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [{B0CF23F6-03E8-1033-0215-000620200001}] "C:\Program Files\Common Files\{B0CF23F6-03E8-1033-0215-000620200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160686440202
O17 - HKLM\System\CCS\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44BA01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O17 - HKLM\System\CS1\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44BA01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: wintts32 - C:\WINDOWS\SYSTEM32\wintts32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
 
JSntgRvr

· Retired Moderator and Malware Specialist
Joined
·
18,546 Posts
First Name -
José
#2 ·
Hi, miniman. :)

Welcome to TSG.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:


  1. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  2. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will prompted, then select "Apply all actions"
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close AVG Anti-Spyware .
While in Safe Mode, double-click on SmitfraudFix.exe

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

* Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" Delete everything except for "My Current Home Page". Click OK then Apply and OK.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the AVG Anti-spyware report, ActiveScan report and contents of C:\rapport.txt produced by Smitfraudfix.
 
Save Share
M

· Registered
Joined
·
230 Posts
Discussion Starter · #3 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:19:25 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\cjyvmpqr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\idd22.tmp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\idd23B.tmp.exe
C:\WINDOWS\TEMP\idd245.tmp.exe
C:\WINDOWS\TEMP\idd277.tmp.exe
C:\WINDOWS\TEMP\idd381.tmp.exe
C:\WINDOWS\TEMP\win21.tmp.exe
C:\WINDOWS\TEMP\idd401.tmp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page

= http://www.yahoo.com/
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} -

C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program

Files\Common Files\Microsoft Shared\Windows

Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class -

{A5366673-E8CA-11D3-9CD9-0090271D075B} -

C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar -

{E0E899AB-F487-11D5-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F}

- c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Anti-SPAM Guard 3.2] "C:\Program

Files\Business Solutions\Anti-SPAM Guard 3.2\AntiSPAM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cjyvmpqr.exe]

C:\WINDOWS\system32\cjyvmpqr.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program

Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [IpWins] C:\Program

Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run:

[BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk =

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk =

C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet -

C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Files by HiDownload

- C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload -

C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download using FlashGet -

C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet -

{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet -

{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program

Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program

Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload -

{F4FBA929-A891-492C-A0F6-5C79CC4F1742} -

C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

(YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86

/client/wuweb_site.cab?1160686440202
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44B

A01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O17 -

HKLM\System\CS1\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44B

A01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O18 - Protocol: livecall -

{828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F}

- C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: partnershipreg - C:\Documents and

Settings\All Users\Documents\Settings\partnership.dll (file

missing)
O20 - Winlogon Notify: wintts32 -

C:\WINDOWS\SYSTEM32\wintts32.dll
O21 - SSODL: WPDShServiceObj -

{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk -

C:\Program Files\Common Files\Autodesk

Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware

Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT,

s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT,

s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner -

C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file

missing)
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) -

Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
 
M

· Registered
Joined
·
230 Posts
Discussion Starter · #4 ·
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:23:35 PM 1/12/2007

+ Scan result:

C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AutoSys -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-436374069-113007714-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4D74AAA-A178-4463-846B-B4BC87A024E0} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP145\A0083529.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP145\A0083530.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP92\A0077984.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{B0CF23F6-03E8-1033-0215-000620200001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{B0CF23F6-03E8-1033-0215-000620200001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP92\A0077911.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP92\A0077916.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP116\A0080628.dll -> Adware.Thingies : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078415.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078515.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP95\A0078117.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078171.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078225.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078279.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078360.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\WinXP.Keychanger (SP1).Keygen (SP2).Product Key Viewer.rar/WinXP.Keychanger (SP1).Keygen (SP2).Product Key Viewer\MS Windows XP SP 2 And Office KeyGen.exe -> Backdoor.Tagent.e : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd478.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd5.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddA.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Local Settings\Temp\winF4.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Local Settings\Temp\winF8.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP143\A0083491.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP92\A0077985.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078418.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078506.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP95\A0078125.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078179.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078233.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078287.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078363.exe -> Downloader.Zlob.avy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078403.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078419.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078453.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078461.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078471.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078485.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078495.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078504.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078505.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP94\A0078103.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP95\A0078111.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078181.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078222.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078235.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078276.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078289.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078323.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078330.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078340.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078352.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078364.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078398.exe -> Downloader.Zlob.bcp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078417.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078507.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP95\A0078124.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078178.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078232.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078286.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078362.exe -> Downloader.Zlob.bda : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078404.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078454.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078462.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078472.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078486.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078496.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078508.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP94\A0078102.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP95\A0078112.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078169.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078223.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078277.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078324.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078331.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078341.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078353.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078399.dll -> Downloader.Zlob.bdb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP95\A0078120.dll -> Downloader.Zlob.bem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078174.dll -> Downloader.Zlob.bem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078228.dll -> Downloader.Zlob.bem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078282.dll -> Downloader.Zlob.bem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078333.dll -> Downloader.Zlob.bem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP92\A0077983.exe -> Dropper.DollarR.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP145\A0083557.dll -> Logger.Delf.mk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078411.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078512.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078513.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078514.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078175.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078229.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078283.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078335.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078350.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP100\A0078420.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP96\A0078182.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP97\A0078236.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP98\A0078290.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0725CF7D-5022-4096-9CCF-644CBEDE44F6}\RP99\A0078365.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvjug.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.231:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.240:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.294:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.312:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.336:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.49:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.55:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.558:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.559:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.83:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.84:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.32:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.532:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.113:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.527:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.137:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.138:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.139:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.140:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.121:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.43:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.44:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.572:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.573:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.333:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.334:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.335:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.343:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.79:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.80:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.81:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.82:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.359:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.360:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.364:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.365:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.393:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.112:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.400:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.401:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.402:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.403:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.404:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.132:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.133:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.134:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.135:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.445:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.447:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.448:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.465:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.466:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.31:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.385:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.386:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.526:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
[220] C:\Documents and Settings\All Users\Documents\Settings\partnership.dll -> Trojan.Agent.oh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\autosys.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end
 
M

· Registered
Joined
·
230 Posts
Discussion Starter · #5 ·
SmitFraudFix v2.132

Scan done at 21:26:34.62, Fri 01/12/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
 
M

· Registered
Joined
·
230 Posts
Discussion Starter · #6 ·
Incident Status Location

Dialer:Dialer.ISM Not disinfected C:\WINDOWS\TEMP\idd22.tmp.exe
Virus:trj/torpig.a Disinfected Operating system
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mzmii8aj.default\cookies.txt[hc2.humanclick.com/hc/35222379]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\[email protected][2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Dialer:Dialer.ISL Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WLS5UPKX\srvswm[1].exe
Dialer:Dialer.ISM Not disinfected C:\WINDOWS\Temp\idd23B.tmp.exe
Dialer:Dialer.ISM Not disinfected C:\WINDOWS\Temp\idd245.tmp.exe
Dialer:Dialer.ISM Not disinfected C:\WINDOWS\Temp\idd277.tmp.exe
Dialer:Dialer.ISM Not disinfected C:\WINDOWS\Temp\idd381.tmp.exe
Dialer:Dialer.ISM Not disinfected C:\WINDOWS\Temp\iddF.tmp.exe
Dialer:Dialer.ISL Not disinfected C:\WINDOWS\Temp\win21.tmp.exe
Dialer:Dialer.ISL Not disinfected C:\WINDOWS\Temp\win23A.tmp.exe
Dialer:Dialer.ISL Not disinfected C:\WINDOWS\Temp\win274.tmp.exe
Dialer:Dialer.ISL Not disinfected C:\WINDOWS\Temp\win376.tmp.exe
Dialer:Dialer.ISL Not disinfected C:\WINDOWS\Temp\win477.tmp.exe
Dialer:Dialer.ISM Not disinfected C:\WINDOWS\Temp\__delete_on_reboot__i_d_d_5_._t_m_p_._e_x_e_
 
JSntgRvr

· Retired Moderator and Malware Specialist
Joined
·
18,546 Posts
First Name -
José
#7 ·
Hi, miniman :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [cjyvmpqr.exe] C:\WINDOWS\system32\cjyvmpqr.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WLS5UPKX\srvswm[1].exe
C:\WINDOWS\Temp\idd23B.tmp.exe
C:\WINDOWS\Temp\idd245.tmp.exe
C:\WINDOWS\Temp\idd277.tmp.exe
C:\WINDOWS\Temp\idd381.tmp.exe
C:\WINDOWS\Temp\iddF.tmp.exe
C:\WINDOWS\Temp\win21.tmp.exe
C:\WINDOWS\Temp\win23A.tmp.exe
C:\WINDOWS\Temp\win274.tmp.exe
C:\WINDOWS\Temp\win376.tmp.exe
C:\WINDOWS\Temp\win477.tmp.exe
C:\WINDOWS\Temp\__delete_on_reboot__i_d_d_5_._t_m_p_._e_x_e_
C:\WINDOWS\TEMP\idd401.tmp.exe
C:\WINDOWS\TEMP\idd22.tmp.exe
C:\WINDOWS\system32\cjyvmpqr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\SYSTEM32\wintts32.dll

Folders to delete:
C:\Program Files\Ipwindows
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
 
Save Share
M

· Registered
Joined
·
230 Posts
Discussion Starter · #8 ·
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mapagdfh

*******************

Script file located at: \??\C:\pbosoejc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WLS5UPKX\srvswm[1].exe not found!
Deletion of file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WLS5UPKX\srvswm[1].exe failed!

Could not process line:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WLS5UPKX\srvswm[1].exe
Status: 0xc0000034

File C:\WINDOWS\Temp\idd23B.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\idd245.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\idd277.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\idd381.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\iddF.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\win21.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\win23A.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\win274.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\win376.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\win477.tmp.exe deleted successfully.
File C:\WINDOWS\Temp\__delete_on_reboot__i_d_d_5_._t_m_p_._e_x_e_ deleted successfully.
File C:\WINDOWS\TEMP\idd401.tmp.exe deleted successfully.
File C:\WINDOWS\TEMP\idd22.tmp.exe deleted successfully.
File C:\WINDOWS\system32\cjyvmpqr.exe deleted successfully.
File C:\WINDOWS\system32\devldr32.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\wintts32.dll deleted successfully.
Folder C:\Program Files\Ipwindows deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 
M

· Registered
Joined
·
230 Posts
Discussion Starter · #9 ·
Logfile of HijackThis v1.99.1
Scan saved at 1:06:43 AM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Anti-SPAM Guard 3.2] "C:\Program Files\Business Solutions\Anti-SPAM Guard 3.2\AntiSPAM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160686440202
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44BA01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O17 - HKLM\System\CS1\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44BA01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: wintts32 - wintts32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
 
JSntgRvr

· Retired Moderator and Malware Specialist
Joined
·
18,546 Posts
First Name -
José
#10 ·
Hi, miniman :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: wintts32 - wintts32.dll (file missing)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Save Share
M

· Registered
Joined
·
230 Posts
Discussion Starter · #11 ·
SDFix: Version 1.58

Sat 01/13/2007 - 11:09:08.09

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\user\Desktop\SDFix

Safe Mode:

Checking Services:

Name:

COM+ Messages
MsaSvc

Path:

"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272
C:\WINDOWS\system32\msasvc.exe

COM+ Messages Deleted
MsaSvc Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting

Normal Mode:

Checking Files:

Files will be copied to Backups folder then removed:

C:\WINDOWS\Temp\idd24.tmp.exe - Deleted
C:\WINDOWS\Temp\idd4D.tmp.exe - Deleted
C:\WINDOWS\Temp\idd9B.tmp.exe - Deleted
C:\WINDOWS\Temp\iddBA.tmp.exe - Deleted
C:\WINDOWS\Temp\iddC0.tmp.exe - Deleted
C:\WINDOWS\Temp\win1.tmp - Deleted
C:\WINDOWS\Temp\win10.tmp - Deleted
C:\WINDOWS\Temp\win11.tmp - Deleted
C:\WINDOWS\Temp\win12.tmp - Deleted
C:\WINDOWS\Temp\win13.tmp - Deleted
C:\WINDOWS\Temp\win14.tmp - Deleted
C:\WINDOWS\Temp\win15.tmp - Deleted
C:\WINDOWS\Temp\win16.tmp - Deleted
C:\WINDOWS\Temp\win17.tmp - Deleted
C:\WINDOWS\Temp\win18.tmp - Deleted
C:\WINDOWS\Temp\win19.tmp - Deleted
C:\WINDOWS\Temp\win1A.tmp - Deleted
C:\WINDOWS\Temp\win1B.tmp - Deleted
C:\WINDOWS\Temp\win1C.tmp - Deleted
C:\WINDOWS\Temp\win1D.tmp - Deleted
C:\WINDOWS\Temp\win1E.tmp - Deleted
C:\WINDOWS\Temp\win1F.tmp - Deleted
C:\WINDOWS\Temp\win2.tmp - Deleted
C:\WINDOWS\Temp\win20.tmp - Deleted
C:\WINDOWS\Temp\win21.tmp - Deleted
C:\WINDOWS\Temp\win22.tmp - Deleted
C:\WINDOWS\Temp\win23.tmp - Deleted
C:\WINDOWS\Temp\win25.tmp - Deleted
C:\WINDOWS\Temp\win26.tmp - Deleted
C:\WINDOWS\Temp\win27.tmp - Deleted
C:\WINDOWS\Temp\win28.tmp - Deleted
C:\WINDOWS\Temp\win29.tmp - Deleted
C:\WINDOWS\Temp\win2A.tmp - Deleted
C:\WINDOWS\Temp\win2B.tmp - Deleted
C:\WINDOWS\Temp\win2C.tmp - Deleted
C:\WINDOWS\Temp\win2D.tmp - Deleted
C:\WINDOWS\Temp\win2E.tmp - Deleted
C:\WINDOWS\Temp\win2F.tmp - Deleted
C:\WINDOWS\Temp\win3.tmp - Deleted
C:\WINDOWS\Temp\win30.tmp - Deleted
C:\WINDOWS\Temp\win31.tmp - Deleted
C:\WINDOWS\Temp\win32.tmp - Deleted
C:\WINDOWS\Temp\win33.tmp - Deleted
C:\WINDOWS\Temp\win34.tmp - Deleted
C:\WINDOWS\Temp\win35.tmp - Deleted
C:\WINDOWS\Temp\win36.tmp - Deleted
C:\WINDOWS\Temp\win37.tmp - Deleted
C:\WINDOWS\Temp\win38.tmp - Deleted
C:\WINDOWS\Temp\win39.tmp - Deleted
C:\WINDOWS\Temp\win3A.tmp - Deleted
C:\WINDOWS\Temp\win3B.tmp - Deleted
C:\WINDOWS\Temp\win3C.tmp - Deleted
C:\WINDOWS\Temp\win3D.tmp - Deleted
C:\WINDOWS\Temp\win3E.tmp - Deleted
C:\WINDOWS\Temp\win3F.tmp - Deleted
C:\WINDOWS\Temp\win4.tmp - Deleted
C:\WINDOWS\Temp\win40.tmp - Deleted
C:\WINDOWS\Temp\win41.tmp - Deleted
C:\WINDOWS\Temp\win42.tmp - Deleted
C:\WINDOWS\Temp\win43.tmp - Deleted
C:\WINDOWS\Temp\win44.tmp - Deleted
C:\WINDOWS\Temp\win45.tmp - Deleted
C:\WINDOWS\Temp\win46.tmp - Deleted
C:\WINDOWS\Temp\win47.tmp - Deleted
C:\WINDOWS\Temp\win48.tmp - Deleted
C:\WINDOWS\Temp\win49.tmp - Deleted
C:\WINDOWS\Temp\win4A.tmp - Deleted
C:\WINDOWS\Temp\win4B.tmp - Deleted
C:\WINDOWS\Temp\win4C.tmp - Deleted
C:\WINDOWS\Temp\win4E.tmp - Deleted
C:\WINDOWS\Temp\win4F.tmp - Deleted
C:\WINDOWS\Temp\win5.tmp - Deleted
C:\WINDOWS\Temp\win50.tmp - Deleted
C:\WINDOWS\Temp\win51.tmp - Deleted
C:\WINDOWS\Temp\win52.tmp - Deleted
C:\WINDOWS\Temp\win53.tmp - Deleted
C:\WINDOWS\Temp\win54.tmp - Deleted
C:\WINDOWS\Temp\win55.tmp - Deleted
C:\WINDOWS\Temp\win56.tmp - Deleted
C:\WINDOWS\Temp\win57.tmp - Deleted
C:\WINDOWS\Temp\win58.tmp - Deleted
C:\WINDOWS\Temp\win59.tmp - Deleted
C:\WINDOWS\Temp\win5A.tmp - Deleted
C:\WINDOWS\Temp\win5B.tmp - Deleted
C:\WINDOWS\Temp\win5C.tmp - Deleted
C:\WINDOWS\Temp\win5D.tmp - Deleted
C:\WINDOWS\Temp\win5E.tmp - Deleted
C:\WINDOWS\Temp\win5F.tmp - Deleted
C:\WINDOWS\Temp\win6.tmp - Deleted
C:\WINDOWS\Temp\win60.tmp - Deleted
C:\WINDOWS\Temp\win61.tmp - Deleted
C:\WINDOWS\Temp\win62.tmp - Deleted
C:\WINDOWS\Temp\win63.tmp - Deleted
C:\WINDOWS\Temp\win64.tmp - Deleted
C:\WINDOWS\Temp\win65.tmp - Deleted
C:\WINDOWS\Temp\win66.tmp - Deleted
C:\WINDOWS\Temp\win67.tmp - Deleted
C:\WINDOWS\Temp\win68.tmp - Deleted
C:\WINDOWS\Temp\win69.tmp - Deleted
C:\WINDOWS\Temp\win7.tmp - Deleted
C:\WINDOWS\Temp\win75.tmp - Deleted
C:\WINDOWS\Temp\win76.tmp - Deleted
C:\WINDOWS\Temp\win77.tmp - Deleted
C:\WINDOWS\Temp\win78.tmp - Deleted
C:\WINDOWS\Temp\win8.tmp - Deleted
C:\WINDOWS\Temp\win81.tmp - Deleted
C:\WINDOWS\Temp\win82.tmp - Deleted
C:\WINDOWS\Temp\win83.tmp - Deleted
C:\WINDOWS\Temp\win84.tmp - Deleted
C:\WINDOWS\Temp\win9.tmp - Deleted
C:\WINDOWS\Temp\win97.tmp - Deleted
C:\WINDOWS\Temp\win98.tmp - Deleted
C:\WINDOWS\Temp\win99.tmp - Deleted
C:\WINDOWS\Temp\win9A.tmp - Deleted
C:\WINDOWS\Temp\win9F.tmp - Deleted
C:\WINDOWS\Temp\winA.tmp - Deleted
C:\WINDOWS\Temp\winB.tmp - Deleted
C:\WINDOWS\Temp\winC.tmp - Deleted
C:\WINDOWS\Temp\winD.tmp - Deleted
C:\WINDOWS\Temp\winE.tmp - Deleted
C:\WINDOWS\Temp\winF.tmp - Deleted

Could Not Remove C:\PROGRA~1\GRISOFT\AVGANT~1.5\GUARD.EXE !

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

Remaining Files:
---------------
C:\PROGRA~1\GRISOFT\AVGANT~1.5\GUARD.EXE

Backups Folder: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\user\Desktop\~WRL0001.tmp
C:\Documents and Settings\user\Desktop\~WRL0003.tmp
C:\Documents and Settings\user\Desktop\~WRL0004.tmp

Finished
 
M

· Registered
Joined
·
230 Posts
Discussion Starter · #12 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:19:36 AM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Anti-SPAM Guard 3.2] "C:\Program Files\Business Solutions\Anti-SPAM Guard 3.2\AntiSPAM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160686440202
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44BA01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O17 - HKLM\System\CS1\Services\Tcpip\..\{4997BF94-F447-4177-A74C-44BA01170B4C}: NameServer = 194.158.37.196 194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
 
JSntgRvr

· Retired Moderator and Malware Specialist
Joined
·
18,546 Posts
First Name -
José
#13 ·
Hi, miniman :)

The log looks clear. How is the computer doing?
 
Save Share
JSntgRvr

· Retired Moderator and Malware Specialist
Joined
·
18,546 Posts
First Name -
José
#15 ·
Hi, miniman. :)

Congratulations.


Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  6. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Click Here for some advise from our security Experts.

Please use the thread's Tools and mark this thread as "Solved".

Best wishes!
 
Save Share
1 - 15 of 15 Posts
Status
Not open for further replies.
About this Discussion
14 Replies
2 Participants
Last post:
JSntgRvr
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Windows XP Off Topic Lounge Thread Games & Discussion
Top