I need help!!! Slow Computer recovering from I-worm/VB.CC Virus

Help!

I had or still have the VB.CC worm virus. I followed a posting that told me to d/l Ewido Security Suite and Clean Up...I went into safe mode...as directed and ran both. I'm having problems with my IE where if I open up a link into another IE window it freezes and shuts down IE altogether. I've also lost my Windows XP display settings and it's now resorted back to the "classic" windows style. (the display settings are the least of my worries, but this all happened around the same time so I figured I'd include it) Everything is slow slow slow! I don't even know where to begin to fix my problems! I'm hoping I got rid of the virus and am now just having hardware issues...things are locking up all the time and I've had to reboot so many times I've lost count!

Please Help!
Thanks in advance!
B

Comments

  • lemonlime Canada Member
    edited October 2005
    Hello,

    I'd venture a guess that there are still some nasties resident in memory, which we need to address.

    Could you please follow the instructions in this thread, and post a HJT log file? All the information on how to do that can be found here:

    http://www.short-media.com/forum/showthread.php?t=14915

    Thanks, hopefully we can get this resolved for you.
  • Thanks for replying so quickly your help is MUCH appreciated! :)

    So I ran ad-aware and spy bot (I already had both on my computer from previous "issues" as you can tell by my name) then ran hijack this and here's my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:38:13 PM, on 10/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    E:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay107.hotmail.msn.com/cgi-bin/hmhome?fti=yes&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=d8484441591c407c0b4f34acd47807459e0568451b064006e098dcac41b97e38
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\mllmk.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

    Hope you can make sense of it..I never could :D I noticed something with regards to Ipod....I don't even have an Ipod?! Wish I did though!
    Hope to hear back from you soon!
    B
  • lemonlime Canada Member
    edited October 2005
    Hello,

    There are a few items that should be addressed in your HJT log. Please do the following:

    1) 'Fix' the following items in HJT:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay107.hotmail.msn.c...098dcac41b97e38


    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\mllmk.dll

    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
    <--this one is not critical, but it does not need to run at startup and is wasting your resources.

    O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll


    Once those are fixed, Reboot Your Computer

    2) Ensure that your system is set up to display 'hidden and system' files, by using the information here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    3) Once those items are fixed in HJT, let's manually 'quarantine' the C:\WINDOWS\System32\mllmk.dll file. Use the instructions available here to quarantine the file: http://www.short-media.com/forum/showpost.php?p=173532&postcount=5

    4) Let's manually delete the C:\WINDOWS\System32\Searchx.htm file from your computer.

    5) Run a full 'Ad-aware SE' scan. Allow Ad-aware to remove anything it finds. Instructions available here: http://www.short-media.com/forum/showthread.php?t=14915

    6) Post another HJT log file for us to take a look at..

    BTW, that iPod service is standard issue with the 'iTunes' application. I wish I had an iPod too! :D

    Best Regards,
    Mike.
  • I did as you instructed and fixed the lines you noted.

    I went to quarantine the file and I couldn't find it. I allowed viewing of hidden and system folders as you said but even when I went to the address directly it couldn't be found.

    I'm not sure whether you wanted me to reboot or not. After I post this log I'll follow up with the rest of the instructions and repost my hjt log.
    Thanks again for all your help!
    Bethan
  • Heya...

    So I rebooted and ran ad-aware SE deleted everything it found and re-ran hijack this. Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:46:34 PM, on 10/8/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
    C:\Program Files\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\mllmk.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

    Hope this is better!
    Thanks again..
    bethan
  • lemonlime Canada Member
    edited October 2005
    Hi Bethan,

    After reviewing your log a little more closely, it appears that you may have the Vundo trojan. Fixing it in the method I described will likely not do the trick. Buckeye_Sam posted a potential solution to another member a few months back that I'd like you to try.. Please follow the below instructions, and when finished, post another HJT log, and the results from the scan tool listed below.

    Thanks,
    Mike

    You have the New Vundo B infection.

    # Download the FxVundoB.exe file from: http://securityresponse.symantec.com/avcenter/FxVundoB.exe.
    # Save the file to a convenient location, such as your Windows desktop.
    # Close all the running programs.
    # If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
    # Restart in safe mode

    Restart safe mode Windows XP
    Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

    # Locate the file that you just downloaded.
    # Double-click the FxVundoB.exe file to start the removal tool.
    # Click Start to begin the process, and then allow the tool to run.
    # Run the removal tool again to ensure that the system is clean.
    # Restart the computer.
    # If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

    Scan again with HJT, with all browsers and windows closed, and post the log in this thread, along with the report from the Symantec tool.
  • Hey...

    Sorry I didn't get back to you sooner...I'm in Canada too so I spent most of the day with my family.

    I ran both programs....the remover twice and hjt once. Here are the results.

    Symantec Trojan.Vundo.B Removal Tool 1.0.0

    Trojan.Vundo.B has not been found on your computer.
    :scratch:
    So I don't know whether that's a good thing...or a bad thing!
    Here's the HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:22:29 AM, on 10/10/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\HPHipm09.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay107.hotmail.msn.com/cgi-bin/hmhome?fti=yes&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=d8484441591c407c0b4f34acd4780745edda1ef87e9299be18acaa32791abde5
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\mllmk.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

    I hope this looks better...or if you see anything else...let me know what to do!
    Thanks again!
    Bethan :)
  • Hi Mike..

    Thought I'd let you know...something called "Win Fixer" keeps popping up when I open IE. Does that mean anything in particular? It doesn't go away unless I 'x' it out...anything else just starts installing a program which obviously you don't want happening. Any ideas?

    Hope to hear back from you soon....
    Bethan
  • lemonlime Canada Member
    edited October 2005
    Hi Bethan,

    I'm from Toronto actually, so we had Thanksgiving this weekend also :)

    I have seen the Winfixer before, and it is a bit of a pain to remove. But the below should work.

    Below is a solution presented by 'Crunchie' to another forum member, that should work for you. I have modified his solution below to work in your situation (I added the correct .dll files, etc.).

    Please let me know how this goes :thumbsup:
    Crunchie wrote:
    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

        C:\WINDOWS\system32\mllmk.dll


    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

        C:\WINDOWS\system32\kmllm.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run, then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay107.hotmail.msn.c...8acaa32791abde5

      O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\mllmk.dll

      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe

      O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll

    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please continue with the instructions below.

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
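The two helper posts above both key on the same thing in the HJT log: one DLL under System32 (mllmk.dll) registered both as a browser helper object (O2) and as a Winlogon Notify package (O20), plus an R1 entry pointing the IE search bar at a local file, and the VundoFix step then deletes that DLL together with kmllm.*. The script below is an added example for readers who want to triage an HJT log for that pattern; it is not code from this thread, from HijackThis or from VundoFix. It assumes the HJT 1.99 line formats shown in the logs posted here, and it derives the companion file name by reversing the DLL's base name, which is an assumption read off the mllmk.dll / kmllm.* pair in the instructions, not a documented property of the infection. The sample log lines are copied from the log posted earlier in the thread.

```python
"""Triage a HijackThis v1.99 log for the O2 + O20 DLL pattern discussed above.

Added example; not part of HijackThis, VundoFix or this thread. The line
formats are those of the logs posted in the thread; the reversed-name
companion rule is an assumption taken from the mllmk.dll -> kmllm.* step.
"""
import re
from collections import defaultdict

# "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# "R0/R1 - HKCU\...\Main,<value name> = <value>"
R_RE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<subkey>.+?),(?P<value_name>[^=]+) = (?P<value>.+)$")
# Matched against a lower-cased path.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\")

# Constructed sample: the relevant lines from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay107.hotmail.msn.com/cgi-bin/hmhome
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\mllmk.dll
O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""


def parse_hjt(text):
    """Return the O2, O20 and R0/R1 entries of an HJT log as lists of dicts."""
    entries = {"O2": [], "O20": [], "R": []}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE), ("R", R_RE)):
            m = rx.match(line)
            if m:
                entries[kind].append(m.groupdict())
                break
    return entries


def companion_pattern(dll_path):
    """Companion name as used by the VundoFix step: base name reversed, any extension.
    Assumption derived from mllmk.dll -> kmllm.* in the instructions above."""
    directory, _, filename = dll_path.rpartition("\\")
    base = filename.rsplit(".", 1)[0]
    return f"{directory}\\{base[::-1]}.*"


def triage(text):
    """Flag a System32 DLL loaded as both BHO and Winlogon Notify package, and
    an R0/R1 value that points IE at a local file."""
    entries = parse_hjt(text)
    findings = []
    loaders = defaultdict(set)   # lower-cased path -> {"O2", "O20"}
    display = {}                 # lower-cased path -> path as written in the log
    for kind in ("O2", "O20"):
        for ent in entries[kind]:
            key = ent["path"].lower()
            loaders[key].add(kind)
            display.setdefault(key, ent["path"])
    for key, kinds in loaders.items():
        if kinds == {"O2", "O20"} and SYSTEM32_RE.match(key):
            findings.append({
                "type": "bho_and_winlogon_notify",
                "path": display[key],
                "companion": companion_pattern(display[key]),
            })
    for ent in entries["R"]:
        if ent["value"].lower().startswith("file://"):
            findings.append({
                "type": "local_file_search_hijack",
                "path": ent["value"][len("file://"):],
            })
    return findings


def lines_to_fix(text):
    """Return the HJT log lines that reference a flagged path, i.e. the lines a
    helper would tell the poster to check and 'Fix' in HijackThis."""
    flagged = {f["path"].lower() for f in triage(text)}
    return [raw.strip() for raw in text.splitlines()
            if any(p in raw.lower() for p in flagged)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("\n".join(lines_to_fix(SAMPLE_LOG)))
```

Run against the sample it reports the mllmk.dll pair with kmllm.* as the companion and the Searchx.htm search-bar hijack, and `lines_to_fix` returns exactly the R1, O2 and O20 lines the helper asked to be fixed. A legitimate BHO such as the Acrobat helper is not flagged because nothing registers it under Winlogon Notify and it does not live in System32.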
        • Hi Mike...

          So here goes...here's all the logs you wanted....

          Vundo Log:


          Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
          Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
          Suspending PID 148 'smss.exe'
          Threads [152][156][160]

          Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
          Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
          Killing PID 728 'explorer.exe'
          Killing PID 728 'explorer.exe'

          Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
          Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
          Error, Cannot find a process with an image name of rundll32.exe

          Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
          Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
          Killing PID 224 'winlogon.exe'
          File Deleted sucessfully.
          Files Deleted sucessfully.

          Active Scan Log:

          Incident Status Location

          Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\atmpvcno.exe
          Adware:adware/tubby No disinfected C:\WINDOWS\SYSTEM32\MTC.ini
          Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkjo32.exe
          Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
          Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
          Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
          Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
          Adware:adware/wintools No disinfected C:\PROGRAM FILES\COMMON FILES\BTLINK
          Adware:adware/sidesearch No disinfected C:\Documents and Settings\David\Application Data\Lycos
          Adware:adware/mediatickets No disinfected Windows Registry
          Adware:Adware/PurityScan No disinfected C:\Program Files\hijackthis\backups\backup-20050304-002648-541.dll
          Adware:Adware/FastFind No disinfected C:\RECYCLED\Dc2\v29.exe
          Dialer:Dialer.VZ No disinfected C:\Setup.exe
          Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP255\A0038308.inf
          Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP267\A0045747.EX_
          Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP267\A0045747.EX_[A0045747.EXe]
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
          Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
          Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
          Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\efcab.dll
          Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\mllkk.dll
          Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\MTC.ini
          Adware:Adware/BrilliantDigital No disinfected E:\Program Files\Kazaa\bdcore.dll

          and finally the HJT log:

          Logfile of HijackThis v1.99.1
          Scan saved at 8:50:26 PM, on 10/11/2005
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\Program Files\ewido\security suite\ewidoctrl.exe
          C:\WINDOWS\System32\HPHipm09.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          C:\Program Files\Microsoft Hardware\Mouse\point32.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          D:\Program Files\PartyPoker\PartyPoker.exe
          C:\Program Files\hijackthis\HijackThis.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
          O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
          O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
          O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
          O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
          O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
          O4 - HKLM\..\Run: [POINTER] point32.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
          O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
          O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
          O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
          O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
          O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
          O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
          O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
          O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
          O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

          Hope this helps!
          Hope to hear from you soon,
          Bethan
        • lemonlime Canada Member
          edited October 2005
          Hi Bethan,

          Fantastic, that solution I posted earlier corrected part of the problem. Hopefully the final cleanup now will go more smoothly. Your HJT log is now free of nasties. According to your Active Scan log, there are still quite a few ad/spy related files sitting idle on your PC.

          I'd run a full Ad-aware SE scan, using the instructions available here:
          http://www.short-media.com/forum/showthread.php?t=14915

          Allow Ad-aware to remove anything it finds. Once finished, run another active scan, and post the logs here.

          Thanks,
          Mike
        • Hey Mike

          Here's the log from the active scan...not sure what other log you were looking for...I ran ad-aware also and deleted everything it found.

          Incident Status Location

          Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\atmpvcno.exe
          Adware:adware/tubby No disinfected C:\WINDOWS\SYSTEM32\MTC.ini
          Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkjo32.exe
          Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
          Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
          Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
          Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
          Adware:adware/wintools No disinfected C:\PROGRAM FILES\COMMON FILES\BTLINK
          Adware:adware/sidesearch No disinfected C:\Documents and Settings\David\Application Data\Lycos
          Adware:adware/mediatickets No disinfected Windows Registry
          Adware:Adware/PurityScan No disinfected C:\Program Files\hijackthis\backups\backup-20050304-002648-541.dll
          Adware:Adware/FastFind No disinfected C:\RECYCLED\Dc2\v29.exe
          Dialer:Dialer.VZ No disinfected C:\Setup.exe
          Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP255\A0038308.inf
          Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP267\A0045747.EX_
          Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP267\A0045747.EX_[A0045747.EXe]
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
          Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
          Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
          Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\efcab.dll
          Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\mllkk.dll
          Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\MTC.ini
          Adware:Adware/BrilliantDigital No disinfected E:\Program Files\Kazaa\bdcore.dll

          I noticed kazaa on there and I haven't had that on my computer for years! Wondering how we can get rid of it?
          Thanks!
          Bethan
        • lemonlime Canada Member
          edited October 2005
          Hi Bethan,

          Could you please manually quarantine the following files using the instructions contained within this link: http://www.short-media.com/forum/showpost.php?p=173532&postcount=5

          Please restart your computer into safe mode to do this.

          C:\WINDOWS\SYSTEM32\atmpvcno.exe
          C:\WINDOWS\SYSTEM32\MTC.ini
          C:\WINDOWS\SYSTEM32\sdkjo32.exe
          C:\WINDOWS\SYSTEM32\vx.tll
          C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          C:\WINDOWS\INF\alchem.inf
          C:\WINDOWS\INF\biini.inf
          C:\WINDOWS\pcconfig.dat
          C:\Program Files\hijackthis\backups\backup-20050304-002648-541.dll
          C:\RECYCLED\Dc2\v29.exe (empty your recycling bin to delete this one)
          C:\Setup.exe
          C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          C:\WINDOWS\Downloaded Program Files\istactivex.inf
          C:\WINDOWS\inf\alchem.inf
          C:\WINDOWS\inf\biini.inf
          C:\WINDOWS\system32\efcab.dll
          C:\WINDOWS\system32\mllkk.dll
          C:\WINDOWS\system32\MTC.ini
          E:\Program Files\Kazaa\bdcore.dll


          Also, could you post a list of your installed applications from HJT (go to Config, then Misc Tools, then 'Uninstall Manager')? Post that list in this thread.

          Once you have quarantined those files, restart your computer, run another active scan, and also post another HJT log.

          Lots of stubborn stuff on there eh? :D Hopefully we're getting closer to the end of this battle..

          Best Regards,
          Mike
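The manual-quarantine step asked for above (move the listed files out of their load paths from safe mode, then rescan) can be scripted so that every moved file is recorded with its original path and hash and can be put back if a detection turns out to be a false positive. This is an added example, not code from the thread or from the instructions it links to. The renaming table is an assumption modelled on the names that appear under C:\Quarantine in the ActiveScan log posted later in this thread (alchem.iii.inf, bdcore.ddd, Setup.xxx.exe, MTC.iii.ini); the ".qqq" infix for any other extension and the manifest format are this example's own choices. It runs against constructed files in a temporary directory.

```python
"""Manual quarantine helper: move suspect files out of their load paths and keep a
manifest so a false positive can be put back where it was.

Added example, not code from the thread. RENAME is an assumption modelled on the
quarantined names visible in the later ActiveScan log; ".qqq" is this example's own.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# suffix -> (infix, new suffix).  The move is what stops a Run/BHO/DPF entry loading
# the file; the rename only stops someone double-clicking the copy in the quarantine.
RENAME = {
    ".dll": ("", ".ddd"),       # bdcore.dll -> bdcore.ddd
    ".exe": (".xxx", ".exe"),   # Setup.exe  -> Setup.xxx.exe
    ".inf": (".iii", ".inf"),   # alchem.inf -> alchem.iii.inf
    ".ini": (".iii", ".ini"),   # MTC.ini    -> MTC.iii.ini
}


def quarantine_name(path) -> str:
    """Name to use for `path` inside the quarantine folder."""
    path = Path(path)
    infix, suffix = RENAME.get(path.suffix.lower(), (".qqq", path.suffix))
    return f"{path.stem}{infix}{suffix}"


def sha256_of(path) -> str:
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(paths, qdir) -> dict:
    """Move every existing path into qdir, recording original path and SHA-256.
    Missing files are reported rather than raised: scan reports routinely list files
    an earlier tool already removed, as happened in this thread."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    mf = qdir / "manifest.json"
    manifest = json.loads(mf.read_text()) if mf.exists() else {}
    done, missing = {}, []
    for src in map(Path, paths):
        if not src.is_file():
            missing.append(str(src))
            continue
        target, n = qdir / quarantine_name(src), 1
        while target.exists():                      # same name quarantined twice
            target, n = qdir / f"{n}_{quarantine_name(src)}", n + 1
        manifest[target.name] = done[target.name] = {
            "original": str(src), "sha256": sha256_of(src)}
        shutil.move(str(src), str(target))
    mf.write_text(json.dumps(manifest, indent=2))
    return {"quarantined": done, "missing": missing}


def restore(qdir, quarantined_name: str) -> Path:
    """Put one quarantined file back, refusing if it changed while quarantined."""
    mf = Path(qdir) / "manifest.json"
    manifest = json.loads(mf.read_text())
    entry, src = manifest.pop(quarantined_name), Path(qdir) / quarantined_name
    if sha256_of(src) != entry["sha256"]:
        raise ValueError(f"{quarantined_name} was modified inside the quarantine")
    dest = Path(entry["original"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    mf.write_text(json.dumps(manifest, indent=2))
    return dest


def demo() -> dict:
    """Run against constructed files in a temp dir and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    sysdir = root / "system32"
    sysdir.mkdir()
    for name in ("bdcore.dll", "Setup.exe", "alchem.inf", "MTC.ini", "vx.tll"):
        (sysdir / name).write_bytes(b"constructed sample, not malware: " + name.encode())
    wanted = ["bdcore.dll", "Setup.exe", "alchem.inf", "MTC.ini", "vx.tll", "v29.exe"]
    result = quarantine([sysdir / n for n in wanted], root / "Quarantine")
    result["restored"] = restore(root / "Quarantine", "bdcore.ddd").name   # false positive
    result["left_in_place"] = sorted(p.name for p in sysdir.iterdir())
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Files that no longer exist are reported rather than treated as errors, which is what happened in this thread when several paths from the scan report could not be found. Quarantined copies still trigger scanner detections, exactly as the later ActiveScan log shows for C:\Quarantine; what matters is that nothing in the startup or browser-extension lists points at them any more.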
        • Hi Mike...

          Thanks again for all your help; this must be getting tedious for you!

          I had some issues quarantining some of the files you said to find. I just couldn't find them! Here's what I couldn't find:


          C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          C:\WINDOWS\Downloaded Program Files\istactivex.inf

          and the C:\recycled\Dc2\v29.exe was not in my recycle bin nor could I find it anywhere on my computer.

          Here are the logs as requested:

          Uninstall List from HJT:

          Ad-Aware SE Personal
          Adobe Acrobat 4.0
          Adobe Reader 7.0
          ArcSoft PhotoBase
          ArcSoft PhotoStudio 2000
          AVG Free Edition
          Batch Assistant
          Big Kahuna Reef
          BlindWrite suite
          Brother MFL Pro Suite
          Caere Scan Manager 5.1
          Canon ScanGear Toolbox CS 2.2
          CleanUp!
          Cool Edit Pro 2.0
          DirectX 9 Hotfix - KB839643
          ewido security suite
          Hauppauge WinTV NT4/Win2000 Drivers
          HijackThis 1.99.1
          hp photosmart P1000 series
          hp photosmart printer series (Remove only)
          IE Host R3
          IrfanView (remove only)
          iTunes
          Java 2 Runtime Environment, SE v1.4.2_04
          LimeWire 4.9.30
          LiveUpdate 2.5 (Symantec Corporation)
          Logitech ImageStudio
          Microsoft Data Access Components KB870669
          Microsoft Office 2000 Premium
          Monopoly Tycoon
          MPIO Manager 2
          MSN Add-in for Windows Messenger
          MSN Messenger 7.0
          MSN Toolbar
          Network Play System (Patching)
          NVIDIA Windows 2000/XP Display Drivers
          OmniPage Pro 9.0
          Outlook Express Q823353
          Panda ActiveScan
          PartyPoker
          QuickTime
          Shockwave
          SiS 900 PCI Fast Ethernet Adapter Driver
          SiS Audio Driver
          Spybot - Search & Destroy 1.3
          The Sims Superstar
          Twistingo (remove only)
          Windows Media Format Runtime
          Windows Media Player 10
          Windows Media Player Hotfix [See Q828026 for more information]
          Windows XP Application Compatibility Update[Q319580]
          Windows XP Hotfix - KB810217
          Windows XP Hotfix - KB823182
          Windows XP Hotfix - KB823559
          Windows XP Hotfix - KB824105
          Windows XP Hotfix - KB825119
          Windows XP Hotfix - KB828035
          Windows XP Hotfix - KB828741
          Windows XP Hotfix - KB833987
          Windows XP Hotfix - KB834707
          Windows XP Hotfix - KB835732
          Windows XP Hotfix - KB837001
          Windows XP Hotfix - KB839645
          Windows XP Hotfix - KB840315
          Windows XP Hotfix - KB840374
          Windows XP Hotfix - KB840987
          Windows XP Hotfix - KB841356
          Windows XP Hotfix - KB841533
          Windows XP Hotfix - KB841873
          Windows XP Hotfix - KB842773
          Windows XP Hotfix - KB873376
          Windows XP Hotfix - KB887822
          Windows XP Hotfix (SP1) [See Q309521 for more information]
          Windows XP Hotfix (SP1) [See Q311889 for more information]
          Windows XP Hotfix (SP1) [See Q311967 for more information]
          Windows XP Hotfix (SP1) [See Q313450 for more information]
          Windows XP Hotfix (SP1) [See Q315000 for more information]
          Windows XP Hotfix (SP1) [See Q315403 for more information]
          Windows XP Hotfix (SP1) [See Q317277 for more information]
          Windows XP Hotfix (SP1) [See Q318138 for more information]
          Windows XP Hotfix (SP1) [See Q323172 for more information]
          Windows XP Hotfix (SP1) [See Q324380 for more information]
          Windows XP Hotfix (SP1) [See Q326830 for more information]
          Windows XP Hotfix (SP1) [See Q328940 for more information]
          Windows XP Hotfix (SP1) [See Q329048 for more information]
          Windows XP Hotfix (SP1) [See Q329390 for more information]
          Windows XP Hotfix (SP1) [See Q329441 for more information]
          Windows XP Hotfix (SP1) [See Q329834 for more information]
          Windows XP Hotfix (SP1) Q329170
          Windows XP Hotfix (SP1) Q810577
          Windows XP Hotfix (SP1) Q810833
          Windows XP Hotfix (SP1) Q817606
          Windows XP Hotfix (SP2) [See Q329115 for more information]
          Yahoo! extras
          Yahoo! Messenger

          Active Scan Log:


          Incident Status Location

          Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          Adware:adware/mediatickets No disinfected Windows Registry
          Adware:Adware/IPInsight No disinfected C:\Quarantine\alchem.iii.inf
          Adware:Adware/PurityScan No disinfected C:\Quarantine\backup-20050304-002648-541.ddd
          Adware:Adware/BrilliantDigital No disinfected C:\Quarantine\bdcore.ddd
          Spyware:Spyware/BetterInet No disinfected C:\Quarantine\biini.iii.inf
          Adware:Adware/StartPage.AIW No disinfected C:\Quarantine\efcab.ddd
          Adware:Adware/StartPage.AIW No disinfected C:\Quarantine\mllkk.ddd
          Adware:Adware/Tubby No disinfected C:\Quarantine\MTC.iii.ini
          Dialer:Dialer.VZ No disinfected C:\Quarantine\Setup.xxx.exe
          Adware:Adware/FastFind No disinfected C:\RECYCLED\Dc2\v29.exe
          Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP255\A0038308.inf
          Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP267\A0045747.EX_
          Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP267\A0045747.EX_[A0045747.EXe]
          Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP271\A0051648.inf
          Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP271\A0051650.inf
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
          Adware:Adware/BrilliantDigital No disinfected E:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP271\A0051649.dll
          and the HJT Log:

          Logfile of HijackThis v1.99.1
          Scan saved at 12:21:48 AM, on 10/13/2005
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\Program Files\ewido\security suite\ewidoctrl.exe
          C:\Program Files\ewido\security suite\ewidoguard.exe
          C:\WINDOWS\System32\HPHipm09.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          C:\Program Files\Microsoft Hardware\Mouse\point32.exe
          E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\hijackthis\HijackThis.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
          O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
          O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
          O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
          O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
          O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
          O4 - HKLM\..\Run: [POINTER] point32.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
          O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
          O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
          O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
          O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
          O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
          O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
          O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
          O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
          O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

          Hope you can make sense of this!
          Talk to you soon,
          Bethan
        • lemonlime Canada Member
          edited October 2005
          Hi Bethan,

          Slowly but surely, things are beginning to look better :D Your HJT log is still looking nice and clean, but there are still some items sitting on your drive. Let's keep going here.

          Firstly, let's start out by 'Uninstalling' the following from the Add/Remove programs menu in the control panel:

          Batch Assistant <-- known spyware application
          IE Host R3 <-- known adware, that displays advertising

          Secondly, a lot of those 'Active Scan' items are actually stored as a result of your 'System Restore' save point in Windows XP. Follow the below instructions to disable and re-enable system restore. This will clear out those nasties sitting there. Simply disable it, and re-enable it. http://www.short-media.com/forum/showpost.php?p=172591&postcount=4

          Could you also check to see if there is a 'C:\Recycled' folder. If there is, please delete its contents. The real recycling bin should be called 'C:\RECYCLER'.

          Thirdly, please follow the below instructions to address the 'mediatickets' registry item:
          Crunchie wrote:
          Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool. Type mediatickets in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them here.

          I think we're almost there now. Things should be greatly improved after the above is done.

          Once finished, please post an updated activescan log, along with a HJT log.

          Thanks,
          Mike
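The reading of the ActiveScan report in the post above comes down to sorting each "No disinfected" line by where the item sits: copies under System Volume Information go away when System Restore is toggled, items already in C:\Quarantine are inert, a "Windows Registry" hit needs a registry search, a stale C:\RECYCLED folder gets emptied, and only the remainder needs hands-on removal. The script below does that sort automatically over a pasted report. It is an added example, not code from the thread or from Panda. The line format and the lines in SAMPLE_REPORT are copied from the logs posted in this thread (it deliberately includes the fused "BrilliantDigitalNo disinfected" form that appears in them); the bucket names, the path rules and the ACTION text are this example's own, repeating the advice given in the thread where it exists and otherwise being assumptions.

```python
"""Triage a pasted Panda ActiveScan report by where each reported item lives.

Added example, not code from the thread or from Panda. Line format and SAMPLE_REPORT
lines are copied from the logs in this thread; buckets, rules and ACTION text are this
example's own (assumptions where the thread gives no advice).
"""
import re
from collections import defaultdict

# "Category:Name Status Location".  The lazy name group also accepts the fused
# "BrilliantDigitalNo disinfected" lines that appear in the pasted logs.
LINE_RE = re.compile(
    r"^\s*(?P<category>[A-Za-z]+):(?P<name>\S+?)\s*"
    r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)

# Checked in order against the lower-cased location; first hit wins, else "live".
RULES = [
    ("registry",      lambda loc: loc == "windows registry"),
    ("quarantined",   lambda loc: loc.startswith("c:\\quarantine\\")),
    ("restore_point", lambda loc: "\\system volume information\\_restore" in loc),
    ("recycled",      lambda loc: "\\recycled\\" in loc),
    ("activex_cache", lambda loc: "\\downloaded program files\\" in loc),
]

ACTION = {
    "disinfected":   "nothing, the scanner already cleaned it",
    "registry":      "search the registry for the name and remove what it finds",
    "quarantined":   "nothing, inert copy in the quarantine folder (it will keep alerting)",
    "restore_point": "disable and re-enable System Restore to drop the old restore points",
    "recycled":      "stale C:\\RECYCLED folder, empty it (XP's own bin is C:\\RECYCLER)",
    "activex_cache": "IE ActiveX cache, remove the control via Tools > Internet Options"
                     " > Settings > View Objects",
    "live":          "quarantine the file by hand from safe mode",
}


def parse_line(line: str):
    """Dict with category/name/status/location, or None for headers and blank lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def bucket_for(entry: dict) -> str:
    if entry["status"] == "Disinfected":
        return "disinfected"
    loc = entry["location"].lower()
    return next((name for name, test in RULES if test(loc)), "live")


def triage(report: str) -> dict:
    """bucket name -> list of locations, in report order."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        entry = parse_line(line)
        if entry:
            buckets[bucket_for(entry)].append(entry["location"])
    return dict(buckets)


def needs_manual_quarantine(report: str) -> list:
    """Only the 'live' items belong on the list sent back to the user."""
    return triage(report).get("live", [])


# Lines copied from the reports posted in this thread (drawn from three scans).
SAMPLE_REPORT = r"""Incident Status Location
Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
Adware:adware/mediatickets No disinfected Windows Registry
Virus:Trj/Vundo.B Disinfected C:\Program Files\hijackthis\backups\backup-20051008-144417-726.dll
Adware:Adware/IPInsight No disinfected C:\Quarantine\alchem.iii.inf
Adware:Adware/PurityScan No disinfected C:\Quarantine\backup-20050304-002648-541.ddd
Adware:Adware/BrilliantDigital No disinfected C:\Quarantine\bdcore.ddd
Spyware:Spyware/BetterInet No disinfected C:\Quarantine\biini.iii.inf
Adware:Adware/StartPage.AIW No disinfected C:\Quarantine\efcab.ddd
Adware:Adware/StartPage.AIW No disinfected C:\Quarantine\mllkk.ddd
Adware:Adware/Tubby No disinfected C:\Quarantine\MTC.iii.ini
Dialer:Dialer.VZ No disinfected C:\Quarantine\Setup.xxx.exe
Adware:Adware/FastFind No disinfected C:\RECYCLED\Dc2\v29.exe
Virus:Trj/Vundo.B Disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP273\A0053669.dll
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP255\A0038308.inf
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\atmpvcno.exe
Adware:Adware/BrilliantDigitalNo disinfected E:\Program Files\Kazaa\bdcore.dll
"""

if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"{name} ({len(items)}): {ACTION[name]}")
        for loc in items:
            print("    " + loc)
```

Run on the sample, only two lines end up in the "live" bucket (atmpvcno.exe and the Kazaa bdcore.dll), which is the list a helper would actually hand back for manual quarantine; the other seventeen are scanner noise from restore points, the quarantine folder itself, the ActiveX cache and an already-disinfected file.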
        • Hi Mike...

          Here are the Logs as you requested...I can't see it making any difference...but then, that's why I came to you for help!
          Thanks again!
          Bethan

          Registry Log:
          REGEDIT4
          ; RegSrch.vbs © Bill James

          ; Registry search results for string "mediatickets" 10/13/2005 8:40:04 PM

          ; NOTE: This file will be deleted when you close WordPad.
          ; You must manually save this file to a new location if you want to refer to it again later.
          ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/MediaTicketsInstaller.ocx]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/MediaTicketsInstaller.ocx]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/MediaTicketsInstaller.ocx]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
          "C:\\WINDOWS\\Downloaded Program Files\\MediaTicketsInstaller.ocx"=dword:00000001

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
          "C:\\WINDOWS\\Downloaded Program Files\\CONFLICT.1\\MediaTicketsInstaller.ocx"=dword:00000001

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
          "C:\\WINDOWS\\Downloaded Program Files\\CONFLICT.2\\MediaTicketsInstaller.ocx"=dword:00000001

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
          "C:\\WINDOWS\\Downloaded Program Files\\CONFLICT.3\\MediaTicketsInstaller.ocx"=dword:00000001

          [HKEY_USERS\S-1-5-21-1645522239-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
          "goicfboogidikkejccmclpieicihhlpo ejemdn"="MediaTickets"

          Active Scan Log:


          Incident Status Location

          Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          Adware:adware/mediatickets No disinfected Windows Registry
          Virus:Trj/Vundo.B Disinfected C:\Program Files\hijackthis\backups\backup-20051008-144417-726.dll
          Adware:Adware/IPInsight No disinfected C:\Quarantine\alchem.iii.inf
          Adware:Adware/PurityScan No disinfected C:\Quarantine\backup-20050304-002648-541.ddd
          Adware:Adware/BrilliantDigital No disinfected C:\Quarantine\bdcore.ddd
          Spyware:Spyware/BetterInet No disinfected C:\Quarantine\biini.iii.inf
          Adware:Adware/StartPage.AIW No disinfected C:\Quarantine\efcab.ddd
          Adware:Adware/StartPage.AIW No disinfected C:\Quarantine\mllkk.ddd
          Adware:Adware/Tubby No disinfected C:\Quarantine\MTC.iii.ini
          Dialer:Dialer.VZ No disinfected C:\Quarantine\Setup.xxx.exe
          Adware:Adware/FastFind No disinfected C:\RECYCLED\Dc2\v29.exe
          Virus:Trj/Vundo.B Disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP273\A0053669.dll
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
          and finally the HJT Log:

          Logfile of HijackThis v1.99.1
          Scan saved at 12:39:39 AM, on 10/14/2005
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\Program Files\ewido\security suite\ewidoctrl.exe
          C:\Program Files\ewido\security suite\ewidoguard.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          C:\Program Files\Microsoft Hardware\Mouse\point32.exe
          E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
          C:\Program Files\MSN Messenger\msnmsgr.exe
          C:\Program Files\hijackthis\HijackThis.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
          O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
          O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
          O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
          O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
          O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
          O4 - HKLM\..\Run: [POINTER] point32.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
          O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
          O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
          O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
          O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
          O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
          O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
          O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
          O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
          O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

          I was wondering...you kept asking me to "fix" a line on the HJT log...but it was my homepage on IE so every time I did it my homepage comes up "about:Blank". Can I reset it back to what I had it without any issues?

          Thanks for your help!
          Bethan
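The helper in this thread reads each HijackThis log for the same thing: what changed since the last scan, and which autostart (O4) commands deserve a closer look. As an added example that is not part of this thread, here is a small Python parser for the HJT 1.99.1 log format that diffs two scans and flags O4 commands given as a bare file name; the two sample logs are constructed excerpts modelled on the format above.

```python
"""Parse HijackThis (v1.99.1-style) logs, diff two scans, and flag O4 entries.

Added example, not tool code from this thread. The sample logs below are
constructed excerpts in the same format as the logs posted above.
"""
import re
from typing import Dict, List, Tuple

# One item line, e.g. "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install"
_ITEM_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Registry autostart: "HKLM\..\Run: [Name] command"
_RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")
# Startup-folder autostart: "Global Startup: name.lnk = C:\path\prog.exe"
_STARTUP_RE = re.compile(r"^(Global Startup|Startup): (.*?) = (.*)$")

Sections = Dict[str, List[str]]


def parse_hjt(text: str) -> Sections:
    """Return {"processes": [...], "O2": [...], "O4": [...], ...}.

    The 'Running processes:' block ends at the first blank line; every
    later line of the form '<Tag> - <entry>' is filed under its tag.
    """
    sections: Sections = {"processes": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            sections["processes"].append(line)
            continue
        m = _ITEM_RE.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def diff_hjt(old: Sections, new: Sections) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per section, the (added, removed) entries between two scans, in log order."""
    result: Dict[str, Tuple[List[str], List[str]]] = {}
    for sec in sorted(set(old) | set(new)):
        o, n = old.get(sec, []), new.get(sec, [])
        added = [e for e in n if e not in o]
        removed = [e for e in o if e not in n]
        if added or removed:
            result[sec] = (added, removed)
    return result


def autostart_entries(sections: Sections) -> List[Tuple[str, str, str]]:
    """Split every O4 entry into (location, name, command)."""
    out = []
    for entry in sections.get("O4", []):
        m = _RUN_RE.match(entry) or _STARTUP_RE.match(entry)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def unqualified_autostarts(sections: Sections) -> List[Tuple[str, str, str]]:
    """O4 commands written as a bare file name (no drive or directory).

    Such commands are resolved through the PATH search order, so the file
    that actually runs is not stated by the log; an analyst verifies it.
    """
    flagged = []
    for loc, name, cmd in autostart_entries(sections):
        parts = cmd.split()
        exe = parts[0] if parts else ""
        if exe and "\\" not in exe and ":" not in exe:
            flagged.append((loc, name, cmd))
    return flagged


# Constructed sample logs (excerpts in the thread's format, not real scans).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:39:39 AM, on 10/14/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:07:52 PM, on 10/20/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
"""

if __name__ == "__main__":
    old, new = parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)
    for sec, (added, removed) in diff_hjt(old, new).items():
        for e in added:
            print(f"+ {sec}: {e}")
        for e in removed:
            print(f"- {sec}: {e}")
    for loc, name, cmd in unqualified_autostarts(new):
        print(f"check PATH-resolved autostart {loc} [{name}] -> {cmd}")
```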
        • Hi Mike...

          Just wondering if you're still around...I haven't heard from you in a couple of days since my last post and things on my computer are getting worse. :confused:

          I hope everything is ok. Hope to hear from you soon
          Bethan
        • lemonlimelemonlime Canada Member
          edited October 2005
          Hi Mike...

          Just wondering if you're still around...I haven't heard from you in a couple of days since my last post and things on my computer are getting worse. :confused:

          I hope everything is ok. Hope to hear from you soon
          Bethan

          Hi Bethan, sorry for the delay in getting back to you. I'll take a look at your logs right away.

          Thanks,
          Mike
        • lemonlimelemonlime Canada Member
          edited October 2005
          Hi Bethan,

          On the contrary, things are looking much better from where I'm standing :) We'll get this solved once and for all very soon.

          1) Delete all of the contents of the C:\Quarantine folder. Nothing in there will be missed.

          2) Make a full backup of your registry, using the instructions available here:
          http://www.techtricks.com/assorted/regbackup.php

          3) I created two registry files (attached) that will automatically remove those 'MediaTickets' entries. Please be sure you made a backup (see previous step) before executing those files. Simply double click them and say 'Yes' when prompted. Please let me know if the second file (the one ending in 2) returns an error..

          4) Please reboot into safe mode, and check again to see if you can find the following files:

          C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          C:\RECYCLED\Dc2\v29.exe
          C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          C:\WINDOWS\Downloaded Program Files\istactivex.inf


          If they are found, please delete them. I know you mentioned earlier that they were not there, but please check again in safe mode.

          5) Reboot again into 'regular' mode, disable and re-enable system restore again (as described in previous post)

          6) Re-run ad-aware, and activescan. Post results here. Remove anything that ad-aware finds.

          7) Finally, post another HJT log.


          P.S. Could you describe (in detail) what sort of problems your system is still experiencing?

          Thanks,
          Mike
        • Hi Mike

          Sorry it's taken a bit but my computer's being really slow lately.

          I deleted the Quarantine folder. I made a backup of the registry and ran the two files you gave me. The second one didn't return an error message.

          I rebooted in safe mode and looked for those files again...I can't find them...all that's in the "downloaded program files" folder is names of programs...no individual files or folders. I attempted to look up the "conflict.3" folder and it said no such folder exists. There is no "Dc2" folder in "recycled" so I couldn't delete that one either.

          I dis/re-enabled system restore and ran the scans as you requested; here are the logs:

          ACTIVE SCAN:


          Incident Status Location

          Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          Adware:adware/tubby No disinfected Windows Registry
          Adware:Adware/FastFind No disinfected C:\RECYCLED\Dc2\v29.exe
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf


          AD AWARE SCAN LOG:


          Ad-Aware SE Build 1.06r1
          Logfile Created on:Thursday, October 20, 2005 8:00:38 PM
          Created with Ad-Aware SE Personal, free for private use.
          Using definitions file:SE1R71 19.10.2005
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          References detected during the scan:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          MRU List(TAC index:0):22 total references
          Tracking Cookie(TAC index:3):1 total references
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Ad-Aware SE Settings
          ===========================
          Set : Search for negligible risk entries
          Set : Search for low-risk threats
          Set : Safe mode (always request confirmation)
          Set : Scan active processes
          Set : Scan registry
          Set : Deep-scan registry
          Set : Scan my IE Favorites for banned URLs
          Set : Scan my Hosts file

          Extended Ad-Aware SE Settings
          ===========================
          Set : Unload recognized processes & modules during scan
          Set : Scan registry for all users instead of current user only
          Set : Always try to unload modules before deletion
          Set : During removal, unload Explorer and IE if necessary
          Set : Let Windows remove files in use at next reboot
          Set : Delete quarantined objects after restoring
          Set : Include basic Ad-Aware settings in log file
          Set : Include additional Ad-Aware settings in log file
          Set : Include reference summary in log file
          Set : Include alternate data stream details in log file
          Set : Play sound at scan completion if scan locates critical objects


          10-20-2005 8:00:38 PM - Scan started. (Full System Scan)

          MRU List Object Recognized!
          Location: : C:\Documents and Settings\David\Application Data\microsoft\office\recent
          Description : list of recently opened documents using microsoft office


          MRU List Object Recognized!
          Location: : C:\Documents and Settings\David\recent
          Description : list of recently opened documents


          MRU List Object Recognized!
          Location: : software\microsoft\direct3d\mostrecentapplication
          Description : most recent application to use microsoft direct3d


          MRU List Object Recognized!
          Location: : software\microsoft\direct3d\mostrecentapplication
          Description : most recent application to use microsoft direct X


          MRU List Object Recognized!
          Location: : software\microsoft\directdraw\mostrecentapplication
          Description : most recent application to use microsoft directdraw


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\internet explorer
          Description : last download directory used in microsoft internet explorer


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\internet explorer\typedurls
          Description : list of recently entered addresses in microsoft internet explorer


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\mediaplayer\player\recentfilelist
          Description : list of recently used files in microsoft windows media player


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\mediaplayer\preferences
          Description : last playlist index loaded in microsoft windows media player


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\mediaplayer\preferences
          Description : last playlist loaded in microsoft windows media player


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\microsoft management console\recent file list
          Description : list of recent snap-ins used in the microsoft management console


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
          Description : list of recent documents opened by microsoft word


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
          Description : list of recent documents saved by microsoft word


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\search assistant\acmru
          Description : list of recent search terms used with the search assistant


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\applets\paint\recent file list
          Description : list of files recently opened using microsoft paint


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\applets\regedit
          Description : last key accessed using the microsoft registry editor


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list
          Description : list of recent files opened using wordpad


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
          Description : list of recent programs opened


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
          Description : list of recently saved files, stored according to file extension


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\explorer\recentdocs
          Description : list of recent documents opened


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows\currentversion\explorer\runmru
          Description : mru list for items opened in start | run


          MRU List Object Recognized!
          Location: : S-1-5-21-1645522239-1580436667-1060284298-1003\software\microsoft\windows media\wmsdk\general
          Description : windows media sdk


          Listing running processes
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          #:1 [smss.exe]
          FilePath : \SystemRoot\System32\
          ProcessID : 448
          ThreadCreationTime : 10-20-2005 11:51:27 PM
          BasePriority : Normal


          #:2 [csrss.exe]
          FilePath : \??\C:\WINDOWS\system32\
          ProcessID : 508
          ThreadCreationTime : 10-20-2005 11:51:54 PM
          BasePriority : Normal


          #:3 [winlogon.exe]
          FilePath : \??\C:\WINDOWS\system32\
          ProcessID : 532
          ThreadCreationTime : 10-20-2005 11:51:54 PM
          BasePriority : High


          #:4 [services.exe]
          FilePath : C:\WINDOWS\system32\
          ProcessID : 576
          ThreadCreationTime : 10-20-2005 11:51:55 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Services and Controller app
          InternalName : services.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : services.exe

          #:5 [lsass.exe]
          FilePath : C:\WINDOWS\system32\
          ProcessID : 588
          ThreadCreationTime : 10-20-2005 11:51:55 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : LSA Shell (Export Version)
          InternalName : lsass.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : lsass.exe

          #:6 [svchost.exe]
          FilePath : C:\WINDOWS\system32\
          ProcessID : 752
          ThreadCreationTime : 10-20-2005 11:51:57 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Generic Host Process for Win32 Services
          InternalName : svchost.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : svchost.exe

          #:7 [svchost.exe]
          FilePath : C:\WINDOWS\System32\
          ProcessID : 824
          ThreadCreationTime : 10-20-2005 11:51:57 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Generic Host Process for Win32 Services
          InternalName : svchost.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : svchost.exe

          #:8 [svchost.exe]
          FilePath : C:\WINDOWS\System32\
          ProcessID : 1008
          ThreadCreationTime : 10-20-2005 11:51:59 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Generic Host Process for Win32 Services
          InternalName : svchost.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : svchost.exe

          #:9 [svchost.exe]
          FilePath : C:\WINDOWS\System32\
          ProcessID : 1024
          ThreadCreationTime : 10-20-2005 11:51:59 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Generic Host Process for Win32 Services
          InternalName : svchost.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : svchost.exe

          #:10 [spoolsv.exe]
          FilePath : C:\WINDOWS\system32\
          ProcessID : 1156
          ThreadCreationTime : 10-20-2005 11:52:01 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (XPClient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Spooler SubSystem App
          InternalName : spoolsv.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : spoolsv.exe

          #:11 [avgamsvr.exe]
          FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
          ProcessID : 1288
          ThreadCreationTime : 10-20-2005 11:52:08 PM
          BasePriority : Normal
          FileVersion : 7,1,0,321
          ProductVersion : 7.1.0.321
          ProductName : AVG Anti-Virus System
          CompanyName : GRISOFT, s.r.o.
          FileDescription : AVG Alert Manager
          InternalName : avgamsvr
          LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
          OriginalFilename : avgamsvr.EXE

          #:12 [avgupsvc.exe]
          FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
          ProcessID : 1300
          ThreadCreationTime : 10-20-2005 11:52:08 PM
          BasePriority : Normal
          FileVersion : 7,1,0,321
          ProductVersion : 7.1.0.321
          ProductName : AVG 7.0 Anti-Virus System
          CompanyName : GRISOFT, s.r.o.
          FileDescription : AVG Update Service
          InternalName : avgupsvc
          LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
          OriginalFilename : avgupdsvc.EXE

          #:13 [hphipm09.exe]
          FilePath : C:\WINDOWS\System32\
          ProcessID : 1380
          ThreadCreationTime : 10-20-2005 11:52:09 PM
          BasePriority : Normal
          FileVersion : 4, 5, 0, 770
          ProductVersion : 4, 5, 0, 770
          ProductName : HP PML
          CompanyName : HP
          FileDescription : PML Driver
          InternalName : PmlDrv
          LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
          OriginalFilename : PmlDrv.exe

          #:14 [svchost.exe]
          FilePath : C:\WINDOWS\System32\
          ProcessID : 1444
          ThreadCreationTime : 10-20-2005 11:52:09 PM
          BasePriority : Normal
          FileVersion : 5.1.2600.0 (xpclient.010817-1148)
          ProductVersion : 5.1.2600.0
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Generic Host Process for Win32 Services
          InternalName : svchost.exe
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : svchost.exe

          #:15 [wdfmgr.exe]
          FilePath : C:\WINDOWS\System32\
          ProcessID : 1468
          ThreadCreationTime : 10-20-2005 11:52:10 PM
          BasePriority : Normal
          FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
          ProductVersion : 5.2.3790.1230
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Windows User Mode Driver Manager
          InternalName : WdfMgr
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : WdfMgr.exe

          #:16 [explorer.exe]
          FilePath : C:\WINDOWS\
          ProcessID : 1844
          ThreadCreationTime : 10-20-2005 11:52:27 PM
          BasePriority : Normal
          FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
          ProductVersion : 6.00.2600.0000
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Windows Explorer
          InternalName : explorer
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : EXPLORER.EXE

          #:17 [lvcoms.exe]
          FilePath : C:\Program Files\Common Files\Logitech\QCDriver3\
          ProcessID : 2040
          ThreadCreationTime : 10-20-2005 11:52:31 PM
          BasePriority : Normal
          FileVersion : 7.3.0.1113
          ProductVersion : 7.3.0.1113
          ProductName : Logitech ImageStudio
          CompanyName : Logitech Inc.
          FileDescription : LVCom Server
          InternalName : LVComS.exe
          LegalCopyright : (c) 1996-2002 Logitech. All rights reserved.
          OriginalFilename : LVComS.exe

          #:18 [point32.exe]
          FilePath : C:\Program Files\Microsoft Hardware\Mouse\
          ProcessID : 184
          ThreadCreationTime : 10-20-2005 11:52:32 PM
          BasePriority : Normal


          #:19 [ypager.exe]
          FilePath : E:\PROGRA~1\YAHOO!\MESSEN~1\
          ProcessID : 276
          ThreadCreationTime : 10-20-2005 11:52:33 PM
          BasePriority : Normal


          #:20 [iexplore.exe]
          FilePath : C:\Program Files\Internet Explorer\
          ProcessID : 1636
          ThreadCreationTime : 10-20-2005 11:57:49 PM
          BasePriority : Normal
          FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
          ProductVersion : 6.00.2600.0000
          ProductName : Microsoft® Windows® Operating System
          CompanyName : Microsoft Corporation
          FileDescription : Internet Explorer
          InternalName : iexplore
          LegalCopyright : © Microsoft Corporation. All rights reserved.
          OriginalFilename : IEXPLORE.EXE

          #:21 [ad-aware.exe]
          FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
          ProcessID : 708
          ThreadCreationTime : 10-21-2005 12:00:22 AM
          BasePriority : Normal
          FileVersion : 6.2.0.236
          ProductVersion : SE 106
          ProductName : Lavasoft Ad-Aware SE
          CompanyName : Lavasoft Sweden
          FileDescription : Ad-Aware SE Core application
          InternalName : Ad-Aware.exe
          LegalCopyright : Copyright © Lavasoft AB Sweden
          OriginalFilename : Ad-Aware.exe
          Comments : All Rights Reserved

          Memory scan result:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 22


          Started registry scan
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Registry Scan result:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 22


          Started deep registry scan
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Deep registry scan result:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 22


          Started Tracking Cookie scan
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


          Tracking Cookie Object Recognized!
          Type : IECache Entry
          Data : david@live365[1].txt
          TAC Rating : 3
          Category : Data Miner
          Comment : Hits:6
          Value : Cookie:david@live365.com/
          Expires : 10-23-2010 6:03:46 PM
          LastSync : Hits:6
          UseCount : 0
          Hits : 6

          Tracking cookie scan result:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 1
          Objects found so far: 23



          Deep scanning and examining files (C:)
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Disk Scan Result for C:\
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 23


          Deep scanning and examining files (D:)
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Disk Scan Result for D:\
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 23


          Deep scanning and examining files (E:)
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Disk Scan Result for E:\
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 23

          Hosts file scan result:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          0 entries scanned.
          New critical objects:0
          Objects found so far: 23




          Performing conditional scans...
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

          Conditional scan result:
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          New critical objects: 0
          Objects found so far: 23

          8:29:46 PM Scan Complete

          Summary Of This Scan
          »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          Total scanning time:00:29:08.324
          Objects scanned:143082
          Objects identified:1
          Objects ignored:0
          New critical objects:1

          and finally the HJT LOG:

          Logfile of HijackThis v1.99.1
          Scan saved at 10:07:52 PM, on 10/20/2005
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\WINDOWS\System32\HPHipm09.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          C:\Program Files\Microsoft Hardware\Mouse\point32.exe
          E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
          C:\Program Files\hijackthis\HijackThis.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
          O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
          O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
          O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
          O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
          O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
          O4 - HKLM\..\Run: [POINTER] point32.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
          O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
          O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
          O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
          O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
          O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
          O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
          O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe


          Here is the list of what's going on with my computer:

          1. Restarting the computer takes an age, I've cut down on the number of programs to boot up and on my desktop icons but it doesn't seem to help.

          2. Many of the programs I run end up "not responding" and I have to force them closed and restart them again for them to work properly. The programs include: IE, Outlook, Word and a Photoshop program I use for work. I may have fixed the Outlook and Word situation by upgrading to Office 2003 and d/ling the updates necessary from Microsoft. I'm still waiting to see what happens.

          3. I'm getting popups when I go onto the internet...I've deleted the popup blocker I had since it was shutting down IE previously...can I find one that will stop them without disrupting my internet usage?

          4. Sometimes when I open up a window (control panel for instance) and then close it again part of the window remains as a "background" and doesn't actually resort back to my desktop background. It's happened several times and if I wait a bit it goes away but I'm still thinking of it as an issue?!

          5. Finally...I still don't have my XP display settings. I'm running on what would look to be '98 or 2000 Windows or "classic Windows settings". There isn't even an option in the Display section that allows me to select my old settings or XP colours (either blue and green or the silver). It's not really a big deal...but as long as it's like this I'm assuming something is just not right.

          Let me know what my next step is...most of these issues are probably memory issues but if they're not then maybe you can help me fix them!

          Thanks again!
          Bethan
        • lemonlime Canada Member
          edited October 2005
          Hi Bethan,

          Good news, things are looking MUCH better, and we are almost finished with the spyware/malware on your computer. Let's keep going here:

          1) I attached a ZIP file that contains a .BAT batch file within. Please run this file. I want to see if deleting those files from a DOS-based command will do the trick. It will just flash up on the screen quickly, and should disappear.

          2) Use the below instructions from Crunchie to search for 'tubby' in the registry.
          Crunchie wrote:
          Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool. Type tubby in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them here.


          In regards to the symptoms you listed, there is a good possibility that those things are no longer a result of spyware (although they may have been initially caused by spyware). I want to go through a few system diagnostics with you to rule out any hardware or low-level system problems.

          1) Run a CheckDisk command: Click Start, Run, type in cmd and hit enter. You'll see the command prompt open up. Type in chkdsk C: /R

          This will do a full check of your computer's file system. If there are any problems with it, it can cause many of the 'slowness' symptoms you have described. Many NTFS file system errors can be automatically repaired by chkdsk. Once you type that command, it will display the following message:

          The type of the file system is NTFS.
          Cannot lock current drive.

          Chkdsk cannot run because the volume is in use by another
          process. Would you like to schedule this volume to be
          checked the next time the system restarts? (Y/N)


          Type 'Y' and reboot your computer. You'll see a disk check begin on your next boot up. Once finished, it will automatically boot into Windows. Once there, open the Control Panel, double click on "Administrative Tools", double click on the "Event Viewer" icon, then click on "Application". In the "Source" column, look for the "Winlogon" item. Double click it and you should see the results of your Chkdsk. Post those results here.

          Also, in regards to your 'old style' looking Windows, go to your control panel, double click on "Administrative Tools", double click on "Services". Look for the "Themes" service, and double click on it. Ensure that the "Startup Type" is set to "Automatic". Press the "Start" button in that window to start the service if it was not started. Once that is done, you can close the services window, as well as the "administrative tools" window, and return to the "Display Settings" area in the control panel. You should now be able to select the default blue/silver XP theme.

          Also, I noticed that you do not have 'Service Pack 2' for Windows XP installed. This could very well correct many of your problems, as well as help to keep your PC more secure in the future. I'd strongly recommend an upgrade to SP2. You can find more information here: http://www.microsoft.com/windowsxp/sp2/default.mspx

          So let's see what all of that does, and please post another active scan log, and HJT log when finished.

          Best Regards,
          Mike
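An added example, not part of the thread and not Mike's own tooling: a small Python parser for the Winlogon chkdsk event text described above, summarising whether the file system was repaired, whether bad sectors turned up and how much space is free. The two sample events are constructed here in the same layout chkdsk uses (NTFS and FAT32 wording differ slightly, which the parser handles).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample events, laid out the way chkdsk writes them into the
# Winlogon entry of the Application event log (same format as this thread's logs).
SAMPLE_C = """Checking file system on C:
The type of the file system is NTFS.
Volume label is BTS.
Cleaning up minor inconsistencies on the drive.
Cleaning up 412 unused index entries from index $SII of file 0x9.
Cleaning up 412 unused security descriptors.
Windows has made corrections to the file system.

6329578 KB total disk space.
4919693 KB in 28742 files.
0 KB in bad sectors.
1301274 KB available on disk.
"""
SAMPLE_D = """Checking file system on D:
The type of the file system is FAT32.
Volume Serial Number is 9C53-1F14
Windows has checked the file system and found no problems.
20472816 KB total disk space.
11967504 KB are available.
"""

@dataclass
class ChkdskSummary:
    drive: Optional[str] = None
    filesystem: Optional[str] = None
    corrections_made: bool = False   # "Windows has made corrections to the file system."
    clean: bool = False              # "... found no problems."
    cleanup_lines: List[str] = field(default_factory=list)
    total_kb: Optional[int] = None
    available_kb: Optional[int] = None
    bad_sector_kb: Optional[int] = None

KB_LINE = re.compile(r"^(\d+) KB (.+?)\.?$")   # "<n> KB <description>."

def parse_chkdsk(text: str) -> ChkdskSummary:
    """Parse one Winlogon chkdsk event (NTFS or FAT32 wording) into a summary."""
    s = ChkdskSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"Checking file system on ([A-Za-z]):", line):
            s.drive = m.group(1).upper()
        elif m := re.match(r"The type of the file system is (\w+)\.", line):
            s.filesystem = m.group(1)
        elif line.startswith("Cleaning up"):
            s.cleanup_lines.append(line)
        elif line.startswith("Windows has made corrections"):
            s.corrections_made = True
        elif line.endswith("found no problems."):
            s.clean = True
        elif m := KB_LINE.match(line):
            kb, what = int(m.group(1)), m.group(2)
            if what == "total disk space":
                s.total_kb = kb
            elif what in ("available on disk", "are available"):  # NTFS vs FAT32 wording
                s.available_kb = kb
            elif what == "in bad sectors":
                s.bad_sector_kb = kb
    return s

def assess(s: ChkdskSummary) -> List[str]:
    """Findings worth reporting back in a help thread: repairs, bad sectors, low free space."""
    notes = []
    if s.corrections_made:
        notes.append(f"{s.drive}: file system was repaired ({len(s.cleanup_lines)} cleanup "
                     "actions); run chkdsk again to confirm it now comes back clean")
    if s.bad_sector_kb:
        notes.append(f"{s.drive}: {s.bad_sector_kb} KB in bad sectors, suspect the disk itself")
    if s.total_kb and s.available_kb is not None:
        pct = 100.0 * s.available_kb / s.total_kb
        if pct < 10:
            notes.append(f"{s.drive}: only {pct:.1f}% free, which alone can make XP crawl")
    if s.clean and not notes:
        notes.append(f"{s.drive}: no problems found")
    return notes
```

Paste the Winlogon event text into `parse_chkdsk` and `assess` to get the short list of findings to report; a non-zero bad-sector figure is the one result that points at the hardware rather than the file system.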
        • Hi Mike...


          Ok first off...I ran the .bat file as instructed...I searched the registry; no "tubby" was found, so I have no scan log to show you.

          I ran chkdsk like you said...took an age to reboot but it's done.

          There are two entries for "WINLOGON" and here they are:

          Checking file system on C:
          The type of the file system is NTFS.
          Volume label is BTS.

          A disk check has been scheduled.
          Windows will now check the disk.
          Cleaning up minor inconsistencies on the drive.
          Cleaning up 412 unused index entries from index $SII of file 0x9.
          Cleaning up 412 unused index entries from index $SDH of file 0x9.
          Cleaning up 412 unused security descriptors.
          CHKDSK is verifying file data (stage 4 of 5)...
          File data verification completed.
          CHKDSK is verifying free space (stage 5 of 5)...
          Free space verification is complete.
          CHKDSK discovered free space marked as allocated in the
          master file table (MFT) bitmap.
          Windows has made corrections to the file system.

          6329578 KB total disk space.
          4919693 KB in 28742 files.
          11320 KB in 2915 indexes.
          0 KB in bad sectors.
          97291 KB in use by the system.
          33696 KB occupied by the log file.
          1301274 KB available on disk.

          512 bytes in each allocation unit.
          12659156 total allocation units on disk.
          2602548 allocation units available on disk.

          Internal Info:

          Windows has finished checking your disk.
          Please wait while your computer restarts.


          For more information, see Help and Support Center at

          and the 2nd entry as follows:

          Checking file system on D:
          The type of the file system is FAT32.


          One of your disks needs to be checked for consistency. You
          may cancel the disk check, but it is strongly recommended
          that you continue.
          Windows will now check the disk.
          Volume Serial Number is 9C53-1F14
          Windows has checked the file system and found no problems.
          20472816 KB total disk space.
          6912 KB in 158 hidden files.
          11344 KB in 693 folders.
          8487040 KB in 10107 files.
          11967504 KB are available.

          16384 bytes in each allocation unit.
          1279551 total allocation units on disk.
          747969 allocation units available on disk.


          For more information, see Help and Support Center at


          I tried your technique to get my display settings back but it didn't work...I guess there's more to it!

          With regards to the SP2...each time I've tried to d/l and install it, it's come up with an error...this time it's:

          "The product key used to install Microsoft Windows may not be valid......for more info....and how to fix this issue go to www.howtotell.com"

          Don't know what that means so I'm hoping you can tell me!

          Here's the Activescan Log:



          Incident Status Location

          Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.inf
          Adware:adware/tubby No disinfected Windows Registry
          Adware:Adware/FastFind No disinfected C:\System Volume Information\_restore{8A07CF13-C043-4124-A2BB-4967A29D24B5}\RP281\A0056774.exe
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
          Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
          Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
          It shows 6 being found but none disinfected...

          Here's the log for HJT:


          Logfile of HijackThis v1.99.1
          Scan saved at 11:04:05 PM, on 10/21/2005
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\WINDOWS\System32\HPHipm09.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          C:\Program Files\Microsoft Hardware\Mouse\point32.exe
          E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
          C:\Program Files\MSN Messenger\msnmsgr.exe
          C:\Program Files\hijackthis\HijackThis.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
          O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
          O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll
          O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
          O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
          O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
          O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
          O4 - HKLM\..\Run: [POINTER] point32.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
          O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
          O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
          O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
          O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109833549822
          O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
          O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
          O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

          Let's see how this round goes....Hope to hear from you soon
          Thanks again!
          Bethan
        • lemonlime Canada Member
          edited October 2005
          Hi Bethan,

          Chkdsk corrected some issues on your C partition from the looks of the log. Do you notice any performance improvements now? Some of those file system errors could have caused some odd behavior of your system.

          Do you have more than one hard drive or disk partition? From the looks of your logs, you may also have a 'D drive' and an 'E drive'. If they do exist, run the following commands from the command prompt:

          Click Start, then Run, type cmd and hit 'enter'

          Type the following:

          chkdsk d: /R

          Let it run, once finished type the next command (assuming you have an E partition)

          chkdsk e: /R

          Also, please ensure that your active scan as well as your AVG antivirus and other scans are scanning all of your partitions, not just the C drive.

          Once finished, please disable and re-enable system restore again (appears something else is stuck in your restore point).

          I have a feeling that there is something else still hiding that has not yet shown its face. Let's give Ewido trojan scan a try. (below instructions are from DrGeo2008)

          Please download, install, and update the free version of Ewido trojan scan

          1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
          2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
          3. From the main ewido screen, click on update in the left menu, then click the Start update button.
          4. After the update finishes (the status bar at the bottom will display "Update successful")

          Once the update is finished, follow the below instructions:

          1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
          2. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
          3. When the scan finishes, click on "Save Report". This will create a text file. Please post the results in this thread.
        • Hey Mike...

          Here are the results from the check disk:

          Checking file system on D:
          The type of the file system is FAT32.

          A disk check has been scheduled.
          Windows will now check the disk.
          Volume Serial Number is 9C53-1F14
          Windows is verifying free space...
          Free space verification is complete.
          Windows has checked the file system and found no problems.
          20472816 KB total disk space.
          6912 KB in 158 hidden files.
          11392 KB in 696 folders.
          8487280 KB in 10116 files.
          11967216 KB are available.

          16384 bytes in each allocation unit.
          1279551 total allocation units on disk.
          747951 allocation units available on disk.


          and the one on E

          Checking file system on E:
          The type of the file system is FAT32.

          A disk check has been scheduled.
          Windows will now check the disk.
          Volume Serial Number is 500B-AE02
          Windows is verifying free space...
          Free space verification is complete.
          Windows has checked the file system and found no problems.
          18594128 KB total disk space.
          18400 KB in 255 hidden files.
          33008 KB in 2014 folders.
          11361872 KB in 35019 files.
          7180832 KB are available.

          16384 bytes in each allocation unit.
          1162133 total allocation units on disk.
          448802 allocation units available on disk.

          and the results from EWIDO (which I had on my computer previously running nightly)

          ewido security suite - Scan report

          + Created on: 8:00:31 PM, 10/24/2005
          + Report-Checksum: 3393B121

          + Scan result:

          No infected objects found.


          ::Report End

          Thanks!
          Bethan
        • Hey Mike...

          Haven't heard from you in a couple of days...I guess that means that things are going ok now for me....still a lot of what they like to call "application hangs" but I'm sure that's normal?!

          Hope to hear from you soon...
          Bethan
        • lemonlime Canada Member
          edited October 2005
          Hi Bethan,

          From what I've been able to see, your system does look free of any significant SVT infections. There are a few remnants that active scan is finding, but nothing is actually running any longer. I have a feeling that the rest of the problems are likely non-SVT related. Has there been any improvement since we started? Also, could you please provide an updated list of symptoms, and perhaps I could point you in the right direction.

          Thanks,
          Mike
        • edited November 2005
          Hi Mike...

          As for issues with my computer it's just slow and is still hanging on some applications.

          I have another issue with my father's computer though that I was wondering if you'd help out with!

          When you boot up it hangs immediately. You can run only task manager and even then if you go to close it...it doesn't go away (the window that is). I've attempted to reboot it myself into safe mode however the F8 method doesn't work! The computer won't run any programs or go onto the internet. I can't even get the start menu open! Even if you right click no option screens pop up. I don't have a HJT log since I can't run anything!

          Hope you can help!

          Thanks!
          Bethan
        • edited November 2005
          Hi Mike

          I've managed to get it into safe mode...but now it's frozen in safe mode!

          Not sure where to go from here...

          Hope to hear from you soon

          B
        • edited November 2005
          Hi there, I'm very sorry to interrupt your correspondence, but I have been having the same problem. I have a program, AVG Free Edition; it says I have a "Worm/VB.CC", classified as a critical-risk virus. I think it's probably the same thing that you have. AVG has quarantined it many times, but on every search I run AVG has it coming back up un-quarantined again. I don't have HijackThis, nor am I familiar with the program. Is there anything that I could use that doesn't involve installing HijackThis and getting acquainted with the program?

          I would greatly appreciate your help on this.

          Thanks,

          Campisi
        • Trogan London, UK
          edited November 2005
          Hi CAMPISI,

          1) Always start your own thread. It saves time and effort if you do.

          2) Write down the location of the virus.

          3) HijackThis (HJT) is not a complicated tool but a useful one. It lets us see where all the crap is at.

          If you need further help then explain it in your own thread. Thanks :thumbsup: