
Klone Virus and WinAntiVirusPro 2006 pop-up

AVG keeps detecting Klone Virus in the C:\system Volume Information\_restore path, as well as other trojans in the C:\WINDOWS\system32 folder. I also had toolbar 888 which I believe I removed. I have run AVG, Windows Defender and Spybot S&D and fixed the problems which these found. However the problem has not stopped. Below is my Hijack This log. Cheerz, Rob

Logfile of HijackThis v1.99.1
Scan saved at 22:55:41, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Flea46\Desktop\hjt.moon.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\optejhqt.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3B12F55-C348-4481-BC18-70F267D6F86F} - C:\WINDOWS\AppPatch\mcdvdd.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mcdvdd - C:\WINDOWS\AppPatch\mcdvdd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Comments

  • rpggamergirl South Australia
    edited October 2006
    Hi,

    First I would suggest uninstalling the MyWaySearch Assistant that comes with Dell.

    The Klone virus that you mentioned is in the System Restore folder so it's not a threat right now, it's harmless while there. You can flush your restore points later on when your system is clean.


    If vundofix doesn't find the vundo file then we'll use Avenger.

    1. Please download VundoFix.exe to your desktop
      • Double-click VundoFix.exe to run it.
      • Click the Scan for Vundo button.
      • Once it's done scanning, click the Remove Vundo button.
      • You will receive a prompt asking if you want to remove the files, click YES
      • Once you click yes, your desktop will go blank as it starts removing Vundo.
      • When completed, it will prompt that it will reboot your computer, click OK.
      • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    2. Download and run ATF Cleaner by Atribune.
    http://www.atribune.org/ccount/click.php?id=1

    Reboot your computer into Safe Mode.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.


    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.


    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.


    3. First download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Please post new hijackthis log.
  • edited October 2006
    Hi, thanks for your rapid response. Below is the VundoFix text file and latest Hijackthis log.


    VundoFix V6.2.4

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 14:12:15 17/10/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\exkaftce.exe
    C:\WINDOWS\AppPatch\mcdvdd.dll
    C:\WINDOWS\AppPatch\ddvdcm.ini
    C:\WINDOWS\AppPatch\ddvdcm.bak2
    C:\WINDOWS\AppPatch\ddvdcm.ini2
    C:\WINDOWS\AppPatch\ddvdcm.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\exkaftce.exe
    C:\WINDOWS\system32\exkaftce.exe Has been deleted!

    Attempting to delete C:\WINDOWS\AppPatch\mcdvdd.dll
    C:\WINDOWS\AppPatch\mcdvdd.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\AppPatch\ddvdcm.ini
    C:\WINDOWS\AppPatch\ddvdcm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\AppPatch\ddvdcm.bak2
    C:\WINDOWS\AppPatch\ddvdcm.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\AppPatch\ddvdcm.ini2
    C:\WINDOWS\AppPatch\ddvdcm.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\AppPatch\ddvdcm.tmp
    C:\WINDOWS\AppPatch\ddvdcm.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\AppPatch\mcdvdd.dll
    C:\WINDOWS\AppPatch\mcdvdd.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.2.4

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 14:23:00 17/10/2006

    Listing files found while scanning....

    No infected files were found.

    Hijackthis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 14:33:26, on 17/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Flea46\Desktop\hjt.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F5DA6F1-0DFC-4069-AF0A-74D6CC746719} - C:\WINDOWS\AppPatch\mcdvdd.dll (file missing)
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\optejhqt.dll (file missing)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • rpggamergirl South Australia
    edited October 2006
    That's great!

    1. Run a scan with Hijackthis and put a check next to these entries, with all browsers and other windows closed click "Fix Checked":
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {0F5DA6F1-0DFC-4069-AF0A-74D6CC746719} - C:\WINDOWS\AppPatch\mcdvdd.dll (file missing)
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\optejhqt.dll (file missing)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)




    2. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.



    3. Flush system restore points.
    To turn off Windows XP System Restore:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.


    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Immediately create a new restore point.


    4. After you've done those let's run combofix.
    Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
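
The "Fix Checked" step above can be cross-checked by parsing two HijackThis logs, listing the entries whose target file is gone, and diffing the logs. This is an added example, not part of the original post and not HijackThis's own code; the function names are hypothetical and the two sample logs are short excerpts constructed from the logs posted in this thread.

```python
import re

# Constructed samples: a few entries excerpted from the logs in this thread.
BEFORE = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F5DA6F1-0DFC-4069-AF0A-74D6CC746719} - C:\WINDOWS\AppPatch\mcdvdd.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\optejhqt.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
"""

AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# An entry line starts with a section code such as R3, O2 or O23, then " - ".
# Header and "Running processes" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Suffixes HijackThis prints when the registered target is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return one dict per registry/startup entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue
        code, rest = match.groups()
        clsid = CLSID_RE.search(rest)
        entries.append({
            "code": code,
            "text": line.strip(),
            # CLSIDs appear in mixed case in the logs; normalise for comparison.
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphaned": rest.rstrip().endswith(ORPHAN_MARKERS),
        })
    return entries


def orphaned(log_text):
    """Entries that still point at a file that no longer exists."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, compared by full line."""
    old = {e["text"]: e for e in parse_entries(before)}
    new = {e["text"]: e for e in parse_entries(after)}
    removed = [old[t] for t in old if t not in new]
    added = [new[t] for t in new if t not in old]
    return removed, added


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed by the fix:")
    for e in removed:
        print("  ", e["text"])
    print("New since the fix:")
    for e in added:
        print("  ", e["text"])
    print("Orphaned entries still present:")
    for e in orphaned(AFTER):
        print("  ", e["text"])
```

On these excerpts the diff shows the six checked entries gone, one new Run entry from the AVG Anti-Spyware install, and the O18 msnim entry still marked "(file missing)".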
  • edited October 2006
    Have run AVG Anti-spyware, took about 2 hours to complete. Below is the report it produced and the latest Hijackthis log with the mentioned files fixed/deleted. Next I will flush my system restore points and run combofix which you recommended =)

    AVG Anti-Spyware - Scan Report

    + Created at: 17:07:08 17/10/2006

    + Scan result:



    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP310\A0059218.dll -> Adware.Searchcolours : Cleaned with backup (quarantined).
    C:\Documents and Settings\Flea46\Desktop\Map\SHARP EDGE.mmo -> Adware.Systemdoctor : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP279\A0056241.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP279\A0056258.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0067312.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


    ::Report end


    Logfile of HijackThis v1.99.1
    Scan saved at 17:23:07, on 17/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Flea46\Desktop\hjt.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • edited October 2006
    Hi, I have flushed my previous system restore points and have created a new system restore point. I have just run ComboFix and below is the log it produced:


    Flea46 - 06-10-17 17:40:49.29 Service Pack 2
    ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Flea46\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))


    2006-10-17 14:50 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-10-05 00:03 121,856 C:\WINDOWS\system32\xmllite.dll
    2006-10-02 10:46 43,520 --a C:\WINDOWS\system32\CmdLineExt03.dll
    2006-09-20 08:33 476,320 C:\WINDOWS\system32\ImagXpr7.dll
    2006-09-20 08:33 471,040 C:\WINDOWS\system32\ImagXRA7.dll
    2006-09-20 08:33 262,144 C:\WINDOWS\system32\ImagXR7.dll
    2006-09-20 08:33 155,648 --a C:\WINDOWS\system32\NeroCheck.exe
    2006-09-20 08:33 106,496 --a C:\WINDOWS\system32\TwnLib20.dll
    2006-09-20 08:33 1,568,768 C:\WINDOWS\system32\ImagX7.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-17 17:31 d C:\Program Files\Mozilla Firefox
    2006-10-17 17:29 d C:\Program Files\Steam
    2006-10-17 14:50 d C:\Program Files\Grisoft
    2006-10-16 22:30 d C:\Program Files\Diablo II
    2006-10-15 08:17 d C:\Program Files\Common Files\Autodesk Shared
    2006-10-15 08:17 d C:\Program Files\Autodesk
    2006-10-15 08:08 d C:\Program Files\Common Files
    2006-10-15 07:56 d C:\Documents and Settings\Flea46\Application Data\uTorrent
    2006-10-08 07:37 d--h C:\Program Files\InstallShield Installation Information
    2006-10-08 07:37 d C:\Program Files\Electronic Arts
    2006-10-05 00:08 d--h C:\Program Files\Uninstall Information
    2006-10-05 00:08 d C:\Program Files\Internet Explorer
    2006-10-04 23:24 d C:\Program Files\Opera
    2006-10-04 22:35 d C:\Documents and Settings\Flea46\Application Data\Opera
    2006-10-03 07:13 d C:\Documents and Settings\Flea46\Application Data\Xfire
    2006-10-02 10:44 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-10-02 10:44 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-10-02 10:44 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-10-02 10:29 d C:\Documents and Settings\Flea46\Application Data\My Battle for Middle-earth(tm) II Files
    2006-09-29 23:44 d C:\Program Files\LucasArts
    2006-09-29 17:19 d C:\Program Files\Windows Media Player
    2006-09-29 17:16 d C:\Program Files\Windows Media Connect 2
    2006-09-27 13:10 778656 --a C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-22 21:46 d C:\Program Files\Windows Defender
    2006-09-22 13:07 d---s---- C:\Program Files\Xfire
    2006-09-20 08:33 d C:\Program Files\Common Files\Ahead
    2006-09-20 08:33 d C:\Program Files\Ahead
    2006-09-17 20:13 d C:\Program Files\AC3Filter
    2006-09-13 06:01 1084416 --a C:\WINDOWS\system32\msxml3.dll
    2006-09-08 20:54 d C:\Documents and Settings\Flea46\Application Data\teamspeak2
    2006-09-05 15:36 d C:\Program Files\Bethesda Softworks
    2006-09-04 14:52 d C:\Program Files\WinAVIVideoConverter
    2006-09-04 13:43 3082 --a C:\WINDOWS\system32\affv9869p2now.sys
    2006-09-04 12:52 d C:\Documents and Settings\Flea46\Application Data\Ahead
    2006-09-04 09:28 d C:\Program Files\Winamp
    2006-09-04 08:29 d C:\Program Files\Google
    2006-09-01 11:56 d C:\Program Files\Memory-Map
    2006-09-01 11:56 d C:\Program Files\Common Files\Wise Installation Wizard
    2006-08-28 14:01 d C:\Program Files\EA GAMES
    2006-08-27 19:56 d C:\Program Files\MSN Messenger
    2006-08-25 16:45 617472 --a C:\WINDOWS\system32\comctl32.dll
    2006-08-24 22:42 8704 --a C:\WINDOWS\system32\wdfmgr.exe
    2006-08-24 22:42 8704 --a C:\WINDOWS\system32\uwdf.exe
    2006-08-24 22:30 99840 --a C:\WINDOWS\system32\wmpshell.dll
    2006-08-24 22:30 990208 --a C:\WINDOWS\system32\drmv2clt.dll
    2006-08-24 22:30 937984 --a C:\WINDOWS\system32\WMNetMgr.dll
    2006-08-24 22:30 8337920 --a C:\WINDOWS\system32\wmploc.dll
    2006-08-24 22:30 790016 C:\WINDOWS\system32\WMVSENCD.dll
    2006-08-24 22:30 757248 --a C:\WINDOWS\system32\WMADMOD.dll
    2006-08-24 22:30 7168 --a C:\WINDOWS\system32\asferror.dll
    2006-08-24 22:30 656896 --a C:\WINDOWS\system32\WMVXENCD.dll
    2006-08-24 22:30 63488 --a C:\WINDOWS\system32\wpdmtpus.dll
    2006-08-24 22:30 629760 --a C:\WINDOWS\system32\wpd_ci.dll
    2006-08-24 22:30 611840 C:\WINDOWS\system32\wmpmde.dll
    2006-08-24 22:30 603648 --a C:\WINDOWS\system32\WMSPDMOD.dll
    2006-08-24 22:30 537600 --a C:\WINDOWS\system32\blackbox.dll
    2006-08-24 22:30 532992 --a C:\WINDOWS\system32\wmdrmsdk.dll
    2006-08-24 22:30 428032 --a C:\WINDOWS\system32\wmdrmdev.dll
    2006-08-24 22:30 414208 --a C:\WINDOWS\system32\msscp.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\wmvdmoe2.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\wmvdmod.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\WMVADVE.DLL
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\WMVADVD.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\wmsdmoe2.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\wmsdmod.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\wdfapi.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\MPG4DMOD.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\MP4SDMOD.dll
    2006-08-24 22:30 4096 --a C:\WINDOWS\system32\MP43DMOD.dll
    2006-08-24 22:30 37376 --a C:\WINDOWS\system32\wmdmps.dll
    2006-08-24 22:30 35840 --a C:\WINDOWS\system32\wpdconns.dll
    2006-08-24 22:30 349184 --a C:\WINDOWS\system32\wpdsp.dll
    2006-08-24 22:30 347648 --a C:\WINDOWS\system32\wmdrmnet.dll
    2006-08-24 22:30 33792 --a C:\WINDOWS\system32\wmdmlog.dll
    2006-08-24 22:30 320512 --a C:\WINDOWS\system32\mswmdm.dll
    2006-08-24 22:30 316928 C:\WINDOWS\system32\MP4SDECD.dll
    2006-08-24 22:30 314368 --a C:\WINDOWS\system32\wmpdxm.dll
    2006-08-24 22:30 305152 C:\WINDOWS\system32\MSDelta.dll
    2006-08-24 22:30 295424 C:\WINDOWS\system32\wmpeffects.dll
    2006-08-24 22:30 284160 --a C:\WINDOWS\system32\PortableDeviceApi.dll
    2006-08-24 22:30 276480 --a C:\WINDOWS\system32\audiodev.dll
    2006-08-24 22:30 27648 --a C:\WINDOWS\system32\mspmsnsv.dll
    2006-08-24 22:30 259072 C:\WINDOWS\system32\MPG4DECD.dll
    2006-08-24 22:30 2589184 C:\WINDOWS\system32\WpdShext.dll
    2006-08-24 22:30 258560 C:\WINDOWS\system32\MP43DECD.dll
    2006-08-24 22:30 2450944 --a C:\WINDOWS\system32\wmvcore.dll
    2006-08-24 22:30 242176 --a C:\WINDOWS\system32\wmpasf.dll
    2006-08-24 22:30 228352 --a C:\WINDOWS\system32\cewmdm.dll
    2006-08-24 22:30 227328 --a C:\WINDOWS\system32\wmerror.dll
    2006-08-24 22:30 222208 --a C:\WINDOWS\system32\WMASF.dll
    2006-08-24 22:30 211968 --a C:\WINDOWS\system32\MFPLAT.dll
    2006-08-24 22:30 210432 --a C:\WINDOWS\system32\qasf.dll
    2006-08-24 22:30 204800 --a C:\WINDOWS\system32\wmpsrcwp.dll
    2006-08-24 22:30 198144 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
    2006-08-24 22:30 179712 --a C:\WINDOWS\system32\msnetobj.dll
    2006-08-24 22:30 175104 --a C:\WINDOWS\system32\mspmsp.dll
    2006-08-24 22:30 166912 --a C:\WINDOWS\system32\PortableDeviceTypes.dll
    2006-08-24 22:30 1660416 --a C:\WINDOWS\system32\wmpencen.dll
    2006-08-24 22:30 157184 --a C:\WINDOWS\system32\wmidx.dll
    2006-08-24 22:30 154624 --a C:\WINDOWS\system32\wpdmtp.dll
    2006-08-24 22:30 1539584 --a C:\WINDOWS\system32\WMVDECOD.dll
    2006-08-24 22:30 1532416 --a C:\WINDOWS\system32\WMVENCOD.dll
    2006-08-24 22:30 1392128 C:\WINDOWS\system32\WMVSDECD.dll
    2006-08-24 22:30 133120 --a C:\WINDOWS\system32\WPDShServiceObj.dll
    2006-08-24 22:30 1327616 --a C:\WINDOWS\system32\WMSPDMOE.dll
    2006-08-24 22:30 132096 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
    2006-08-24 22:30 130048 C:\WINDOWS\system32\wmpps.dll
    2006-08-24 22:30 11264 --a C:\WINDOWS\system32\LAPRXY.dll
    2006-08-24 22:30 1118208 --a C:\WINDOWS\system32\WMADMOE.dll
    2006-08-24 22:30 101888 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
    2006-08-24 20:31 100864 --a C:\WINDOWS\system32\logagent.exe
    2006-08-24 20:27 249344 --a C:\WINDOWS\system32\drmupgds.exe
    2006-08-24 20:26 95288 C:\WINDOWS\system32\WUDFCoinstaller.dll
    2006-08-24 20:26 38656 --a C:\WINDOWS\system32\drivers\wpdusb.sys
    2006-08-24 20:26 17408 C:\WINDOWS\system32\wpdshextautoplay.exe
    2006-08-24 19:22 90112 C:\WINDOWS\system32\drivers\WudfRd.sys
    2006-08-24 19:19 316416 C:\WINDOWS\system32\WUDFx.dll
    2006-08-24 19:19 145920 C:\WINDOWS\system32\WudfHost.exe
    2006-08-24 19:18 84864 C:\WINDOWS\system32\drivers\WudfPf.sys
    2006-08-24 19:18 56320 C:\WINDOWS\system32\WudfSvc.dll
    2006-08-24 19:18 168448 C:\WINDOWS\system32\WudfPlatform.dll
    2006-08-23 19:33 d C:\Documents and Settings\Flea46\Application Data\ATI
    2006-08-23 19:31 d C:\Program Files\ATI Technologies
    2006-08-23 16:46 d C:\Program Files\Microsoft Games
    2006-08-23 16:45 d---s---- C:\Documents and Settings\Flea46\Application Data\Microsoft
    2006-08-23 16:44 d C:\Program Files\GameSpy Arcade
    2006-08-23 16:29 d C:\Program Files\Sierra On-Line
    2006-08-23 00:31 5906432 C:\WINDOWS\system32\ieframe.dll
    2006-08-23 00:31 50688 C:\WINDOWS\system32\msfeedsbs.dll
    2006-08-23 00:31 457728 C:\WINDOWS\system32\msfeeds.dll
    2006-08-23 00:31 413696 --a C:\WINDOWS\system32\vbscript.dll
    2006-08-23 00:31 225792 --a C:\WINDOWS\system32\webcheck.dll
    2006-08-23 00:31 175616 C:\WINDOWS\system32\ieui.dll
    2006-08-23 00:31 152064 --a C:\WINDOWS\system32\msls31.dll
    2006-08-23 00:18 78336 --a C:\WINDOWS\system32\ieencode.dll
    2006-08-23 00:18 206336 C:\WINDOWS\system32\WinFXDocObj.exe
    2006-08-23 00:17 40448 --a C:\WINDOWS\system32\licmgr10.dll
    2006-08-23 00:17 105472 --a C:\WINDOWS\system32\url.dll
    2006-08-23 00:17 100352 --a C:\WINDOWS\system32\occache.dll
    2006-08-23 00:16 16896 --a C:\WINDOWS\system32\corpol.dll
    2006-08-23 00:14 378368 --a C:\WINDOWS\system32\iedkcs32.dll
    2006-08-23 00:14 229376 --a C:\WINDOWS\system32\ieaksie.dll
    2006-08-23 00:13 71680 --a C:\WINDOWS\system32\admparse.dll
    2006-08-23 00:13 55296 --a C:\WINDOWS\system32\iesetup.dll
    2006-08-23 00:13 54784 --a C:\WINDOWS\system32\ie4uinit.exe
    2006-08-23 00:13 43008 --a C:\WINDOWS\system32\iernonce.dll
    2006-08-23 00:13 152064 --a C:\WINDOWS\system32\ieakeng.dll
    2006-08-23 00:13 122880 --a C:\WINDOWS\system32\advpack.dll
    2006-08-23 00:13 11776 --a C:\WINDOWS\system32\ieudinit.exe
    2006-08-23 00:11 12288 C:\WINDOWS\system32\msfeedssync.exe
    2006-08-23 00:10 61440 C:\WINDOWS\system32\icardie.dll
    2006-08-23 00:10 35328 --a C:\WINDOWS\system32\imgutil.dll
    2006-08-23 00:09 262656 C:\WINDOWS\system32\iertutil.dll
    2006-08-23 00:07 45568 --a C:\WINDOWS\system32\mshta.exe
    2006-08-22 23:37 48128 --a C:\WINDOWS\system32\mshtmler.dll
    2006-08-22 23:36 380928 C:\WINDOWS\system32\ieapfltr.dll
    2006-08-22 23:30 161792 --a C:\WINDOWS\system32\ieakui.dll
    2006-08-21 13:21 16896 --a C:\WINDOWS\system32\fltlib.dll
    2006-08-21 10:14 23040 --a C:\WINDOWS\system32\fltmc.exe
    2006-08-21 10:14 128896 --a C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-19 18:01 d C:\Documents and Settings\Flea46\Application Data\AdobeUM
    2006-08-19 14:23 98304 --a C:\WINDOWS\system32\CmdLineExt.dll
    2006-08-19 14:15 d C:\Program Files\Sierra
    2006-08-16 12:58 100352 --a C:\WINDOWS\system32\6to4svc.dll
    2006-08-10 19:46 22752 --a C:\WINDOWS\system32\spupdsvc.exe
    2006-08-07 14:32 82432 --a C:\WINDOWS\system32\msxml4r.dll
    2006-08-07 14:32 81920 --a C:\WINDOWS\system32\W32N50.dll
    2006-08-07 14:32 44544 --a C:\WINDOWS\system32\msxml4a.dll
    2006-08-07 14:32 17134 --a C:\WINDOWS\system32\PCANDIS5.sys
    2006-08-07 14:32 1230336 --a C:\WINDOWS\system32\msxml4.dll
    2006-08-04 08:34 34308 --a C:\WINDOWS\system32\BASSMOD.dll
    2006-08-02 17:27 520192 C:\WINDOWS\system32\ati2sgag.exe
    2006-07-28 09:30 62744 --a C:\WINDOWS\system32\xinput1_2.dll
    2006-07-28 09:30 236824 --a C:\WINDOWS\system32\xactengine2_3.dll
    2006-07-27 14:24 679424 --a C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 20:58 73216 --a C:\WINDOWS\ST6UNST.EXE
    2006-07-22 20:58 286720 C:\WINDOWS\Setup1.exe
    2006-07-21 09:24 72704 --a C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
    "SigmatelSysTrayApp"="stsystra.exe"
    "ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
    "ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
    "PSDrvCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
    "Amazing3DAquariumWallpaper"=""
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
    63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
    6d,73,73,74,79,6c,65,73,00
    "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
    73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MSKDetct"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-17 17:42:01.48
    C:\ComboFix.txt ... 06-10-17 17:42
  • edited October 2006
    Hi, thanks for all your help, I think my computer is clean now =), btw are the files that have been quarantined by AVG Anti-Spyware still on my system, and should I delete them using the "remove finally" button?

    Cheers, Rob
  • rpggamergirl South Australia
    edited October 2006
    >>Hi, thanks for all your help, i think my computer is clean now =), btw are the files that have been quarantined by AVG Anti-Spyware still on my system and should I delete them using the "remove finally" button. <<

    Only the backup that AVG keeps in the quarantine folder, no longer a threat, you can delete them too. (I don't have AVG, so I don't know if you can choose files in the quarantine to delete.)

    Did you install these programs?
    Flea46
    DIGStream


    Some files in AVG quarantine refer to those programs, you could leave them if you installed those programs.
    Even if they are legit programs, AVG could still be flagging those files positively because of viruses that replace legit files with themselves.
    You can just leave them there for now, they are in quarantine anyway so they don't cause any harm.


    There is also a tool that you can run to check for legit files that are being replaced by the virus, so far I've only heard of Windows system files being replaced (besides the MSN virus that replaces MSN files).

    But if you're happy with your PC now, that sounds great! And we can leave it at that, wait and see :)