[resolved] check for problems
I seem to get pop-ups. I used Spybot and found ErrorSafe, 888 etc. and deleted them, but they always come back. Can you check it out for me? Thanks for the help!
Logfile of HijackThis v1.99.1
Scan saved at 3:34:15 PM, on 01/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe
C:\DOCUME~1\BOSCOC~1\APPLIC~1\WNSXS~1\services.exe
C:\WINDOWS\system32\?ystem32\t?skmgr.exe
C:\WINDOWS\TEMP\b122.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Documents and Settings\Bosco Chan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {AF10ED83-2A4A-73CA-42D3-00F2CF541096} - C:\WINDOWS\system32\pohaib.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38279~1\Bar888.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270002}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzad.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aetr] "C:\DOCUME~1\BOSCOC~1\APPLIC~1\WNSXS~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Irnxrd] C:\WINDOWS\system32\?ystem32\t?skmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
R3 - URLSearchHook: (no name) - {AF10ED83-2A4A-73CA-42D3-00F2CF541096} - C:\WINDOWS\system32\pohaib.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38279~1\Bar888.dll
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270002}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzad.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Aetr] "C:\DOCUME~1\BOSCOC~1\APPLIC~1\WNSXS~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Irnxrd] C:\WINDOWS\system32\?ystem32\t?skmgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
[STEP 2] Remove Malicious Files:
C:\WINDOWS\system32\pohaib.dll
C:\PROGRA~1\COMMON~1\{38279~1\Bar888.dll
C:\WINDOWS\system32\drvzad.dll
C:\DOCUME~1\BOSCOC~1\APPLIC~1\WNSXS~1\services.exe
C:\WINDOWS\system32\?ystem32\t?skmgr.exe
[STEP 3] Remove Malicious Folders:
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\
[STEP 4] Report Back to us:
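Added example, not code from this thread or from HijackThis itself: a small Python triage script that applies the kinds of checks behind the fix list above to a constructed excerpt of the log. The checks are a `?` inside a path (HijackThis renders a character outside the ANSI code page as `?`, which is how a folder disguised as `system32` or `Fonts` shows up), an executable launched from TEMP, a core system binary name (or a one-letter variation of it) living outside the Windows directories, and entries whose target file is missing. It assumes the system root is C:\WINDOWS, as on this machine; the indicator labels and the `SYSTEM_BINARIES` list are my own choices.

```python
"""Triage heuristics for HijackThis log lines (added example, not HijackThis code).

Each line is tagged with the indicators that apply to it; untagged lines are
left alone. The heuristics are deliberately simple and will miss some entries
(e.g. SSEMBL~1\spool32.exe later in the thread), so they are a starting point
for review, not a verdict.
"""
import re
from typing import List, Tuple

# Directories where the real Windows system binaries live on this machine
# (assumption: system root is C:\WINDOWS). Compared lower-cased.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Core Windows process names that malware likes to borrow or typo-squat.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe",
}

# A drive-letter path ending in .exe or .dll; 8.3 short names, '?' and
# spaces are all allowed inside the path. Lazy so it stops at the first .exe.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s][^"]*?\.(?:exe|dll))', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, basename), both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def indicators(line: str) -> List[str]:
    """Return the indicator labels that apply to one log line."""
    found: List[str] = []
    if "(file missing)" in line:
        found.append("orphaned entry: target file missing")
    for path in PATH_RE.findall(line):
        directory, name = split_path(path)
        if "?" in path:
            found.append("non-ANSI character rendered as '?' in path")
        if "\\temp\\" in path.lower():
            found.append("executable launched from TEMP")
        if name in SYSTEM_BINARIES:
            # The real binary is fine; a copy elsewhere is not.
            if directory not in SYSTEM_DIRS:
                found.append(f"system binary name '{name}' outside system directory")
        else:
            # One edit away from a system binary name (svchosts.exe, t?skmgr.exe).
            near = [s for s in sorted(SYSTEM_BINARIES) if edit_distance(name, s) == 1]
            if near:
                found.append(f"'{name}' is one edit away from '{near[0]}'")
    return found


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, indicators) for every line that triggers at least one."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        if line:
            tags = indicators(line)
            if tags:
                hits.append((line, tags))
    return hits


# Constructed excerpt: lines taken from the log posted above, mixed with
# legitimate entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\BOSCOC~1\APPLIC~1\WNSXS~1\services.exe
C:\WINDOWS\system32\?ystem32\t?skmgr.exe
C:\WINDOWS\TEMP\b122.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [Aetr] "C:\DOCUME~1\BOSCOC~1\APPLIC~1\WNSXS~1\services.exe" -vt yazb
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG):
        print(line)
        for tag in tags:
            print("    ->", tag)
```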
Logfile of HijackThis v1.99.1
Scan saved at 4:41:23 PM, on 01/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\bin\jusched.exe
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
F:\Program Files\adobe\Reader\reader_sl.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bosco Chan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270001}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
Logfile of HijackThis v1.99.1
Scan saved at 10:25:26 AM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\bin\jusched.exe
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe
C:\Documents and Settings\Bosco Chan\Application Data\F?nts\w?crtupd.exe
C:\WINDOWS\system32\SSEMBL~1\spool32.exe
F:\Program Files\adobe\Reader\reader_sl.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
F:\Stuff\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EAA10626-C3B0-943C-B949-E96C261A56C1} - C:\WINDOWS\system32\idd.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270001}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Jnzjdbl] C:\Documents and Settings\Bosco Chan\Application Data\F?nts\w?crtupd.exe
O4 - HKCU\..\Run: [Aetr] "C:\WINDOWS\system32\SSEMBL~1\spool32.exe" -vt tzt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
I need you to do the following...
1. Move HijackThis to its own folder, where your Operating System is installed. In this case, it is the C: Drive.
2. We need to scan a file:
- Go to VirusTotal
- Copy and paste the following file path into the Search Box at the top of the page:
C:\WINDOWS\system32\idd.dll
- Click on the Send button
- Save a copy of the results and post them in your next reply.
3. I don't see any indication of a Firewall in your HijackThis log. This may be because:
(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons.
(4.) You don't use any firewall at all.
In the case you don't have a Firewall, please download one from the list below - They are Free!
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
Likewise, I don't see an Anti-Virus installed. Please download one from the list below - They are Free!
AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition
Run a Complete scan with your Anti-Virus and let it remove whatever it finds. Make a note of anything that could not be removed.
4. I need to see another log from HijackThis.
- Run Hijackthis.
- Click on Open the Misc Tools section.
- Next click on Open uninstall manager.
- Press the Save list button.
- Save the file to your desktop, with the default name of uninstall_list
- Copy & Paste the entire contents of that file in your next post.
5. Locate HijackThis.exe and rename it to Scanner. If you need help with this part, let me know.
6. Please post the following...
1) VirusTotal scan results
2) Uninstall list
3) New HijackThis (Scanner) log
4) Any files that could not be deleted by your Anti-Virus
If you rename it Scanner, just type in Scanner and press Enter. Don't type in Scanner.exe
By the way, you are right, I only use Windows Firewall. I just installed ZoneAlarm and AVG Free Edition. Thanks!
1) VirusTotal scan result
Complete scanning result of "idd.dll", received in VirusTotal at 01.03.2007, 19:29:17 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.03.2007 ADSPY/PurityScan.AK.151
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 Win32:Agent-RY
AVG 386 01.03.2007 Adware Generic.SPH
BitDefender 7.2 01.03.2007 no virus found
CAT-QuickHeal 8.00 01.03.2007 no virus found
ClamAV devel-20060426 01.03.2007 no virus found
DrWeb 4.33 01.03.2007 no virus found
eSafe 7.0.14.0 01.02.2007 no virus found
eTrust-InoculateIT 23.73.103 01.03.2007 no virus found
eTrust-Vet 30.3.3299 01.03.2007 no virus found
Ewido 4.0 01.03.2007 Adware.PurityScan
Fortinet 2.82.0.0 01.03.2007 Adware/PurityScan
F-Prot 3.16f 01.02.2007 no virus found
F-Prot4 4.2.1.29 01.03.2007 no virus found
Ikarus T3.1.0.27 01.03.2007 not-a-virus:AdWare.Win32.PurityScan.ak
Kaspersky 4.0.2.24 01.03.2007 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 4931 01.03.2007 no virus found
Microsoft 1.1904 01.03.2007 no virus found
NOD32v2 1954 01.03.2007 a variant of Win32/Adware.PurityScan
Norman 5.80.02 12.31.2007 W32/PurityScan.dam
Panda 9.0.0.4 01.02.2007 no virus found
Prevx1 V2 01.03.2007 Trojan.URDVXC
Sophos 4.13.0 01.02.2007 ClickSpring
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.141 01.01.2007 no virus found
UNA 1.83 01.03.2007 no virus found
VBA32 3.11.1 01.03.2007 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.19:9 01.03.2007 no virus found
Aditional Information
File size: 57856 bytes
MD5: ff9e59602715fca43c8be4848a502c57
SHA1: 93bd15c9130c9839b8fee31afefecc11e48f3845
packers: PECompact
packers: PECOMPACT
packers: PecBundle, PECompact
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
2) Any files that could not be deleted by your Anti-Virus
All files were deleted; there were no files that could not be deleted by the anti-virus.
3) Uninstall list
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
Ahead Nero - Burning Rom
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free Edition
BitTornado 0.3.7
Combined Community Codec Pack 2005-06-19 (Remove Only)
ConvertXtoDVD 2.0.17
DivX Content Uploader
DivX Web Player
Enable S3 for USB Device
ffdshow
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Logitech SetPoint
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0.0.1)
MSXML 4.0 SP2 (KB927978)
NVIDIA nForce Drivers
OIN
Outerinfo
QuickTime
Readiris Pro 7.5
Realtek AC'97 Audio
RTLSetup
Samsung SCX-4100 Series
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
SmarThru 4
Sony USB Driver
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
System Requirements Lab
TI Connect 1.6
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VideoLAN VLC media player 0.8.5
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
XviD MPEG-4 Video Codec
ZoneAlarm
4) New HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 12:37:48 PM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\bin\jusched.exe
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe
C:\Documents and Settings\Bosco Chan\Application Data\F?nts\w?crtupd.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EAA10626-C3B0-943C-B949-E96C261A56C1} - C:\WINDOWS\system32\idd.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {0C0A0FF7-684F-4727-8D11-E2E097A340F2} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\daqegdor.dll
O2 - BHO: (no name) - {AF10ED83-2A4A-73CA-42D3-00F2CF541096} - C:\WINDOWS\system32\pohaib.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38279~1\Bar888.dll
O2 - BHO: (no name) - {D4C6923C-A11C-424E-93DF-342761AD3AF9} - C:\WINDOWS\system32\nnnmkhi.dll
O2 - BHO: (no name) - {EAA10626-C3B0-943C-B949-E96C261A56C1} - C:\WINDOWS\system32\idd.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38279~1\Bar888.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270001}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270002}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Jnzjdbl] C:\Documents and Settings\Bosco Chan\Application Data\F?nts\w?crtupd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: nnnmkhi - C:\WINDOWS\SYSTEM32\nnnmkhi.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
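The log above is the raw material the helper works from in the next reply, and most of the judgement is pattern recognition: entries whose file is already gone, unnamed BHOs dropped into system32, Winlogon Notify DLLs nobody recognises, a service image one letter away from svchost.exe, hosts-file redirects to an odd loopback address, and paths in which HijackThis prints "?" for a character it cannot display (F?nts), which is how a lookalike of a trusted folder such as Fonts shows up. The following Python script is an added example, not HijackThis or VundoFix code and not part of the thread; it applies those heuristics to lines copied from the log. The allowlists are assumed and deliberately short, and the Vundo companion-file rule (reversed DLL stem plus .ini/.bak1/.bak2/.ini2/.tmp) is taken from the VundoFix output and the helper's nnnmkhi.dll / ihkmnnn.* instruction later in the thread.

```python
"""Heuristic triage of HijackThis 1.99.1 log lines (added example, not HijackThis code)."""
import re

# Sample lines copied from the HijackThis log in this thread (a constructed subset, nothing new).
SAMPLE_LOG = r"""
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C0A0FF7-684F-4727-8D11-E2E097A340F2} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {D4C6923C-A11C-424E-93DF-342761AD3AF9} - C:\WINDOWS\system32\nnnmkhi.dll
O4 - HKCU\..\Run: [Jnzjdbl] C:\Documents and Settings\Bosco Chan\Application Data\F?nts\w?crtupd.exe
O20 - Winlogon Notify: nnnmkhi - C:\WINDOWS\SYSTEM32\nnnmkhi.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed, deliberately short allowlists; real triage uses a vetted database of known-good entries.
KNOWN_WINLOGON_NOTIFY = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wgalogon.dll"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}
TRUSTED_DIRS = {"system32", "fonts", "microsoft", "security", "adobe", "symbols", "winsxs"}
HOSTS_SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))\b", re.I)   # drive-letter path up to the first .dll/.exe
BARE_RE = re.compile(r"([^\s\\\"]+\.(?:dll|exe))\b", re.I)       # bare module name, as in some O20 lines


def extract_path(text):
    m = PATH_RE.search(text) or BARE_RE.search(text)
    return m.group(1) if m else None


def within_one_edit(a, b):
    """True when a != b and a single insertion, deletion or substitution turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def lookalike_dir(component):
    """HijackThis prints '?' for a character it cannot render; treat it as a one-character wildcard."""
    if "?" not in component:
        return None
    pattern = re.compile("^" + re.escape(component.lower()).replace(r"\?", ".") + "$")
    return next((d for d in TRUSTED_DIRS if pattern.match(d)), None)


def vundo_companions(dll_name):
    """Vundo keeps data files named after the reversed DLL stem (awtqo.dll -> oqtwa.ini, oqtwa.bak1, ...)."""
    reversed_stem = dll_name.lower().rsplit(".", 1)[0][::-1]
    return [f"{reversed_stem}.{ext}" for ext in ("ini", "ini2", "bak1", "bak2", "tmp")]


def triage_line(line):
    findings = []
    kind, sep, rest = line.partition(" - ")
    if not sep or not kind.startswith(("O", "R")):
        return findings
    path = extract_path(rest)
    name = path.rsplit("\\", 1)[-1].lower() if path else None
    if kind == "O1":
        parts = rest.split()                       # ["Hosts:", address, hostname]
        if len(parts) >= 3 and parts[1] not in HOSTS_SINKHOLES:
            findings.append(f"hosts file sends {parts[2]} to non-standard address {parts[1]}")
    if "(file missing)" in rest and kind in ("O2", "O20", "O23"):
        findings.append(f"orphaned {kind} entry: registry still loads {name} but the file is gone")
    if kind == "O2" and "(no name)" in rest and path and "\\system32\\" in path.lower():
        findings.append(f"unnamed BHO in system32: {name}; also look for {', '.join(vundo_companions(name))}")
    if kind == "O20" and name and name not in KNOWN_WINLOGON_NOTIFY:
        findings.append(f"Winlogon Notify DLL not on allowlist: {name}")
    if kind == "O23" and name and any(within_one_edit(name, s) for s in SYSTEM_BINARIES):
        findings.append(f"service image {name} is one character away from a Windows binary name")
    for component in (path or "").split("\\"):
        hit = lookalike_dir(component)
        if hit:
            findings.append(f"path component {component!r} masquerades as {hit!r}")
    return findings


def triage(log_text):
    """Map each log line that trips a heuristic to its list of findings."""
    report = {}
    for line in log_text.splitlines():
        findings = triage_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

Run as-is it prints seven flagged lines and leaves the Adobe BHO and the ZoneAlarm service alone; the "(file missing)" flag on WgaLogon.dll is a reminder that an orphan is a lead, not a verdict, which is exactly why the helper fixes entries rather than trusting a single signal.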
Please do the following...
1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
OIN
Outerinfo
2. Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt in your next posts
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
3. We need to scan another file:
- Go to VirusTotal
- Copy and paste the following file path into the Search Box at the top of the page:
C:\WINDOWS\system32\svchosts.exe
- Click on the Send button
- Save a copy of the results and post them in your next reply.
4. Please post the following...
1) VundoFix.txt
2) Scan results
3) New HijackThis log
1) VundoFix.txt
VundoFix V6.2.13
Checking Java version...
Sun Java not detected
Scan started at 12:58:49 PM 03/01/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\system32\oqtwa.tmp Has been deleted!
Performing Repairs to the registry.
Done!
2) VirusTotal scan results
Complete scanning result of "svchosts.exe", received in VirusTotal at 01.03.2007, 21:08:04 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.03.2007 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.03.2007 no virus found
BitDefender 7.2 01.03.2007 no virus found
CAT-QuickHeal 8.00 01.03.2007 no virus found
ClamAV devel-20060426 01.03.2007 no virus found
DrWeb 4.33 01.03.2007 no virus found
eSafe 7.0.14.0 01.02.2007 no virus found
eTrust-InoculateIT 23.73.103 01.03.2007 no virus found
eTrust-Vet 30.3.3299 01.03.2007 no virus found
Ewido 4.0 01.03.2007 no virus found
Fortinet 2.82.0.0 01.03.2007 no virus found
F-Prot 3.16f 01.02.2007 no virus found
F-Prot4 4.2.1.29 01.03.2007 no virus found
Ikarus T3.1.0.27 01.03.2007 no virus found
Kaspersky 4.0.2.24 01.03.2007 no virus found
McAfee 4931 01.03.2007 no virus found
Microsoft 1.1904 01.03.2007 no virus found
NOD32v2 1954 01.03.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.03.2007 no virus found
Prevx1 V2 01.03.2007 no virus found
Sophos 4.13.0 01.02.2007 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.141 01.01.2007 no virus found
UNA 1.83 01.03.2007 no virus found
VBA32 3.11.1 01.03.2007 no virus found
VirusBuster 4.3.19:9 01.03.2007 no virus found
Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
3) New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:11:15 PM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\bin\jusched.exe
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {0C0A0FF7-684F-4727-8D11-E2E097A340F2} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\daqegdor.dll
O2 - BHO: (no name) - {AF10ED83-2A4A-73CA-42D3-00F2CF541096} - C:\WINDOWS\system32\pohaib.dll (file missing)
O2 - BHO: (no name) - {D4C6923C-A11C-424E-93DF-342761AD3AF9} - C:\WINDOWS\system32\nnnmkhi.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270001}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270002}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: nnnmkhi - C:\WINDOWS\SYSTEM32\nnnmkhi.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
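A check worth making before trusting the 29 "no virus found" verdicts in the VirusTotal result above: the trailer reports a file size of 0 bytes, and d41d8cd98f00b204e9800998ecf8427e and da39a3ee5e6b4b0d3255bfef95601890afd80709 are the MD5 and SHA1 digests of empty input, so whatever reached VirusTotal contained nothing (the HijackThis log already marks C:\WINDOWS\system32\svchosts.exe as "file missing"). The Python script below is an added example, not part of the thread and not VirusTotal's own code: it parses such a trailer, hashes a local file the same way, and refuses to accept a verdict for an empty or mismatching submission. The files it hashes are constructed fixtures written to a temporary directory.

```python
"""Sanity-check a VirusTotal result against the file you meant to submit (added example)."""
import hashlib
import os
import tempfile

EMPTY_MD5 = hashlib.md5(b"").hexdigest()     # d41d8cd98f00b204e9800998ecf8427e
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()   # da39a3ee5e6b4b0d3255bfef95601890afd80709

# The trailer of the VirusTotal result posted above, reproduced here as a constant.
VT_TRAILER = """Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709"""


def parse_trailer(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info


def digest_file(path):
    """Hash a file in chunks and report it in the same shape as the scanner trailer."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"file size": f"{size} bytes", "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def describes_empty_input(info):
    """A 0-byte size or the empty-input digests mean the scanner never saw the suspect file."""
    return (info.get("file size", "").startswith("0 bytes")
            or info.get("md5", "").lower() == EMPTY_MD5
            or info.get("sha1", "").lower() == EMPTY_SHA1)


def result_matches_file(path, info):
    """True only if the report's digests equal the local file's and the file is not empty."""
    local = digest_file(path)
    return (not describes_empty_input(local)
            and local["md5"] == info.get("md5", "").lower()
            and local["sha1"] == info.get("sha1", "").lower())


def demo():
    """Constructed fixtures: an empty file (what the thread's scan looked at) and a non-empty one."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "svchosts.exe")
        open(empty, "wb").close()
        real = os.path.join(tmp, "sample.bin")
        with open(real, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 62)      # constructed bytes, not a real binary
        posted = parse_trailer(VT_TRAILER)
        return {
            "posted_report_is_empty": describes_empty_input(posted),
            "posted_report_matches_empty_file": result_matches_file(empty, posted),
            "local_sample_is_empty": describes_empty_input(digest_file(real)),
        }


if __name__ == "__main__":
    print(demo())
```

The practical rule the script encodes: hash the suspect file locally before uploading, and compare the digests the scanner echoes back with your own; if they are the empty-input digests, the upload picked up nothing and the clean verdict is meaningless.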
1. Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop. Double click FixServices.bat. A window will open and close. This is normal.
2. We need to run VundoFix again, but slightly differently this time...
- Double-click VundoFix.exe to run it.
- Right Click inside the listbox (white box) and click Add more file?
- Copy & Paste the 2 entries below into the top 2 boxes
- C:\WINDOWS\system32\nnnmkhi.dll
- C:\WINDOWS\system32\ihkmnnn.*
- Click Add Files and click Close Window
- Click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt in your next reply.
3. Open HijackThis and click the Do a system scan only button
- Check the following entries (below)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {0C0A0FF7-684F-4727-8D11-E2E097A340F2} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\daqegdor.dll
O2 - BHO: (no name) - {AF10ED83-2A4A-73CA-42D3-00F2CF541096} - C:\WINDOWS\system32\pohaib.dll (file missing)
O2 - BHO: (no name) - {D4C6923C-A11C-424E-93DF-342761AD3AF9} - C:\WINDOWS\system32\nnnmkhi.dll
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270001}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270002}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe" mc-110-12-0000272
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: nnnmkhi - C:\WINDOWS\SYSTEM32\nnnmkhi.dll
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis
4. Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:
C:\WINDOWS\system32\svchosts.exe
When you are asked "Do you want to restart your computer now?", click OK.
Your PC MUST reboot to delete the file!
5. Please post the following...
1) VundoFix.txt
2) New HijackThis log
1) VundoFix.txt
VundoFix V6.2.13
Checking Java version...
Sun Java not detected
Scan started at 12:58:49 PM 03/01/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\system32\oqtwa.tmp Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\nnnmkhi.dll
C:\WINDOWS\system32\nnnmkhi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\nnnmkhi.dll
C:\WINDOWS\system32\nnnmkhi.dll Has been deleted!
Performing Repairs to the registry.
Done!
2) New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:42:58 PM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe
F:\Program Files\adobe\Reader\reader_sl.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement."
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
- J2SE Runtime Environment 5.0 Update 4
- J2SE Runtime Environment 5.0 Update 6
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
2. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
- Windows Temp
- Current User Temp
- All Users Temp
- Temporary Internet Files
- Prefetch
- Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
3. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen, under Your Computer's security:
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Once in Safe Mode: Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)

- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode.
IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
4. Download this file to your Desktop - combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
5. Please do an online scan with Panda ActiveScan
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
6. Please post the following...
1) AVG anti-spyware log
2) ComboFix log
3) Panda Report
4) New HijackThis log
You may need several replies so the logs do not get cut off.
The AVG Anti-Spyware log was too long to be posted, so I posted the ones that didn't say "cleaned".
AVG Anti-Spyware - Scan Report
+ Created at: 2:44:24 PM 03/01/2007
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-746137067-1035525444-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-746137067-1035525444-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-746137067-1035525444-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvvux.dll -> Not-A-Virus.Hoax.Win32.Renos.NAH : Cleaned with backup (quarantined).
C:\WINDOWS\Qm9zY28gQ2hhbg\kA6WsZf0kZ11v0.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wintcc.exe -> Trojan.Small : Cleaned with backup (quarantined).
2) ComboFix log
Bosco Chan - 07-01-03 14:49:19.37 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Bosco Chan\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}
C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}
C:\Program Files\Common Files\{382792B5-0704-1033-0923-030308270002}
C:\Program Files\Common Files\{382792B5-0705-1033-0923-030308270002}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Bosco Chan\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\My Documents\MBOLS~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\My Documents\YSTEM3~1
C:\QooBox\Purity\Program Files\CURITY~1
C:\QooBox\Purity\Program Files\ECURIT~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
C:\QooBox\Purity\WINDOWS\system32\STEM~1
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM3~1
((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))
2007-01-03 14:12 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-03 14:07 <DIR> d C:\Program Files\Java
2007-01-03 14:07 <DIR> d C:\Program Files\Common Files\Java
2007-01-03 12:58 <DIR> d C:\VundoFix Backups
2007-01-03 12:56 88,064 --a C:\VundoFix.exe
2007-01-03 12:17 <DIR> d C:\HijackThis
2007-01-03 11:54 816,672 --a C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-03 11:54 4,224 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-03 11:54 3,968 --a C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-03 11:54 28,416 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-03 11:54 18,240 --a C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-03 11:54 <DIR> dr-h C:\$VAULT$.AVG
2007-01-03 11:54 <DIR> d C:\Program Files\Grisoft
2007-01-03 11:54 <DIR> d C:\Documents and Settings\Bosco Chan\Application Data\AVG7
2007-01-03 11:54 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
2007-01-03 11:50 <DIR> d C:\WINDOWS\system32\ZoneLabs
2007-01-03 11:50 <DIR> d C:\WINDOWS\Internet Logs
2007-01-03 11:50 <DIR> d C:\Program Files\Zone Labs
2007-01-03 11:18 22,541 --ahs---- C:\WINDOWS\system32\rqrppqr.dll
2007-01-03 10:02 22,541 --ahs---- C:\WINDOWS\system32\ljjkjkj.dll
2007-01-02 20:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-01-02 20:04 <DIR> d C:\Documents and Settings\Bosco Chan\Contacts
2007-01-01 15:30 <DIR> d C:\Program Files\Ipwindows
2007-01-01 15:28 22,541 --ahs---- C:\WINDOWS\system32\ssqpqnn.dll
2007-01-01 12:43 <DIR> d C:\WINDOWS\BDOSCAN8
2007-01-01 11:20 22,541 --ahs---- C:\WINDOWS\system32\efcbxus.dll
2007-01-01 09:18 22,541 --ahs---- C:\WINDOWS\system32\rqrsrsq.dll
2006-12-28 07:40 44,060 --a C:\WINDOWS\system32\daqegdor.dll
2006-12-25 09:04 22,541 --ahs---- C:\WINDOWS\system32\khfgdax.dll
2006-12-23 22:30 <DIR> d--h C:\Program Files\Common Files\Uninstall Information
2006-12-22 11:07 22,541 --ahs---- C:\WINDOWS\system32\hgghfgd.dll
2006-12-21 15:52 <DIR> d C:\Program Files\InstallShield Installation Information
2006-12-21 15:41 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-12-19 17:04 79,360 --a C:\WINDOWS\system32\swxcacls.exe
2006-12-19 17:04 51,200 --a C:\WINDOWS\system32\dumphive.exe
2006-12-18 20:14 22,541 --ahs---- C:\WINDOWS\system32\byxyyaw.dll
2006-12-18 16:23 22,541 --ahs---- C:\WINDOWS\system32\cbxuvvt.dll
2006-12-17 09:55 8,464 --a C:\WINDOWS\system32\sporder.dll
2006-12-16 17:42 <DIR> d C:\Program Files\Spybot - Search & Destroy
2006-12-16 17:42 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-15 07:42 118,804 --a C:\WINDOWS\system32\afcbskpj.dll
2006-12-05 22:00 <DIR> d C:\Program Files\DivX
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-03 14:49 d C:\Program Files\Common Files
2007-01-03 14:47 d C:\Program Files\Mozilla Firefox
2007-01-02 20:04 d C:\Program Files\MSN Messenger
2007-01-01 15:03 d C:\Documents and Settings\Bosco Chan\Application Data\Lavasoft
2006-12-21 15:53 163644 --a C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-14 20:40 d C:\Program Files\Internet Explorer
2006-12-14 20:39 d C:\Program Files\Outlook Express
2006-12-14 20:39 d C:\Program Files\Common Files\System
2006-12-06 23:40 2362184 --a C:\WINDOWS\system32\wmvcore.dll
2006-11-29 16:45 590878 --a C:\WINDOWS\system32\uninstall.exe
2006-11-27 16:23 d---s---- C:\Documents and Settings\Bosco Chan\Application Data\Microsoft
2006-11-26 16:47 d C:\Documents and Settings\Bosco Chan\Application Data\InstallShield
2006-11-25 10:11 110612 --a C:\WINDOWS\system32\smnughqo.exe
2006-11-19 16:04 28440 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\GDIPFONTCACHEV1.DAT
2006-11-18 00:27 d C:\Program Files\MSXML 4.0
2006-11-13 21:36 d C:\Program Files\Windows Media Player
2006-11-12 22:56 d C:\Program Files\Online Services
2006-11-09 08:29 d C:\Documents and Settings\Bosco Chan\Application Data\Vso
2006-11-09 08:21 223128 --a C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-11-07 22:06 679424 --a C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a C:\WINDOWS\system32\msxml4.dll
2006-11-01 20:45 5239 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\SmarThruOptions.xml
2006-10-29 08:36 81920 --a C:\Documents and Settings\Bosco Chan\Application Data\ezpinst.exe
2006-10-29 08:36 7176 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.cat
2006-10-29 08:36 47360 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.sys
2006-10-29 08:36 34 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.log
2006-10-29 08:36 1144 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.inf
2006-10-19 06:56 713216 --a C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 65536 --a C:\WINDOWS\system32\nwwks.dll
2006-10-13 05:35 64000 --a C:\WINDOWS\system32\nwapi32.dll
2006-10-13 05:35 142336 --a C:\WINDOWS\system32\nwprovau.dll
2006-10-07 23:23 98304 --a C:\WINDOWS\system32\CmdLineExt.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Norton SystemWorks"="\"F:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 9.0"="F:\\Program Files\\Norton SystemWorks\\Norton Ghost\\Agent\\GhostTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"AWMON"="\"F:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D4C6923C-A11C-424E-93DF-342761AD3AF9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070103-133930-251
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
backup-20070103-133930-504
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
backup-20070103-133930-669
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
backup-20070103-133930-442
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
backup-20070103-133930-687
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270002}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270002}\Update.exe" mc-110-12-0000272
backup-20070103-133930-632
O4 - HKLM\..\Run: [{182792B5-0705-1033-0923-030308270001}] "C:\Program Files\Common Files\{182792B5-0705-1033-0923-030308270001}\Update.exe" mc-110-12-0000272
backup-20070103-133930-963
O2 - BHO: (no name) - {D4C6923C-A11C-424E-93DF-342761AD3AF9} - C:\WINDOWS\system32\nnnmkhi.dll (file missing)
backup-20070103-133930-764
O2 - BHO: (no name) - {AF10ED83-2A4A-73CA-42D3-00F2CF541096} - C:\WINDOWS\system32\pohaib.dll (file missing)
backup-20070103-133930-304
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\daqegdor.dll
backup-20070103-133930-492
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
backup-20070103-133930-482
O2 - BHO: (no name) - {0C0A0FF7-684F-4727-8D11-E2E097A340F2} - C:\WINDOWS\system32\awtqo.dll (file missing)
backup-20070103-133930-272
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
backup-20070103-133930-575
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
backup-20070103-133930-667
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job
Completion time: 07-01-03 14:50:07.35
C:\ComboFix.txt ... 07-01-03 14:50
3) Panda Report
Incident Status Location
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bosco Chan\Application Data\Mozilla\Firefox\Profiles\55ugha3t.default\cookies.txt[.go.com/]
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Ipwindows\ipwins.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Ipwindows\ipwins.exe
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000019.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000020.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000021.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000023.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000025.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000028.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000029.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000031.MOZ[.maxserving.com/]
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000071.MOZ[.maxserving.com/]
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc10\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc11\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc3\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc4\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc5\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc6\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc7\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc8\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc9\system.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\efcbxus.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rqrsrsq.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\smnughqo.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqpqnn.dll
Potentially unwanted tool:Application/Processor Not disinfected F:\Stuff\SmitfraudFix\Process.exe
4) New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 3:42:38 PM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\Program Files\Mouse\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "F:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\adobe\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1. Find and delete the following folder (if present)
C:\Program Files\Ipwindows <-- this folder
2. Please download Killbox and save it to your desktop.
Next, copy everything in the Quote box below by pressing Ctrl+C.
Next, open Killbox.
Go to the File tab and select Paste from Clipboard
Select the Delete on Reboot option
Select All Files
Now click on the Red Circle with the White X
Press Yes to reboot your computer.
3. Run ComboFix once more and post the new log back here. Also, let me know how things are.
Here is the combofix log:
Bosco Chan - 07-01-03 16:15:15.96 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Bosco Chan\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Bosco Chan\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\My Documents\MBOLS~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\Bosco Chan\My Documents\YSTEM3~1
C:\QooBox\Purity\Program Files\CURITY~1
C:\QooBox\Purity\Program Files\ECURIT~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
C:\QooBox\Purity\WINDOWS\system32\STEM~1
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM3~1
((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))
2007-01-03 16:11 <DIR> d C:\!KillBox
2007-01-03 14:53 <DIR> d C:\WINDOWS\system32\ActiveScan
2007-01-03 14:12 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-03 14:07 <DIR> d C:\Program Files\Java
2007-01-03 14:07 <DIR> d C:\Program Files\Common Files\Java
2007-01-03 12:58 <DIR> d C:\VundoFix Backups
2007-01-03 12:56 88,064 --a C:\VundoFix.exe
2007-01-03 12:17 <DIR> d C:\HijackThis
2007-01-03 11:54 816,672 --a C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-03 11:54 4,224 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-03 11:54 3,968 --a C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-03 11:54 28,416 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-03 11:54 18,240 --a C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-03 11:54 <DIR> dr-h C:\$VAULT$.AVG
2007-01-03 11:54 <DIR> d C:\Program Files\Grisoft
2007-01-03 11:54 <DIR> d C:\Documents and Settings\Bosco Chan\Application Data\AVG7
2007-01-03 11:54 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
2007-01-03 11:50 <DIR> d C:\WINDOWS\system32\ZoneLabs
2007-01-03 11:50 <DIR> d C:\WINDOWS\Internet Logs
2007-01-03 11:50 <DIR> d C:\Program Files\Zone Labs
2007-01-02 20:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-01-02 20:04 <DIR> d C:\Documents and Settings\Bosco Chan\Contacts
2007-01-01 12:43 <DIR> d C:\WINDOWS\BDOSCAN8
2006-12-23 22:30 <DIR> d--h C:\Program Files\Common Files\Uninstall Information
2006-12-21 15:52 <DIR> d C:\Program Files\InstallShield Installation Information
2006-12-21 15:41 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-12-19 17:04 79,360 --a C:\WINDOWS\system32\swxcacls.exe
2006-12-19 17:04 51,200 --a C:\WINDOWS\system32\dumphive.exe
2006-12-17 09:55 8,464 --a C:\WINDOWS\system32\sporder.dll
2006-12-16 17:42 <DIR> d C:\Program Files\Spybot - Search & Destroy
2006-12-16 17:42 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-05 22:00 <DIR> d C:\Program Files\DivX
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-03 16:14 d C:\Program Files\Mozilla Firefox
2007-01-03 14:59 d C:\Program Files\WinRAR
2007-01-03 14:58 d C:\Program Files\Internet Explorer
2007-01-03 14:49 d C:\Program Files\Common Files
2007-01-02 20:04 d C:\Program Files\MSN Messenger
2007-01-01 15:03 d C:\Documents and Settings\Bosco Chan\Application Data\Lavasoft
2006-12-21 15:53 163644 --a C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-14 20:39 d C:\Program Files\Outlook Express
2006-12-14 20:39 d C:\Program Files\Common Files\System
2006-12-06 23:40 2362184 --a C:\WINDOWS\system32\wmvcore.dll
2006-11-29 16:45 590878 --a C:\WINDOWS\system32\uninstall.exe
2006-11-27 16:23 d---s---- C:\Documents and Settings\Bosco Chan\Application Data\Microsoft
2006-11-26 16:47 d C:\Documents and Settings\Bosco Chan\Application Data\InstallShield
2006-11-19 16:04 28440 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\GDIPFONTCACHEV1.DAT
2006-11-18 00:27 d C:\Program Files\MSXML 4.0
2006-11-13 21:36 d C:\Program Files\Windows Media Player
2006-11-12 22:56 d C:\Program Files\Online Services
2006-11-09 08:29 d C:\Documents and Settings\Bosco Chan\Application Data\Vso
2006-11-09 08:21 223128 --a C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-11-07 22:06 679424 --a C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a C:\WINDOWS\system32\msxml4.dll
2006-11-01 20:45 5239 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\SmarThruOptions.xml
2006-10-29 08:36 81920 --a C:\Documents and Settings\Bosco Chan\Application Data\ezpinst.exe
2006-10-29 08:36 7176 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.cat
2006-10-29 08:36 47360 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.sys
2006-10-29 08:36 34 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.log
2006-10-29 08:36 1144 --a--c--- C:\Documents and Settings\Bosco Chan\Application Data\pcouffin.inf
2006-10-19 06:56 713216 --a C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 65536 --a C:\WINDOWS\system32\nwwks.dll
2006-10-13 05:35 64000 --a C:\WINDOWS\system32\nwapi32.dll
2006-10-13 05:35 142336 --a C:\WINDOWS\system32\nwprovau.dll
2006-10-07 23:23 98304 --a C:\WINDOWS\system32\CmdLineExt.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Norton SystemWorks"="\"F:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 9.0"="F:\\Program Files\\Norton SystemWorks\\Norton Ghost\\Agent\\GhostTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"AWMON"="\"F:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D4C6923C-A11C-424E-93DF-342761AD3AF9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job
Completion time: 07-01-03 16:15:56.79
C:\ComboFix.txt ... 07-01-03 16:15
C:\ComboFix2.txt ... 07-01-03 14:50
Let me know if we can mark this resolved?
Glad we could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.
This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead.
Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available at this link:
http://www.short-media.com/forum/showthread.php?t=29803