Trojan-Clicker

edited February 2007 in Spyware & Virus Removal
Hi!

Sorry for the inconvenience. Strange why I get these viruses - I don't visit forbidden pages or download bad stuff.

Anyway, I will be glad if you are able to help.
I have done the eight steps. Thank you - regards from Orest

First my HijackThis log and then Kaspersky:

Logfile of HijackThis v1.99.1
Scan saved at 17:52:40, on 24-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\scanner.exe\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dr.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Kaspersky:

Wednesday, January 24, 2007 4:58:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/01/2007
Kaspersky Anti-Virus database records: 261415


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 25903
Number of viruses found 9
Number of infected objects 17 / 0
Number of suspicious objects 2
Duration of the scan process 01:04:07

Infected Object Name Virus Name Last Action
C:\ckib.exe Infected: Trojan-Clicker.Win32.Agent.is skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip/ishost.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\Jan Laugsen\.housecall6.6\Quarantine\MGSBAR.DLL.bac_a02976 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped

C:\Documents and Settings\Jan Laugsen\.housecall6.6\Quarantine\wdbdcuqt.exe.bac_a02976 Infected: not-a-virus:AdWare.Win32.Agent.at skipped

C:\Documents and Settings\Jan Laugsen\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\dfsr.db Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\fsr.log Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\tmp.edb Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows Live Contacts\janlaugesen@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows Live Contacts\janlaugesen@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\History\History.IE5\MSHist012007012420070125\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\Perflib_Perfdata_d0.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DF275C.tmp Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DFB9B6.tmp Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DFB9C3.tmp Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DFC282.tmp Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DFC28F.tmp Object is locked skipped

C:\Documents and Settings\Jan Laugsen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jan Laugsen\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jan Laugsen\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\nlwqd.exe Infected: Trojan-Clicker.Win32.Agent.is skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Jan Laugsen.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Jan Laugsen.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Jan Laugsen.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0007837.exe Object is locked skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0007871.exe Object is locked skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0008018.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0008045.exe Object is locked skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP27\A0008412.dll Object is locked skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP39\A0013175.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0015269.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0016385.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0016386.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0016441.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP46\A0016450.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped

C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP58\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{476E24D3-8639-4024-A6A7-FE71A103149C}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\awtustt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\ctpmon.exe Infected: Trojan-Clicker.Win32.Agent.is skipped

C:\WINDOWS\system32\rpcc.dll Object is locked skipped

C:\WINDOWS\system32\rqrstqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
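An added example, not code from the original post nor from HijackThis, Kaspersky or the forum helper: a small Python triage script that reads excerpts of the two logs above and pulls out the entries a helper would look at first. The log lines it embeds are copied from the HijackThis log and the Kaspersky report as posted; the allow-list KNOWN_BARE_RUN and the location buckets are this example's own assumptions. It flags the same ctpmon.exe image running twice, the HKCU Run value that launches ctpmon.exe by bare name (resolved through the PATH search order instead of a fixed location), the two Winlogon Notify entries (one with a missing file) and the double-extension scanner.exe.exe path, and it separates Kaspersky hits that are still live on disk from those sitting in System Restore points, another tool's quarantine, or the removal tools themselves.

```python
from __future__ import annotations
import re
from collections import Counter

# Excerpts of the HijackThis log and Kaspersky report posted above (not the whole logs).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\scanner.exe\scanner.exe.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
"""
KAV_REPORT = r"""
C:\ckib.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\Documents and Settings\Jan Laugsen\.housecall6.6\Quarantine\MGSBAR.DLL.bac_a02976 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0008018.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\WINDOWS\system32\awtustt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped
C:\WINDOWS\system32\ctpmon.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\WINDOWS\system32\rpcc.dll Object is locked skipped
"""

# Assumed allow-list of bare-name Run values that are normal on this machine (nwiz is NVIDIA's).
KNOWN_BARE_RUN = {"nwiz.exe"}
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
KAV_RE = re.compile(r"^(.+?) (?:Infected: (\S+)|Suspicious: (\S+)|Object is locked) skipped$")


def first_token(command: str) -> str:
    """Executable part of a Run value: honour quotes, otherwise cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage_hjt(log: str) -> list[tuple[str, str]]:
    """Return (finding, evidence) pairs for the autostart oddities visible in an HJT log."""
    findings = []
    procs = [ln for ln in log.splitlines() if re.match(r"^[A-Za-z]:\\", ln)]
    # The same system32 image running twice is how a self-respawning clicker looks.
    for path, n in Counter(p.lower() for p in procs).items():
        if n > 1:
            findings.append(("duplicate process", f"{path} x{n}"))
    for path in procs:
        parts = path.split("\\")
        # A double extension, or a directory named like an executable, is not how installers lay files out.
        if parts[-1].lower().count(".exe") > 1 or any(d.lower().endswith(".exe") for d in parts[:-1]):
            findings.append(("odd path", path))
    for line in log.splitlines():
        if m := O4_RE.match(line):
            exe = first_token(m.group(3))
            # A bare file name is found via the PATH search order, so the entry hides where the binary really lives.
            if "\\" not in exe and "%" not in exe and exe.lower() not in KNOWN_BARE_RUN:
                findings.append(("bare filename in Run", f"{m.group(1)} [{m.group(2)}] {exe}"))
        elif m := O20_RE.match(line):
            # HijackThis omits Notify packages on its built-in safe list, so every O20 line shown is
            # worth a look; "(file missing)" is a dead hook that still needs removing from the registry.
            kind = "orphaned Winlogon Notify" if "(file missing)" in m.group(2) else "Winlogon Notify DLL"
            findings.append((kind, f"{m.group(1)} -> {m.group(2)}"))
    return findings


def classify_kav(report: str) -> dict[str, list[tuple[str, str]]]:
    """Bucket Kaspersky hits by where they sit, which decides what to do about each."""
    buckets: dict[str, list[tuple[str, str]]] = {
        "live": [], "restore point": [], "quarantined": [], "removal tool": [], "locked": []}
    for line in report.splitlines():
        m = KAV_RE.match(line)
        if not m:
            continue
        path, verdict = m.group(1), m.group(2) or m.group(3) or "locked"
        low = path.lower()
        if verdict == "locked":            # held open by a running process; rescan from Safe Mode
            buckets["locked"].append((path, verdict))
        elif "\\system volume information\\_restore" in low:   # gone once restore points are purged
            buckets["restore point"].append((path, verdict))
        elif "\\quarantine\\" in low or "\\recovery\\" in low:  # already contained by another tool
            buckets["quarantined"].append((path, verdict))
        elif "smitfraudfix" in low or "risktool" in verdict.lower():  # the fix tool's own helpers
            buckets["removal tool"].append((path, verdict))
        else:
            buckets["live"].append((path, verdict))
    return buckets


if __name__ == "__main__":
    for finding in triage_hjt(HJT_LOG):
        print(": ".join(finding))
    for bucket, hits in classify_kav(KAV_REPORT).items():
        print(bucket, [p for p, _ in hits])
```

Run as-is it prints five findings for the HijackThis excerpt and puts C:\ckib.exe, awtustt.dll and ctpmon.exe in the "live" bucket, while rpcc.dll (the Winlogon Notify DLL) lands in "locked" because the scanner could not open it. Note that this is only a first pass over text: it tells you which entries to investigate, not whether a file is malicious.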

Comments

  • Rahina-Rescue (Finland)
    edited January 2007
    Please give me some time to look over your logs. I will post as soon as I can.
  • Rahina-Rescue (Finland)
    edited January 2007
    Let's take a look :)

    Please download VundoFix.exe to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer; click OK.

    Please post: Vundofix.txt & HJT log.
  • edited January 2007
    Hi again.
    Here is my HJT log. You ask for vundofix.txt, but I don't know how to do it?
    My internet is running very slowly and I'm not able to play WoW as well :confused:

    Logfile of HijackThis v1.99.1
    Scan saved at 23:51:46, on 24-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\htpatch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scanner.exe\scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • Rahina-Rescue (Finland)
    edited January 2007
    Sorry, Vundofix.txt is located at C:\Vundofix.txt :)
  • edited January 2007
    oky doky :)

    here it is:

    VundoFix V6.3.2

    Checking Java version...

    Java version is 1.5.0.9

    Scan started at 23:32:11 24-01-2007

    Listing files found while scanning....

    C:\WINDOWS\system32\byxwv.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\byxwv.dll
    C:\WINDOWS\system32\byxwv.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
  • Rahina-Rescue (Finland)
    edited January 2007
    Please download SmitfraudFix (by S!Ri).

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
  • edited January 2007
    Hi!

    Hmm, the link to the Smitfraud homepage doesn't work. I have tried to search on Google, but get the message: page cannot be displayed?

    Orest
  • Rahina-Rescue (Finland)
    edited January 2007
    Hmm, please try again.
  • edited January 2007
    Hello :)

    Tried to download from about 10 different links, but the page cannot be displayed. In the end I found a page where I could download it from.
    So, here is the report:

    Run from C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\autosys.exe FOUND !
    C:\WINDOWS\system32\ctpmon.exe FOUND !
    C:\WINDOWS\system32\RegistryCleanerSetup.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jan Laugsen


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jan Laugsen\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JANLAU~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • Rahina-Rescue (Finland)
    edited January 2007
    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:

    Restart your computer.
    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    Instead of Windows loading as normal, a menu with options should appear;
    Select the first option, to run Windows in Safe Mode, then press "Enter".
    Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

    Please post the SmitfraudFix txt & HJT log.
  • edited January 2007
    Thanks for the quick response :)

    Report follows:

    SmitFraudFix v2.135

    Scan done at 20:00:57,38, 26-01-2007
    Run from C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\autosys.exe Deleted
    C:\WINDOWS\system32\ctpmon.exe Deleted
    C:\WINDOWS\system32\RegistryCleanerSetup.exe Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • Rahina-Rescue (Finland)
    edited January 2007
    Also post a fresh HijackThis log. ;)
  • edited January 2007
    HJT-log:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:10:02, on 26-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\htpatch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scanner.exe\scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    O4 - Startup: Reboot.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • Rahina-Rescue Finland
    edited January 2007
    Please download the Killbox by Option^Explicit.


    Note! In the event you already have Killbox, this is a new version that I need you to download.

    Save it to your desktop.
    Please double-click Killbox.exe to run it.
    Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\rpcc.dll

    Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    Select Delete on Reboot
    then Click on the Single File button.
    Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox,

    click here to download and run missingfilesetup.exe. Then try Killbox again.




    Open HijackThis and scan. When it finishes, put an X in the box next to these following item(s) and click fix checked.

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: Reboot.exe
    <- fix this item if it was not set by you
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)


    delete Reboot.exe from your startup folder.



    Download ATF-Cleaner by Atribune to your desktop.

    Do not run it yet.

    Run ATF Cleaner. Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.




    Kaspersky On-line Scanner

    When you are prompted to install an ActiveX component from Kaspersky, Click Yes.

    The program will launch and then begin downloading the latest definition files
    When the files finish downloading click on NEXT
    Now click on Scan Settings
    In Scan Settings make sure that the following are selected:
    Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)

    Scan Options:

    Scan Archives
    Scan Mail Bases


    Click OK

    Now under select a target to scan:
    Select My Computer
    This program will start and scan your system.
    Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
    When the scan has completed, it will display whether your system has been infected or not
    Click on the Save as Text button:
    Save the file to your desktop or another folder where you can locate it later.
    Attach this file to your next message.

    Please Post a Fresh HJT-Log & Kaspersky Report

    Let me know how things are running :thumbsup:
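A small triage script for HijackThis logs, added here as an example (it is not part of this thread and not code from HijackThis): it parses the `Oxx - ...` entry lines and flags the same kinds of entries the reply above singles out, namely autostarts whose file is missing, Winlogon Notify DLLs outside the stock set, programs in the user's Startup folder, and the KernelFaultCheck leftover. The sample lines are copied from the log posted earlier in this thread; the set of default XP Winlogon Notify packages is an assumption of this example, not something HijackThis reports.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4" or "O20"
    detail: str    # the text after "Oxx - "
    reason: str    # why the entry deserves a look


# Lines copied from the HijackThis v1.99.1 log posted earlier in this thread (subset).
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Reboot.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption of this example: the Winlogon Notify packages that ship with Windows XP SP2.
# Any other package is a DLL loaded into winlogon.exe at every logon and deserves a look.
KNOWN_XP_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Every HijackThis entry line starts with a section code followed by " - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) for every HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag the kinds of entries a helper would ask about, in log order."""
    findings = []
    for section, detail in parse_hjt(text):
        if "(file missing)" in detail:
            # An autostart pointing at a file that is gone: a leftover of a
            # removed component or of an earlier cleanup. Safe to fix.
            findings.append(Finding(section, detail, "referenced file is missing (orphaned entry)"))
        elif section == "O20" and detail.startswith("Winlogon Notify: "):
            name = detail[len("Winlogon Notify: "):].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_XP_NOTIFY:
                findings.append(Finding(section, detail, "Winlogon Notify DLL outside the XP default set"))
        elif section == "O4" and detail.startswith("Startup: "):
            findings.append(Finding(section, detail, "program in the user's Startup folder; confirm you put it there"))
        elif section == "O4" and "dumprep" in detail.lower():
            findings.append(Finding(section, detail, "KernelFaultCheck leftover from a crash report; harmless, safe to fix"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.detail}")
```

Run it on a whole saved log instead of `SAMPLE_HJT_LOG` to get a short list to compare against what a helper asks you to fix; entries it does not mention (the O2, O23 and vendor O4 lines above) are still worth reading, the script only orders the obvious ones first.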
  • edited January 2007
    Hi there.
    What do u mean by deleting reboot.exe from the startup folder? I'm not sure how to do that....

    My internet-connection runs faster now :)
    Now the Kaspersky report says 11 viruses found - the last time I ran Kaspersky it said 9 viruses found, I think.

    Hjt-log :

    Logfile of HijackThis v1.99.1
    Scan saved at 13:27:58, on 27-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\htpatch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scanner.exe\scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Kaspersky:

    Saturday, January 27, 2007 1:27:30 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 27/01/2007
    Kaspersky Anti-Virus database records: 262661


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 30990
    Number of viruses found 11
    Number of infected objects 22 / 0
    Number of suspicious objects 2
    Duration of the scan process 00:58:32

    Infected Object Name Virus Name Last Action
    C:\ckib.exe Infected: Trojan-Clicker.Win32.Agent.is skipped

    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip/ishost.exe Suspicious: Password-protected-EXE skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip ZIP: suspicious - 1 skipped

    C:\Documents and Settings\Jan Laugsen\.housecall6.6\Quarantine\MGSBAR.DLL.bac_a02976 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped

    C:\Documents and Settings\Jan Laugsen\.housecall6.6\Quarantine\wdbdcuqt.exe.bac_a02976 Infected: not-a-virus:AdWare.Win32.Agent.at skipped

    C:\Documents and Settings\Jan Laugsen\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

    C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\dfsr.db Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\fsr.log Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Messenger\janlaugesen@hotmail.com\SharingMetadata\Working\database_AA98_2BA8_982B_71CD\tmp.edb Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows Live Contacts\janlaugesen@hotmail.com\real\members.stg Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Application Data\Microsoft\Windows Live Contacts\janlaugesen@hotmail.com\shadow\members.stg Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\History\History.IE5\MSHist012007012720070128\index.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\History\History.IE5\MSHist012007012720070128\index.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DF369A.tmp Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DF36AE.tmp Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DFEF71.tmp Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Temp\~DFEFAF.tmp Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Jan Laugsen\NTUSER.DAT.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\nlwqd.exe Infected: Trojan-Clicker.Win32.Agent.is skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped

    C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0007837.exe Object is locked skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0007871.exe Object is locked skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP25\A0008018.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP39\A0013175.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0015269.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0016385.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0016386.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP45\A0016441.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP46\A0016450.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP59\A0020023.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP60\A0020058.exe Infected: Trojan-Downloader.Win32.Obfuscated.bh skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP60\A0020059.exe Infected: Trojan-Clicker.Win32.Agent.is skipped

    C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP61\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{8C32D4AB-F305-4F8B-BDAA-1EE4045829C6}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\system32\awtustt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\rqrstqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    D:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP61\change.log Object is locked skipped

    E:\Utility\PCDJ\setupsilver.exe Infected: not-a-virus:AdWare.Win32.TimeSink.d skipped

    Scan process completed.
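The report above mixes four different things: real detections in their original location, files the scanner could not open because Windows had them locked, items that other tools had already quarantined, and old copies inside System Restore points. The reply that follows treats each group differently (delete the live files, empty the quarantine folder, flush System Restore). As an added example, not from the thread and not Kaspersky's own code, here is a parser for this report format that sorts the lines into those groups. The sample lines are taken from the report above with the profile name replaced by the constructed placeholder `<user>`.

```python
import re
from typing import Dict, List

# Sample lines taken from the Kaspersky Online Scanner report above, with the
# profile name replaced by <user> (a constructed placeholder).
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\ckib.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip/ishost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\<user>\.housecall6.6\Quarantine\MGSBAR.DLL.bac_a02976 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\Documents and Settings\<user>\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\nlwqd.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{C80906CE-CF79-482E-870E-1C1F8C524233}\RP60\A0020059.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\WINDOWS\system32\awtustt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ej skipped
E:\Utility\PCDJ\setupsilver.exe Infected: not-a-virus:AdWare.Win32.TimeSink.d skipped
Scan process completed.
"""

# Paths contain spaces, so the line is split on the status phrases the scanner
# uses rather than on whitespace; the action ("skipped") is the last word.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<status>Infected: \S+|Suspicious: \S+|Object is locked|\S+: (?:infected|suspicious) - \d+) "
    r"(?P<action>\S+)$"
)

CATEGORIES = ("malware", "riskware", "suspicious", "quarantined", "restore-point", "locked")


def classify(path: str, status: str) -> str:
    low = path.lower()
    if status == "Object is locked":
        return "locked"            # in use by Windows or another program; not a detection
    if "\\system volume information\\" in low:
        return "restore-point"     # old copy; goes away when System Restore is flushed
    if "\\quarantine\\" in low or "\\recovery\\" in low:
        return "quarantined"       # already neutralised by another tool; empty that folder
    if status.startswith("Infected: not-a-virus:"):
        return "riskware"          # adware / risk tools: unwanted, but not self-propagating
    if status.startswith("Infected: "):
        return "malware"
    return "suspicious"            # heuristic or container hits; inspect before acting


def summarize(report: str) -> Dict[str, List[str]]:
    """Bucket every entry line of the report by category, keeping report order."""
    buckets: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            buckets[classify(m["path"], m["status"])].append(m["path"])
    return buckets


def live_detections(report: str) -> List[str]:
    """Files still present in their original location that the scanner named as a threat."""
    s = summarize(report)
    return s["malware"] + s["riskware"]


if __name__ == "__main__":
    for category, paths in summarize(SAMPLE_REPORT).items():
        print(f"{category} ({len(paths)})")
        for p in paths:
            print("   ", p)
```

On the sample the live detections come out as `C:\ckib.exe`, `C:\nlwqd.exe`, `C:\WINDOWS\system32\awtustt.dll` and `E:\Utility\PCDJ\setupsilver.exe`, which is the list the next reply asks to delete; the "locked" group is normal for registry hives, event logs and index.dat files and needs no action.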
  • Rahina-Rescue Finland
    edited January 2007
    The file should be located here :

    C:\Documents and Settings\Jan Laugsen\Start Menu\Startup\Reboot.exe


    Empty this folder:

    C:\Documents and Settings\Jan Laugsen\.housecall6.6\Quarantine


    Please go Here to see how to show hidden files in windows.



    Please delete the following files, if found.

    C:\ckib.exe
    C:\nlwqd.exe
    C:\WINDOWS\system32\awtustt.dll
    C:\WINDOWS\system32\ctpmon.exe
    C:\WINDOWS\system32\rqrstqo.dll
    E:\Utility\PCDJ\setupsilver.exe



    Turn off System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer.

    Turn ON System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
    Click Create a Restore Point, and then click Next.
    Name your restore point.



    Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure


    Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

    Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.

    Use CCleaner
    It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space.

    Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.

    Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.

    Use Firefox browser
    Firefox is a faster, safer and better browser than Internet Explorer.

    Keep your system up-to-date
    Visit Windows Update regularly.

    Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    Please let me know how things are running.
  • edited January 2007
    Things are running very good now. A very nice feeling. Thank u so much for the help. ;)
    Have another question, but dunno if u are able to answer it....
    Since I got viruses I'm not able to play world of warcraft. U think the virus has infected the game. When I start running the game this message appears:
    Maybe I have to uninstall the game :(

    This application has encountered a critical error:

    ERROR #131 (0x85100083) File Corrupt
    Program: D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    File: DBFilesClient\Spell.dbc




    WoWBuild: 6337

    Stack Trace (Manual)

    Address Frame Logical addr Module

    006A566F 0012FDBC 0001:002A466F D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    006A9CB0 0012FDE0 0001:002A8CB0 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    006A6995 0012FE08 0001:002A5995 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    0069DAF8 0012FE18 0001:0029CAF8 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    00590B72 0012FE40 0001:0018FB72 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    00584330 0012FE70 0001:00183330 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    00581F55 0012FEB0 0001:00180F55 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    004232FA 0012FF18 0001:000222FA D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    004230A1 0012FF30 0001:000220A1 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    00404B0E 0012FFC0 0001:00003B0E D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    7C816FD7 0012FFF0 0001:00015FD7 C:\WINDOWS\system32\kernel32.dll

    Stack Trace (Using DBGHELP.DLL)



    Loaded Modules

    0x00400000 - 0x00D9B000 D:\Games\World of Warcraft\World of Warcraft\WoW.exe
    0x00DA0000 - 0x00E30000 D:\Games\World of Warcraft\World of Warcraft\fmod.dll
    0x01530000 - 0x01648000 D:\Games\World of Warcraft\World of Warcraft\dbghelp.dll
    0x10000000 - 0x10069000 D:\Games\World of Warcraft\World of Warcraft\DivxDecoder.dll
    0x4FDD0000 - 0x4FF76000 C:\WINDOWS\system32\d3d9.dll
    0x5AD70000 - 0x5ADA8000 C:\WINDOWS\system32\uxtheme.dll
    0x5D090000 - 0x5D12A000 C:\WINDOWS\system32\COMCTL32.dll
    0x5ED00000 - 0x5EDCC000 C:\WINDOWS\system32\OPENGL32.dll
    0x68B20000 - 0x68B40000 C:\WINDOWS\system32\GLU32.dll
    0x6D990000 - 0x6D996000 C:\WINDOWS\system32\d3d8thk.dll
    0x71AA0000 - 0x71AA8000 C:\WINDOWS\system32\WS2HELP.dll
    0x71AB0000 - 0x71AC7000 C:\WINDOWS\system32\WS2_32.dll
    0x71AD0000 - 0x71AD9000 C:\WINDOWS\system32\WSOCK32.dll
    0x71BF0000 - 0x71C03000 C:\WINDOWS\system32\SAMLIB.dll
    0x73760000 - 0x737A9000 C:\WINDOWS\system32\DDRAW.dll
    0x73BC0000 - 0x73BC6000 C:\WINDOWS\system32\DCIMAN32.dll
    0x74720000 - 0x7476B000 C:\WINDOWS\system32\MSCTF.dll
    0x76390000 - 0x763AD000 C:\WINDOWS\system32\IMM32.dll
    0x76B40000 - 0x76B6D000 C:\WINDOWS\system32\WINMM.dll
    0x76F60000 - 0x76F8C000 C:\WINDOWS\system32\WLDAP32.dll
    0x77120000 - 0x771AC000 C:\WINDOWS\system32\OLEAUT32.dll
    0x771B0000 - 0x77256000 C:\WINDOWS\system32\WININET.dll
    0x773D0000 - 0x774D3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
    0x774E0000 - 0x7761D000 C:\WINDOWS\system32\ole32.dll
    0x77690000 - 0x776B1000 C:\WINDOWS\system32\NTMARTA.DLL
    0x77A80000 - 0x77B14000 C:\WINDOWS\system32\CRYPT32.dll
    0x77B20000 - 0x77B32000 C:\WINDOWS\system32\MSASN1.dll
    0x77BE0000 - 0x77BF5000 C:\WINDOWS\system32\MSACM32.dll
    0x77C00000 - 0x77C08000 C:\WINDOWS\system32\VERSION.dll
    0x77C10000 - 0x77C68000 C:\WINDOWS\system32\msvcrt.dll
    0x77D40000 - 0x77DD0000 C:\WINDOWS\system32\USER32.dll
    0x77DD0000 - 0x77E6B000 C:\WINDOWS\system32\ADVAPI32.dll
    0x77E70000 - 0x77F01000 C:\WINDOWS\system32\RPCRT4.dll
    0x77F10000 - 0x77F57000 C:\WINDOWS\system32\GDI32.dll
    0x77F60000 - 0x77FD6000 C:\WINDOWS\system32\SHLWAPI.dll
    0x77FE0000 - 0x77FF1000 C:\WINDOWS\system32\Secur32.dll
    0x7C800000 - 0x7C8F4000 C:\WINDOWS\system32\kernel32.dll
    0x7C900000 - 0x7C9B0000 C:\WINDOWS\system32\ntdll.dll
    0x7C9C0000 - 0x7D1D5000 C:\WINDOWS\system32\SHELL32.dll


    Memory Dump

    Stack: 1024 bytes starting at (ESP = 0012EFAC)

    * = addr ** *
    0012EFA0: 70 21 00 00 8C 08 6C 00 AC EF 12 00 70 21 00 00 p!....l.....p!..
    0012EFB0: A8 F1 12 00 00 00 00 00 AC EF 12 00 C4 EF 12 00 ................
    0012EFC0: 8C 08 6C 00 D8 EF 12 00 98 19 6A 00 70 21 00 00 ..l.......j.p!..
    0012EFD0: 03 00 00 00 00 00 00 00 54 FD 12 00 22 12 6A 00 ........T...".j.
    0012EFE0: 00 00 00 00 00 00 00 00 08 28 C7 01 DF 10 7D 01 .........(....}.
    0012EFF0: 20 F4 12 00 26 F3 12 00 44 00 61 00 74 00 61 00 ...&...D.a.t.a.
    0012F000: 5C 00 65 00 6E 00 47 00 42 00 5C 00 20 00 00 00 \.e.n.G.B.\. ...
    0012F010: F0 55 77 AC 4D 1A C7 01 90 E0 9B A5 0B 42 C7 01 .Uw.M........B..
    0012F020: 00 81 10 51 06 40 C7 01 00 00 00 00 D7 CC 00 00 ...Q.@..........
    0012F030: 63 00 73 00 5C 00 57 00 74 00 6F 00 73 00 2E 00 c.s.\.W.t.o.s...
    0012F040: 68 00 74 00 6D 00 6C 00 00 00 72 00 74 00 2E 00 h.t.m.l...r.t...
    0012F050: 75 00 72 00 6C 00 00 00 00 00 90 7C 40 FF 18 00 u.r.l......|@...
    0012F060: A0 FF 18 00 00 00 00 00 5C F0 12 00 6F F0 80 7C ........\...o..|
    0012F070: D4 F0 12 00 18 EE 90 7C 40 FF 18 00 12 00 00 00 .......|@.......
    0012F080: 90 F0 12 00 82 93 80 7C 12 00 00 00 A0 FF 18 00 .......|........
    0012F090: 56 F0 80 7C 54 FF 18 00 31 F0 80 7C 26 F3 12 00 V..|T...1..|&...
    0012F0A0: 08 D8 C3 01 79 C3 C4 01 06 00 00 80 00 00 00 00 ....y...........
    0012F0B0: A0 FF 18 00 00 F0 FD 7F 06 00 00 80 A0 DC C3 01 ................
    0012F0C0: 00 00 00 00 40 FF 18 00 A0 DC C3 01 9C F0 12 00 ....@...........
    0012F0D0: 00 00 00 00 B0 FF 12 00 A8 9A 83 7C 38 F0 80 7C ...........|8..|
    0012F0E0: FF FF FF FF 31 F0 80 7C 0F C7 6B 00 40 FF 18 00 ....1..|..k.@...
    0012F0F0: 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E This application
    0012F100: 20 68 61 73 20 65 6E 63 6F 75 6E 74 65 72 65 64 has encountered
    0012F110: 20 61 20 63 72 69 74 69 63 61 6C 20 65 72 72 6F a critical erro
    0012F120: 72 3A 0A 0A 45 52 52 4F 52 20 23 31 33 31 20 28 r:..ERROR #131 (
    0012F130: 30 78 38 35 31 30 30 30 38 33 29 20 46 69 6C 65 0x85100083) File
    0012F140: 20 43 6F 72 72 75 70 74 0A 50 72 6F 67 72 61 6D Corrupt.Program
    0012F150: 3A 09 44 3A 5C 47 61 6D 65 73 5C 57 6F 72 6C 64 :.D:\Games\World
    0012F160: 20 6F 66 20 57 61 72 63 72 61 66 74 5C 57 6F 72 of Warcraft\Wor
    0012F170: 6C 64 20 6F 66 20 57 61 72 63 72 61 66 74 5C 57 ld of Warcraft\W
    0012F180: 6F 57 2E 65 78 65 0A 46 69 6C 65 3A 09 44 42 46 oW.exe.File:.DBF
    0012F190: 69 6C 65 73 43 6C 69 65 6E 74 5C 53 70 65 6C 6C ilesClient\Spell
    0012F1A0: 2E 64 62 63 0A 0A 0A 0A 00 F1 12 00 D4 F1 12 00 .dbc............
    0012F1B0: 7F 56 41 00 FC 3F 02 00 00 F2 12 00 5A 30 41 00 .VA..?......Z0A.
    0012F1C0: 00 00 00 00 00 00 00 00 24 F2 12 00 0C F2 12 00 ........$.......
    0012F1D0: A1 38 41 00 00 F2 12 00 00 F2 12 00 18 F2 12 00 .8A.............
    0012F1E0: 00 F2 12 00 00 F2 12 00 22 F2 12 00 5E F2 12 00 ........"...^...
    0012F1F0: 66 F5 12 00 CC CC CC CC CC CC CC CC CC CC FB 3F f..............?
    0012F200: 00 00 00 00 E3 F2 12 00 01 00 00 00 44 F2 12 00 ............D...
    0012F210: 6E C8 40 00 E3 F2 12 00 E2 F2 12 00 E2 F2 12 00 n.@.............
    0012F220: 61 C7 40 00 E2 F2 12 00 30 00 00 00 01 00 00 00 a.@.....0.......
    0012F230: E2 F2 12 00 01 00 00 00 E0 F2 12 00 06 00 00 00 ................
    0012F240: 66 F5 12 00 A4 F2 12 00 BB C6 40 00 E0 F2 12 00 f.........@.....
    0012F250: 01 00 00 00 94 F2 12 00 00 00 00 00 00 00 00 00 ................
    0012F260: 05 00 00 00 94 F2 12 00 00 F3 12 00 00 00 00 00 ................
    0012F270: 00 F3 12 00 32 55 41 00 88 F2 12 00 00 0A D7 A3 ....2UA.........
    0012F280: F0 70 8D 00 E4 70 8D 00 00 00 00 00 00 00 00 00 .p...p..........
    0012F290: 80 CC CC CC 00 00 00 00 00 00 00 00 05 00 00 00 ................
    0012F2A0: F6 70 8D 00 0A F3 12 00 96 F2 12 00 D4 F2 12 00 .p..............
    0012F2B0: 7F 56 41 00 FC 3F 02 00 00 F3 12 00 5A 30 41 00 .VA..?......Z0A.
    0012F2C0: 00 00 BD 00 00 40 2F 00 24 F3 12 00 0C F3 12 00 .....@/.$.......
    0012F2D0: A1 38 41 00 00 F3 12 00 00 F3 12 00 18 F3 12 00 .8A.............
    0012F2E0: 00 F3 12 00 00 F3 12 00 22 F3 12 00 5E F3 12 00 ........"...^...
    0012F2F0: 66 F6 12 00 CC CC CC CC CC CC CC CC CC CC FB 3F f..............?
    0012F300: 00 00 00 00 E3 F3 12 00 01 00 00 00 44 F3 12 00 ............D...
    0012F310: 6E C8 40 00 E3 F3 12 00 E2 F3 12 00 E2 F3 12 00 n.@.............
    0012F320: 61 C7 40 00 E2 F3 12 00 30 00 00 00 01 00 00 00 a.@.....0.......
    0012F330: E2 F3 12 00 01 00 00 00 E0 F3 12 00 06 00 00 00 ................
    0012F340: 66 F6 12 00 A4 F3 12 00 BB C6 40 00 E0 F3 12 00 f.........@.....
    0012F350: 01 00 00 00 94 F3 12 00 00 00 00 00 00 00 00 00 ................
    0012F360: 05 00 00 00 94 F3 12 00 00 00 00 40 E1 7A 94 3F ...........@.z.?
    0012F370: 94 F3 12 00 FC F5 12 00 48 D9 40 00 66 00 00 00 ........H.@.f...
    0012F380: 14 F6 12 00 E8 F5 12 00 5E FC 12 00 F0 FF FF FF ........^.......
    0012F390: 00 00 00 00 69 D8 40 00 E0 F7 CD 00 10 00 00 00 ....i.@.........
    0012F3A0: 14 F6 12 00 E8 F5 12 00 5C FC 12 00 00 00 00 00 ........\.......



    ======================================================================
    Hardware/Driver Information:
    Processor: 0x0
    Page Size: 4096
    Min App Address: 0x10000
    Max App Address: 0x7ffeffff
    Processor Mask: 0x1
    Number of Processors: 1
    Processor Type: 586
    Allocation Granularity: 65536
    Processor Level: 6
    Processor Revision: 2049

    Percent memory used: 68
    Total physical memory: 536330240
    Free Memory: 169295872
    Page file: 1311068160
    Total virtual memory: 2147352576
  • Rahina-Rescue Finland
    edited January 2007
    Well, you don't have any Viruses anymore on your system.

    I suggest you reinstall WoW and try again. :)
  • edited February 2007
    Nice, my computer is running without any probs yet:)

    Have installed WoW again, but get the message that there is not enough space on the hard disk... I use 10,2 GB but only got 1,69 GB free space.
    But I worry, because I don't use all that space. Have looked at "add/remove programs" - the only things installed are the virus scanner and that stuff.
    Have tried a disc cleanup, but it's only possible to clean up the temporary internet files.

    u know what's wrong? Dunno, if the viruses have stolen my free space...
    Thanks, Orestus
  • Rahina-Rescue Finland
    edited February 2007
    Sorry for the delay to your post, please let me know if you still need my help :)
  • edited February 2007
    Hi

    No problem, I'm just glad that u could help :p

    WoW is installed again and everything runs perfect.
    Thanks - Orest
  • Rahina-Rescue Finland
    edited February 2007
    Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

    This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

    If you are not the user who started this thread, you must start a new Thread instead :)

    Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here