PDA

View Full Version : trojan



agohel1
2007-09-13, 02:01
my comp kind of refreshed the screen, it will go black for a second Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:01:54 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\GameSpot\DownloadManager_Win32.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\WINDOWS\system32\PnkBstrA.exe
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Comodo\CBOClean\BOC424.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\MSOffice\Office\FINDFAST.EXE
D:\WINDOWS\system32\RAMASST.exe
D:\Program Files\GameSpot\GDM_TrayApp.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Documents and Settings\Ashish\Desktop\HiJackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sfront.ijji.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [BOC-424] D:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: GameSpot Download Manager.lnk = D:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - D:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: DNADownloader - CNET Networks - D:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

agohel1
2007-09-13, 02:02
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 12, 2007 6:50:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412614
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\
Scan Statistics
Total number of scanned objects 129809
Number of viruses found 9
Number of infected objects 24
Number of suspicious objects 0
Duration of the scan process 05:54:23

Infected Object Name Virus Name Last Action
C:\e490b40bdde5757579cbbee721\sp2\spmsg.dll Object is locked skipped
C:\e490b40bdde5757579cbbee721\sp2\spuninst.exe Object is locked skipped
C:\e490b40bdde5757579cbbee721\sp2\update\eula.txt Object is locked skipped
C:\e490b40bdde5757579cbbee721\sp2\update\spcustom.dll Object is locked skipped
C:\e490b40bdde5757579cbbee721\sp2\update\update.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5D.tmp Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\That size part chin\license rule.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\cert8.db Object is locked skipped
D:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\history.dat Object is locked skipped
D:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\key3.db Object is locked skipped
D:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\parent.lock Object is locked skipped
D:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\search.sqlite Object is locked skipped
D:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\Ashish\Application Data\WARNTYPEACE\Gram regs.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\Documents and Settings\Ashish\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.34d3240f.ini.inuse Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Application Data\Mozilla\Firefox\Profiles\7vled7bw.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\History\History.IE5\MSHist012007091220070913\index.dat Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Temp\bisCE.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\Documents and Settings\Ashish\Local Settings\Temp\hpodvd09.log Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Temp\~DF6391.tmp Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Documents and Settings\Ashish\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Ashish\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Ashish\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Program Files\GameSpot\logs\GameSpot_Download_Service.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006447.exe/mwsSetup.Zwinky.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006447.exe CAB: infected - 1 skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006453.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006455.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006456.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006457.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006458.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006459.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006460.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15\A0006461.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP17\A0007447.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010888.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010892.exe/file02 Infected: not-a-virus:AdWare.Win32.Lop.bo skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010892.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010892.exe Inno: infected - 2 skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010895.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010896.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010897.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010903.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010904.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26\A0010905.exe Infected: Trojan.Win32.Obfuscated.en skipped
D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP32\change.log Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
D:\WINDOWS\system32\config\OSession.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\Temp\mcafee_u178czirWgUcgzT Object is locked skipped
D:\WINDOWS\Temp\mcmsc_qbCsMQ2K0hCjG5O Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

Mr_JAk3
2007-09-17, 21:15
Hello agohel1 and sorry for the delay.

You're infected.

Please Download NoLop to your desktop from one of the links below...
Link 1 (http://www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/)
Link 3 (http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16)
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program.--

agohel1
2007-09-20, 02:23
im sorry for my delay

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: D:\Documents and Settings\Ashish\Desktop
[9/19/2007]
[6:39:51 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

D:\Documents and Settings\Administrator\Application Data\Microsoft
D:\Documents and Settings\All Users\Application Data\Adobe
D:\Documents and Settings\All Users\Application Data\Ahead
D:\Documents and Settings\All Users\Application Data\Aol
D:\Documents and Settings\All Users\Application Data\Aol Downloads
D:\Documents and Settings\All Users\Application Data\Aol Ocp
D:\Documents and Settings\All Users\Application Data\Apple
D:\Documents and Settings\All Users\Application Data\Apple Computer
D:\Documents and Settings\All Users\Application Data\Boc424
D:\Documents and Settings\All Users\Application Data\Hp
D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
D:\Documents and Settings\All Users\Application Data\Lavasoft
D:\Documents and Settings\All Users\Application Data\Mcafee
D:\Documents and Settings\All Users\Application Data\Microsoft
D:\Documents and Settings\All Users\Application Data\Microsoft Help
D:\Documents and Settings\All Users\Application Data\Sonic
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
D:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
D:\Documents and Settings\All Users\Application Data\That Size Part Chin
D:\Documents and Settings\All Users\Application Data\Viewpoint
D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
D:\Documents and Settings\All Users\Application Data\Yahoo!
D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
D:\Documents and Settings\Ashish\Application Data\Acccore
D:\Documents and Settings\Ashish\Application Data\Adobe
D:\Documents and Settings\Ashish\Application Data\Ahead
D:\Documents and Settings\Ashish\Application Data\Apple Computer
D:\Documents and Settings\Ashish\Application Data\Ati
D:\Documents and Settings\Ashish\Application Data\Avsmedia
D:\Documents and Settings\Ashish\Application Data\Getrighttogo
D:\Documents and Settings\Ashish\Application Data\Google
D:\Documents and Settings\Ashish\Application Data\Groupworld
D:\Documents and Settings\Ashish\Application Data\Help -- EMPTY Directory
D:\Documents and Settings\Ashish\Application Data\Hp
D:\Documents and Settings\Ashish\Application Data\Identities
D:\Documents and Settings\Ashish\Application Data\Ijjigame
D:\Documents and Settings\Ashish\Application Data\Installshield
D:\Documents and Settings\Ashish\Application Data\Lavasoft
D:\Documents and Settings\Ashish\Application Data\Macromedia
D:\Documents and Settings\Ashish\Application Data\Mcafee
D:\Documents and Settings\Ashish\Application Data\Microsoft
D:\Documents and Settings\Ashish\Application Data\Mozilla
D:\Documents and Settings\Ashish\Application Data\Securom
D:\Documents and Settings\Ashish\Application Data\Skaya -- EMPTY Directory
D:\Documents and Settings\Ashish\Application Data\Sun
D:\Documents and Settings\Ashish\Application Data\Teamspeak2
D:\Documents and Settings\Ashish\Application Data\Vlc
D:\Documents and Settings\Ashish\Application Data\Warntypeace
D:\Documents and Settings\Ashish\Application Data\Winpatrol
D:\Documents and Settings\Ashish\Application Data\Xfire
D:\Documents and Settings\Ashish\Application Data\Yahoo!
D:\Documents and Settings\Default User\Application Data\Microsoft
D:\Documents and Settings\Hina\Application Data\Adobe
D:\Documents and Settings\Hina\Application Data\Ati
D:\Documents and Settings\Hina\Application Data\Google
D:\Documents and Settings\Hina\Application Data\Identities
D:\Documents and Settings\Hina\Application Data\Macromedia
D:\Documents and Settings\Hina\Application Data\Microsoft
D:\Documents and Settings\Hina\Application Data\Mozilla
D:\Documents and Settings\Hina\Application Data\Yahoo!
D:\Documents and Settings\Kishore\Application Data\Adobe
D:\Documents and Settings\Kishore\Application Data\Apple Computer
D:\Documents and Settings\Kishore\Application Data\Ati
D:\Documents and Settings\Kishore\Application Data\Google
D:\Documents and Settings\Kishore\Application Data\Hp
D:\Documents and Settings\Kishore\Application Data\Identities
D:\Documents and Settings\Kishore\Application Data\Lavasoft
D:\Documents and Settings\Kishore\Application Data\Macromedia
D:\Documents and Settings\Kishore\Application Data\Microsoft
D:\Documents and Settings\Kishore\Application Data\Mozilla
D:\Documents and Settings\Kishore\Application Data\Sun
D:\Documents and Settings\Localservice\Application Data\Microsoft
D:\Documents and Settings\Networkservice\Application Data\Microsoft
D:\Documents and Settings\Pooja\Application Data\Adobe
D:\Documents and Settings\Pooja\Application Data\Ati
D:\Documents and Settings\Pooja\Application Data\Google
D:\Documents and Settings\Pooja\Application Data\Identities
D:\Documents and Settings\Pooja\Application Data\Macromedia
D:\Documents and Settings\Pooja\Application Data\Microsoft
D:\Documents and Settings\Pooja\Application Data\Mozilla
D:\Documents and Settings\Pooja\Application Data\Yahoo!


Logfile of HijackThis v1.99.1
Scan saved at 7:24:04 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\GameSpot\DownloadManager_Win32.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
D:\Program Files\McAfee.com\Agent\mcagent.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\PROGRA~1\Comodo\CBOClean\BOC424.exe
D:\Program Files\iTunesHelper.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\PnkBstrA.exe
C:\MSOffice\Office\FINDFAST.EXE
D:\WINDOWS\system32\RAMASST.exe
D:\Program Files\GameSpot\GDM_TrayApp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Ashish\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sfront.ijji.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [BOC-424] D:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: GameSpot Download Manager.lnk = D:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - D:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: DNADownloader - CNET Networks - D:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

Mr_JAk3
2007-09-20, 18:37
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Open "My Computer" and delete the following folders (if present):
D:\Documents and Settings\All Users\Application Data\That Size Part Chin
D:\Documents and Settings\Ashish\Application Data\Warntypeace

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

agohel1
2007-09-21, 23:38
hey

setup.exe;D:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;Incurable.Moved.;
Delta reservation.htm;D:\Documents and Settings\Kishore\Desktop;Win32.HLLM.Graz;Incurable.Moved.;
KLM Reservation.htm;D:\Documents and Settings\Kishore\Desktop;Win32.HLLM.Graz;Incurable.Moved.;
mcupdmgr.exe;D:\Program Files\McAfee\MSC;Probably DLOADER.Trojan;Incurable.Moved.;
A0006456.DLL;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15;Adware.Msearch;Incurable.Moved.;
A0006457.DLL;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15;Adware.Websearch;Incurable.Moved.;
A0006458.DLL;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15;Trojan.Isbar.438;Deleted.;
A0006460.DLL;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15;Adware.Funweb;Incurable.Moved.;
A0006461.SCR;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP15;Adware.Msearch;Incurable.Moved.;
A0007447.DLL;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP17;Adware.Websearch;Incurable.Moved.;
A0010888.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Packed.149;Incurable.Moved.;
A0010895.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Packed.149;Incurable.Moved.;
A0010896.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Swizzor;Deleted.;
A0010897.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Packed.149;Incurable.Moved.;
A0010903.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Packed.149;Incurable.Moved.;
A0010904.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Swizzor;Deleted.;
A0010905.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP26;Trojan.Packed.149;Incurable.Moved.;
A0016151.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP32;Probably DLOADER.Trojan;Incurable.Moved.;
A0017130.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP33;Probably DLOADER.Trojan;Incurable.Moved.;
MFEX-3.DAT;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP33\snapshot;Probably DLOADER.Trojan;Incurable.Moved.;
A0019684.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP41;Trojan.Packed.149;Incurable.Moved.;
A0019685.exe;D:\System Volume Information\_restore{7446CE2F-3AE5-4741-89ED-45242DB000CC}\RP41;Trojan.Swizzor;Deleted.;
HGStart9USA.exe;D:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;Incurable.Moved.;


Logfile of HijackThis v1.99.1
Scan saved at 4:40:15 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\GameSpot\DownloadManager_Win32.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\PROGRA~1\Comodo\CBOClean\BOC424.exe
D:\Program Files\iTunesHelper.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\MSOffice\Office\FINDFAST.EXE
D:\WINDOWS\system32\RAMASST.exe
D:\Program Files\GameSpot\GDM_TrayApp.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Ashish\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sfront.ijji.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [BOC-424] D:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: GameSpot Download Manager.lnk = D:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - D:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: DNADownloader - CNET Networks - D:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

Mr_JAk3
2007-09-22, 17:39
Looks pretty good, how is the pc running?

agohel1
2007-09-22, 17:45
its running fine, but my macafee still says that it has problems to be fixed so it says to reintall it

i need to do that

Thank You for all your help.

Mr_JAk3
2007-09-23, 12:59
Hi :)

Ok one McAfee component was quarantined during the cleaning. If you haven't yet re-installed it we may just restore this component.


You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)