PDA

View Full Version : Can't seem to get rid of Altnet



ZeldaManiac44
2007-12-06, 03:45
I ran Spybot and successfuly fixed/removed 900, yes 900 problems from my friend's PC, her's is probably the worst case of a spyware infection I've ever seen. Spybot seemed to fix all though, just one persistently resurfaces: Altnet.

There's two entries

1. HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AltnetPointsManager
2. HKLM\Software\Altnet

The first entry I've "fixed" twice. The second always returns a message that says "1 problem could not be fixed. The file may be in use [memory]. Can Spybot run at the next Startup?"

I restarted the PC and Spybot scanned as promised at Startup, before other programs could launch. It returned the same two Altnet entries (The first returned) and again the same thing occured, where SB was able to fix the first, but not the second.

I've even tried navigating to the Registry path (in RegEdit) and deleting the folder with a right-click. I get a message: "Cannot delete Altnet, Error while deleting key."

In a third scan a SurfSidekick entry resurfaced (one of the 900 I seemingly eliminated without a problem earlier). The PC seems back up to it's normal speed though, both concerning the CPU and the Internet connection. Does this mean Altnet is dormant? What's going on here, should I ingnore this until the PC slows or shows symptoms again?

It's interesting, the PC only stopped showing symptoms (slowness) after I removed AltNet through the Add/Remove Programs box in the Control Panel. I did a fourth scan just now, and Altnet is still there. It also appears in Regedit. But the PC seems ok for now. ???

ZeldaManiac44
2007-12-06, 03:55
HJT also detects traces of Altnet, in a differnt location. I highlighted it.

And I forgot to mention in the previous post, my address bar is gone. (IE) It's been replaced by a BHO, a search bar to be specific. Need2Find search bar, it redirects me to ka.search.need2find.com, at least I think that's the URL based on the properties of page elements, because without a n Address bar I can't see the URL of any page I'm surfing!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:44:53 PM, on 12/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\vypqj.exe
C:\WINDOWS\system32\uaw5wah6a.exe
C:\WINDOWS\system32\FNTS~1\wucrtupd.exe
C:\141ts.exe
C:\WINDOWS\system32\?ymbols\s?chost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\ujtnzbw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Maree\Desktop\HJ This!\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5401;update.microsoft.com;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;*mcafee.com;*.mapquest.com;*.phobos.apple.com;update.adobe.com;admin.isp.netscape.com;localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oxvof.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,asdrpgo.exe,ddjfihw.exe
O2 - BHO: BHO - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
O2 - BHO: (no name) - {03E1C68A-CC6E-4CB9-AF4E-23EC39740464} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {ffe5968f-d92f-1629-9974-34b22c72d311} - {113d27c2-2b43-4799-9261-f29df8695eff} - C:\WINDOWS\system32\ppftettw.dll
O2 - BHO: (no name) - {215972D1-9B40-4298-99B4-DF94B1114E48} - \
O2 - BHO: Internet Explorer Plugin - {42E8CF0E-948C-4FBE-B0CB-A39AD4304C28} - C:\WINDOWS\system32\PluginE.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {90DFDB3B-688A-4859-DE2B-3CE6778F58C7} - C:\WINDOWS\system32\rwq.dll
O2 - BHO: (no name) - {B5E95C0B-4AED-4858-AC85-B5587EC6AEDf} - C:\WINDOWS\system32\veimhtnv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
O2 - BHO: (no name) - {D6E1549C-1F86-4E82-9150-384E4F502E48} - C:\WINDOWS\system32\vtutt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [jvef22f2] RUNDLL32.EXE w4805cf1.dll,n 005f22ed000000034805cf1
O4 - HKLM\..\Run: [pVRV3eP] C:\WINDOWS\system32\ujtnzbw.exe
O4 - HKLM\..\Run: [sfpJk] "C:\WINDOWS\system32\ovauma1ep.exe"
O4 - HKLM\..\Run: [uaw5wah] C:\WINDOWS\system32\ujtnzbw.exe
O4 - HKLM\..\Run: [mkyibm] C:\WINDOWS\system32\bxlwxc.exe reg_run
O4 - HKLM\..\Run: C:\WINDOWS\system32\xofjfb.exe reg_run
O4 - HKLM\..\Run: [pVRV:oo] C:\WINDOWS\system32\ujtnzbw.exe
O4 - HKLM\..\Run: [uaw5waP] C:\WINDOWS\system32\ujtnzbw.exe
O4 - HKLM\..\Run: [uaw5wah6a.exe] C:\WINDOWS\system32\ujtnzbw.exe
O4 - HKLM\..\Run: [2caaf151] rundll32.exe "C:\WINDOWS\system32\eolopomc.dll",b
[B]O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\RunOnce: [SpybotDeletingA4265] command /c del "C:\Documents and Settings\Maree\Local Settings\Temp\i6A.tmp_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC210] cmd /c del "C:\Documents and Settings\Maree\Local Settings\Temp\i6A.tmp_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\FNTS~1\wucrtupd.exe" -vt yazb
O4 - HKCU\..\Run: [qmkf] C:\141ts.exe
O4 - HKCU\..\Run: [Psqs] C:\WINDOWS\system32\?ymbols\s?chost.exe
O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\system32\xofjfb.exe reg_run
O4 - HKCU\..\Run: [ihgjd] C:\WINDOWS\system32\xofjfb.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Maree\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
O18 - Protocol: maven-8110 - {26715F6A-2566-402B-8EB7-02897920D38A} - C:\Program Files\sonymovies\bin\bin-0\protocolHandler.dll
O18 - Filter hijack: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11357 bytes

Mr_JAk3
2007-12-09, 13:02
Hello ZeldaManiac44 and welcome to the Forums :)

You got a nice load of infections there...

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ZeldaManiac44
2007-12-10, 04:35
Good Day Mr. Jak3. :)

I wish I could change the title and opening post of this thread, now that I've realized Altnet is the least of my problems. I was naive to assume that just because Spybot didn't detect any other variants meant that my system was clean except for that one. Yes, Spybot has improved their definitions greatly over the years amassing many of them, but Spybot is not a panacea, no software program is.

I suppose I was in denial, thinking that since I "fixed" 900 problems with Spybot, there couldn’t possibly be any more right? Some of those same variants have returned btw, and I thought the SD Helper was supposed to block them? I need more layers of protection. I'll probably download Spyware Blaster in a bit. This PC has returned to it’s slow, stalling, lagging state of operation and it’s a big hassle just to do simple tasks, for example it takes on average 30 mins to navigate to and post on these forums.

This machine is in far worse shape then I first thought. As I said earlier this is my friend's PC, and her family members haven't been exercising enough care in what they download, they use P2P like Kazaa and Limewire, the former being especially notorious. They were trying to find music, no doubt.

There was an Anti-Virus on this person's PC the whole time and I didn't know it until I saw it enumerated in HTJ. I can understand HJT logs, and recognize most problems, but I post them here just to be sure I don't remove any vital system files. I would particularly like to know what svchost.exe is and why there are 7 running processes with that name (even now) on this machine, they use quite a bit of CPU resources, about 5Mbps.

I've already deleted the 141ts.exe entry with HJT, because norton detected that as a Trojan, it also detected a 180 solutions variant res.exe, or something. But only 3 entries total were found in Norton's scan, the subscription has expired a year or so ago, so it's not up-to-date. (I did an online Kaspersky scan and saved the report, I'll post that soon.) Other entries I've removed with HJT include the following:


C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [qmkf] C:\141ts.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe

I wanted to remove all "branding" from IE, to see if that would fix the absence of the address/URL bar, in an ironic twist, now I don't have any way to input URL or search with the Need2Find bar, since that's gone. I had to set my homepage as Google, now I access the forms by searching for "Safer Networking". This all serves to worsen the browsing experience, because everything lags, not due to lack of in connection speed, but the processor, clogged with so much malware that it’s resources are limited. (I also removed all traces of Netzero, because that‘s no longer her ISP, it‘s now Grande Communications Ltd.)

ZeldaManiac44
2007-12-10, 04:47
EDIT:

I forgot to mention this. I did download combofix.exe, and ran it with TeaTimer disabled. It's a command line program, so it ran in the DOS prompt box (I'm running WinXP HE) I didn't click in the window like you warned. The program said this.
"Scaning system for errors. This should only take 10 mins, but on a heavily infected machine this time could easily double"I let it run (with monitor off) for about 3 and a half hours. It stayed the same, displaying that message.

I ran CWShredder (Trend Micro) and it detected one variant called CWS.HiddenDLL, there was no button for "Fix" or "Remove" though, only an "Exit" button after the scan. I re-scanned and sure enough it detected CWS.HiddenDLL again.

ZeldaManiac44
2007-12-10, 05:45
Here's the Kaspersky log report, I removed all Spybot, HJT backups, Norton Quarentines etc. And I tried to embolden almost all the Infected entries (Except where there were several in a group, and I only embolden the first entry of that group). I hope it all helps make the log easier to read.

FYI, I downloaded VundoFix 6.7.0 (http://www.atribune.org/ccount/click.php?id=4) and am running a scan at this very moment.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 08, 2007 11:05:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/12/2007
Kaspersky Anti-Virus database records: 477154
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 74991
Number of viruses found: 128
Number of infected objects: 434
Number of suspicious objects: 4
Duration of the scan process: 03:24:07

Infected Object Name / Virus Name / Last Action
C:\ac3_0003.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\ccc222138.hta Infected: Trojan-Dropper.VBS.Inor.cn skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7497071f69cf00c7a3d509346a9b45d0_5880a8d3-04ad-45ed-aa25-78ac326cb208 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_5880a8d3-04ad-45ed-aa25-78ac326cb208 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\Instant-Access.exe Infected: Trojan.Win32.Dialer.eg skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}res36.tmp[/B] Infected: not-a-virus:AdWare.Win32.180Solutions.az skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}res3D.tmp/clientax.dll{/B} Infected: not-a-virus:AdWare.Win32.180Solutions.k skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}res3D.tmp{/B} CAB: infected - 1 skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}res3F.tmp{/B} Infected: not-a-virus:AdWare.Win32.180Solutions.k skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}resAE.tmp{/B} Infected: not-a-virus:AdWare.Win32.180Solutions.az skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}resB5.tmp/clientax.dll{/B} Infected: not-a-virus:AdWare.Win32.180Solutions.k skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\{B}resB5.tmp{/B} CAB: infected - 1 skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\Zango\AirHockey\{B}InstallerShell.exe{/B} Infected: not-a-virus:AdWare.Win32.180Solutions.az skipped
C:\Documents and Settings\Antonio!\Local Settings\Temp\Zango\messenger\{B}InstallerShell.exe{/B} Infected: not-a-virus:AdWare.Win32.180Solutions.az skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Maree\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\History\History.IE5\MSHist012007120820071209\index.dat Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\Temp\{B}!update.exe{/B} Infected: Trojan-Downloader.Win32.PurityScan.ek skipped
C:\Documents and Settings\Maree\Local Settings\Temp\Perflib_Perfdata_fa0.dat Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\Temporary Internet Files\Content.IE5\0A5FANCA\!update-4300[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ek skipped
C:\Documents and Settings\Maree\Local Settings\Temporary Internet Files\Content.IE5\8POR8BS3\UserStatusChange[2].html Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\Temporary Internet Files\Content.IE5\GYPHRVME\{B}ptch[1]{/B} Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\Documents and Settings\Maree\Local Settings\Temporary Internet Files\Content.IE5\HUZEWLPH\{B}!update-4395[1].0000{/B} Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\Documents and Settings\Maree\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Maree\Local Settings\Temporary Internet Files\Content.IE5\LFAGWQJ4\{B}hctp[1]{/B} Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\Maree\ntuser.dat Object is locked skipped
C:\Documents and Settings\Maree\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\BigFix\__Data\__Global\Logs\20071207.log Object is locked skipped
C:\Program Files\Common Files\ljllrlbc\alnhlrre\daltcrnp.exe {B}Infected{/B}: not-a-virus:AdWare.Win32.Gator.a skipped
C:\Program Files\Common Files\ljllrlbc\lprhnafanl\lclrcjtll.exe {B}Infected{/B}: not-a-virus:AdWare.Win32.Gator.a skipped
C:\Program Files\InstallShield Installation Information\{68D5CEF9-0DA8-47FE-B0EB-4CBFB5AAF662}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{6C651250-2EB2-11D5-8E33-0050DAD72AC2}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{D1B3874F-3057-11D6-B2EA-0050BA18806B}\setup.ilg Object is locked skipped
C:\Program Files\Livestream\Livestream.exe {B}Infected{/B}: Trojan.Win32.Dialer.eg skipped
C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL {B}Infected{/B}: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL {B}Infected{/B}: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL {B}Infected{/B}: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 {B}Infected{/B}: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Program Files\Outerinfo\OiUninstaller.exe/data0003 {B}Infected{/B}: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 2 skipped
C:\Program Files\Real\RealPlayer\118.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\120.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\155.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\220.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\33.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\52.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\72.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\73.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\pref.gd Object is locked skipped
C:\Program Files\SB\Smart-Browser\BHO.0.1.0.155.dll Infected: not-a-virus:AdWare.Win32.Thingies skipped
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.k skipped
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe CAB: infected - 1 skippedC:\RECYCLER\S-1-5-21-2224273674-2354059487-8045495-1009\Dc9.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP850\A0423562.exe Infected: Trojan-Downloader.Win32.PurityScan.cx skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP850\change.log Object is locked skipped
C:\VSL.dl_ {B}Infected{/B}: Trojan-Downloader.Win32.Small.ctp skipped
C:\w77uxb8v9.exe {B}Infected{/B}: Trojan-Downloader.Win32.Agent.ala skipped
C:\WINDOWS\bak\ofmdcn.exe {B}Infected{/B}: not-a-virus:AdWare.Win32.180Solutions.ae skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\cpc.dll {B}Infected{/B}: not-a-virus:AdWare.Win32.Virtumonde.dq skipped
C:\WINDOWS\system32\aoqvfesp.dll {B}Infected{/B}: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\bak\fmotewpv.exe {B}Infected{/B}: not-a-virus:AdWare.Win32.HotBar.bq skipped
C:\WINDOWS\system32\bak\requester.12.exe {B}Infected{/B}: Trojan-Proxy.Win32.Delf.h skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\System Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dhtmlexe.exe {B}Infected{/B}: Trojan.Win32.Dialer.eg skipped
C:\WINDOWS\system32\drei.exe {B}Infected{/B}: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32\eltnq.dat {B}Infected{/B}: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\system32\fjnhiuwn.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\WINDOWS\system32\fmotewpv.exe Infected: not-a-virus:AdWare.Win32.HotBar.bw skipped
C:\WINDOWS\system32\Fοnts\wucrtupd.exe Infected: Trojan-Downloader.Win32.PurityScan.ek skipped
C:\WINDOWS\system32\gabhawwx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aku skipped
C:\WINDOWS\system32\gugpkjcn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\gwtohoir.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bkm skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hytvrsud.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\WINDOWS\system32\iynsecvv.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\WINDOWS\system32\jpxfesiw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\kkygwmqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aku skipped
C:\WINDOWS\system32\lkyaekrrr.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\lqe2z.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\lxhzvhku.exe/data0006/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\WINDOWS\system32\lxhzvhku.exe/data0006/data0003 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\WINDOWS\system32\lxhzvhku.exe/data0006/data0004 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\WINDOWS\system32\lxhzvhku.exe/data0006 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\WINDOWS\system32\lxhzvhku.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\mljjg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\mllml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\mscornet.exe Infected: Trojan-Downloader.Win32.Zlob.aq skipped
C:\WINDOWS\system32\oejdhmyb.dll Infected: Trojan.Win32.BHO.rd skipped
C:\WINDOWS\system32\ovauma1ep.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\pi2pl.exe Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\system32\PluginE.dll Infected: not-a-virus:AdWare.Win32.Domhel.b skipped
C:\WINDOWS\system32\ppftettw.dll {B}Infected{/B}: Trojan.Win32.BHO.zo skipped
C:\WINDOWS\system32\pribhhbb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\WINDOWS\system32\pvbcjxbi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bkm skipped
C:\WINDOWS\system32\qxwgsawq.dll Infected: Trojan.Win32.BHO.zo skipped
C:\WINDOWS\system32\qyhttpwg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aku skipped
C:\WINDOWS\system32\requester.11.exe Infected: Trojan-Proxy.Win32.Delf.h skipped
C:\WINDOWS\system32\rhyjoucg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bkm skipped
C:\WINDOWS\system32\rwq.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\WINDOWS\system32\ssttt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\tngxhafw.dll {B}Infected{/B}: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\WINDOWS\system32\uaw5wah6a.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.j skipped
C:\WINDOWS\system32\utljambh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\veimhtnv.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\WINDOWS\system32\vtsqp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\vypqj.exe Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32dP8E:ooF:$DATA {B}Infected{/B}: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32drei:ooF:$DATA Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32drei.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32drei.ooF Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32eP8E:ooF:$DATA Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32eP8E:ooFe:$DATA Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\system32eP8E:ooFo:$DATA Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\system32eP8E:ooFo=YmY:$DATA Infected: not-a-virus:AdWare.Win32.SearchAssistant.j skipped
C:\WINDOWS\system32uaw5:ooFo=YmY:$DATA Infected: not-a-virus:AdWare.Win32.SearchAssistant.j skipped
C:\WINDOWS\system32uaw5wah6a.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.j skipped
C:\WINDOWS\system32uaw5wah6o=YmY Infected: not-a-virus:AdWare.Win32.SearchAssistant.j skipped
C:\WINDOWS\system32uaw5wooFo=YmY Infected: not-a-virus:AdWare.Win32.SearchAssistant.j skipped
C:\WINDOWS\system32vypqj.eFo Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\system32vypqj.exe Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Mr_JAk3
2007-12-10, 20:31
Hi :)

Okay you still have a nice load of pests there....

We'll try how ComboFix works in safe mode then.

Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".


Now try running ComboFix. If the scan takes long again, abort and let me know. If it works, reboot to normal mode and post the log to here :bigthumb:

ZeldaManiac44
2007-12-10, 23:05
First of all thank you for taking out the time to help me. :)

We seem to think alike, I'd already ran ComboFix in Safe Mode before I'd read this reply. It was inturrupted by Norton AV warning that ComboFix was a malicious script, I selected "Authorize" the script from the drop-down and then ComboFix ran well, stating it completed steps 1, 2, 3, etc. Then it rebooted the machine. I selected Safe Mode with Networking from the Boot Menu (F8) And ComboFix launched at Startup (after login). I'm currently accessing the forums in this same mode.

Okay, then I had troubled finding the logfile. ComboFix created a catchme zip folder on the Desktop, but no logfile. I navigated to C:\ComboFix\ and found a ComboFix.txt file, but it seems to be incomplete?


ComboFix 07-12-09.1 - Maree 2007-12-10 14:27:11.2 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\All Users\Start Menu\Programs\Anti-Spyware\ComboFix.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\evekvja.dll

Mr_JAk3
2007-12-11, 21:38
Hi :) Ok you could check that there is no ComboFix log (ComboFix.txt or ComboFix2.txt similar) in directly on C:\ or C:\Documents and Settings\All Users\Start Menu\Programs\Anti-Spyware

Post a fresh HijacKThis log too :bigthumb: