Virtumonde help



penarestel
2008-03-25, 22:46
I ran a Spybot scan and it came up with Virtumonde and told me to come here for help with removal.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:31 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\mk9900.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\yctsszvx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jared\Desktop\penarestel.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CHotKey] mk9900.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [yctsszvx] C:\WINDOWS\system32\yctsszvx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [xbACphSP6l] C:\WINDOWS\hezwxmdg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181696401410
O21 - SSODL: WinRunOnce - {0ec3af4c-767c-4f68-925f-0facabf32d38} - C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6030 bytes

Kaspersky Online log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 25, 2008 5:43:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/03/2008
Kaspersky Anti-Virus database records: 663071
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 82924
Number of viruses found: 8
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 01:28:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\history.dat Object is locked skipped
C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\key3.db Object is locked skipped
C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jared\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\History\History.IE5\MSHist012008032520080326\index.dat Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Temp\aupd.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Agent.yr skipped
C:\Documents and Settings\Jared\Local Settings\Temp\aupd.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.pm skipped
C:\Documents and Settings\Jared\Local Settings\Temp\aupd.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.pm skipped
C:\Documents and Settings\Jared\Local Settings\Temp\aupd.exe NSIS: infected - 3 skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmp7BF.tmp.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.abm skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmp7BF.tmp.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.abm skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmp7BF.tmp.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmpC9.tmp.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.aos skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmpC9.tmp.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.aos skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmpC9.tmp.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmpE1E.tmp.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmpE1E.tmp.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Documents and Settings\Jared\Local Settings\Temp\tmpE1E.tmp.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Jared\Local Settings\Temp\~DFAA9.tmp Object is locked skipped
C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jared\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jared\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BOINC\stderrdae.txt Object is locked skipped
C:\Program Files\BOINC\stderrgui.txt Object is locked skipped
C:\Program Files\BOINC\stdoutdae.txt Object is locked skipped
C:\Program Files\BOINC\stdoutgui.txt Object is locked skipped
C:\Program Files\PrepLogic\31\10669\patch_preplogic_v3.1.exe Infected: Trojan-PSW.Win32.OnLineGames.fyn skipped
C:\Program Files\PrepLogic\31\10669\patch_preplogic_v3.1_updates.exe Infected: Trojan-PSW.Win32.OnLineGames.fyn skipped
C:\Program Files\PrepLogic\31\10701\patch_preplogic_v3.1.exe Infected: Trojan-PSW.Win32.OnLineGames.fyn skipped
C:\Program Files\PrepLogic\31\10701\patch_preplogic_v3.1_updates.exe Infected: Trojan-PSW.Win32.OnLineGames.fyn skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\0001000D.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP162\A0015058.dll Infected: not-a-virus:AdWare.Win32.BHO.pm skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP290\A0037227.exe/data0000.cab/server.exe Infected: Trojan.Win32.Midgare.vr skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP290\A0037227.exe/data0000.cab Infected: Trojan.Win32.Midgare.vr skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP290\A0037227.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP300\A0037912.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP300\A0037921.dll Object is locked skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP301\A0038882.exe Object is locked skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP302\A0041887.exe Object is locked skipped
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP303\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.


Thank you in advance for your help.

ken545
2008-03-26, 12:14
Hello penarestel

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



You do have a few things going on. First, I see you renamed HJT and that's fine, but I need you to move it off the desktop and into its own folder, so create a folder in C:\Program Files and name it Hijackthis, then Cut it from where you currently have it installed and Paste it into the new folder.


Run these programs in the order listed please. I need to see the report for each program, and after you run the last program (Combofix) post a new HJT log.



Do this first so it won't interfere with the fix.
Download Reset Tea Timer (http://downloads.subratam.org/ResetTeaTimer.bat) to your desktop; you need to use Internet Explorer. Double-click it to run; it just takes a sec.
REBOOT YOUR COMPUTER



Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.





Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.







Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running Combofix.
If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

3. Now double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

This is what I need:
1. Vundofix log
2. Malwarebytes log
3. Combofix log
4. New HJT log

penarestel
2008-03-27, 05:27
Did all exactly as you requested and here are the results.

VundoFix V7.0.3

Scan started at 11:37:21 PM 3/26/2008

Listing files found while scanning....

No infected files were found.

Malwarebytes' Anti-Malware 1.09
Database version: 552

Scan type: Quick Scan
Objects scanned: 30034
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38} (Trojan.Alphabet) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

ComboFix 08-03-25.4 - Jared 2008-03-27 0:18:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.442 [GMT -4:00]
Running from: C:\Documents and Settings\Jared\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat
-- Script messages for sUBs --
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"
GREP -Eisf temp00
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jared\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 00:08 . 2008-03-27 00:08 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\Malwarebytes
2008-03-27 00:07 . 2008-03-27 00:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 00:07 . 2008-03-27 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-26 23:37 . 2008-03-26 23:37 <DIR> d-------- C:\VundoFix Backups
2008-03-25 15:38 . 2008-03-25 15:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 15:38 . 2008-03-25 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 00:23 . 2008-03-25 00:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-24 20:31 . 2008-03-24 20:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-24 18:23 . 2008-03-24 18:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-24 18:19 . 2008-03-24 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-23 12:48 . 2008-03-23 12:48 102,400 --a------ C:\WINDOWS\system32\yctsszvx.exe
2008-03-22 13:48 . 2008-03-22 13:48 <DIR> d-------- C:\Program Files\Paradox Interactive
2008-03-22 02:21 . 2008-03-22 02:21 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2008-03-22 01:46 . 2008-03-22 01:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-22 01:46 . 2008-03-22 01:46 2,541 --a------ C:\WINDOWS\unins000.dat
2008-03-21 21:59 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-03-21 20:42 . 2008-03-21 20:42 <DIR> d-------- C:\Program Files\Valve
2008-03-13 23:55 . 2008-03-13 23:55 <DIR> d-------- C:\Program Files\PrepLogic
2008-03-13 23:55 . 2008-03-13 23:55 <DIR> d-------- C:\Documents and Settings\Jared\Application Data\PrepLogic
2008-03-13 19:01 . 2008-03-13 20:19 <DIR> d-------- C:\Program Files\Strategy First
2008-02-27 17:30 . 2008-02-27 17:30 <DIR> d-------- C:\Program Files\iPod
2008-02-27 17:30 . 2008-03-26 23:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 17:30 . 2008-02-27 17:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-27 17:29 . 2008-02-27 17:30 <DIR> d-------- C:\Program Files\iTunes
2008-02-27 17:27 . 2008-02-27 17:28 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 03:53 --------- d-----w C:\Program Files\BOINC
2008-03-27 00:24 --------- d-----w C:\Documents and Settings\Jared\Application Data\AVG7
2008-03-25 04:23 --------- d-----w C:\Documents and Settings\Jared\Application Data\Lavasoft
2008-03-22 17:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 14:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-22 04:22 --------- d-----w C:\Documents and Settings\Jared\Application Data\LimeWire
2008-03-22 02:54 --------- d-----w C:\Program Files\Electronic Arts
2008-03-10 04:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-09 15:32 --------- d-----w C:\Program Files\Java
2008-03-04 00:21 --------- d-----w C:\Documents and Settings\Jared\Application Data\Vso
2008-02-23 23:03 --------- d-----w C:\Documents and Settings\Jared\Application Data\Audacity
2008-02-20 04:55 --------- d-----w C:\Program Files\JetAudio
2008-02-20 04:41 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-06 05:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 05:25 20,856 ----a-w C:\Documents and Settings\Jared\Application Data\GDIPFONTCACHEV1.DAT
2007-08-15 22:12 349 ----a-w C:\Program Files\INSTALL.LOG
2007-07-02 02:55 47,360 ----a-w C:\Documents and Settings\Jared\Application Data\pcouffin.sys
2003-12-18 15:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 11:46 10,960 ----a-w C:\Program Files\EULA.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-30 14:11 3497984]
"Steam"="C:\Program Files\Valve\Steam\Steam.exe" [2008-03-21 22:23 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-19 16:35 579072]
"CHotKey"="mk9900.exe" [1999-04-22 18:00 520192 C:\WINDOWS\MK9900.exe]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 00:35 429568]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 17:10 57344]
"P17Helper"="P17.dll" [2005-05-02 23:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [1999-10-10 05:00 41984]
"yctsszvx"="C:\WINDOWS\system32\yctsszvx.exe" [2008-03-23 12:48 102400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 16:29 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"xbACphSP6l"= C:\WINDOWS\hezwxmdg.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinRunOnce"= {0ec3af4c-767c-4f68-925f-0facabf32d38} - C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Strategy First\\Uplink\\uplink.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 11:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{faae3242-1915-11dc-9fc7-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 18:50:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-22 18:39:33 C:\WINDOWS\Tasks\dfrg.job"
- C:\WINDOWS\system32\dfrg.msc
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 00:20:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-27 0:21:10
ComboFix-quarantined-files.txt 2008-03-27 04:20:56

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:10 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\mk9900.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\yctsszvx.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\penarestel.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CHotKey] mk9900.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [yctsszvx] C:\WINDOWS\system32\yctsszvx.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [xbACphSP6l] C:\WINDOWS\hezwxmdg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181696401410
O21 - SSODL: WinRunOnce - {0ec3af4c-767c-4f68-925f-0facabf32d38} - C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6013 bytes

ken545
2008-03-27, 10:06
Good Morning,

You may still have some of the Zlob family of trojans installed; let's do this.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download and install AVG Anti-Spyware Free (http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0) to your desktop.

Once you have downloaded AVG Anti-Spyware Free, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon Update, then select the Update now link.
Next select the Start Update button; the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
Under Reports:
Select Automatically generate report after every scan
Un-select Only if threats were found
Close AVG Anti-Spyware Free <-- Do not run the scan yet.

Boot your computer into Safe Mode

Go to Start > Shut Off your Computer > Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly.
This will bring up a menu.
Use the Up and Down arrow keys to scroll up to Safe Mode.
Then press Enter on your keyboard.

Tutorial if you need it: How to boot into Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
A text file will appear onscreen with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab, then click on Complete System Scan.
AVG will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select Apply all actions.
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system.
Make sure to remember where you saved that file; this is important.
Close AVG Anti-Spyware Free.
IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.

Reboot normally.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.

Post the log from SmitfraudFix, the AVG Anti-Spyware log and a new HJT log, please.

penarestel
2008-03-28, 06:49
I'm back and bringing fresh logs with me.

Here you go.

SmitFraudFix v2.309

Scan done at 0:27:33.70, Fri 03/28/2008
Run from C:\Documents and Settings\Jared\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

I took out this list as it was the entire hosts file and would take 20 pages to post all of it.

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

penarestel
2008-03-28, 06:52
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:50 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\mk9900.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\yctsszvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Hijackthis\penarestel.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CHotKey] mk9900.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [yctsszvx] C:\WINDOWS\system32\yctsszvx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [xbACphSP6l] C:\WINDOWS\hezwxmdg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181696401410
O21 - SSODL: WinRunOnce - {0ec3af4c-767c-4f68-925f-0facabf32d38} - C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6177 bytes


The forums don't seem to like the length of my AVG Anti-Spyware report. Is there another way you'd like me to get this to you?

ken545
2008-03-28, 12:47
This forum's capacity for posting logs is small, so you can break it up and reply 2 or 3 times if you need to. I am looking over your logs but will wait for the AVG log before we proceed.

Ken

penarestel
2008-04-01, 15:26
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:17:29 AM 3/28/2008

+ Scan result:



C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP300\A0037912.exe -> Downloader.Small.ivo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3EE4B93F-AA93-4CBA-BFF9-F9EEADBC622A}\RP162\A0015058.dll -> Not-A-Virus.Adware.BHO : Ignored.
:mozilla.17:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.100:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.101:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.102:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.103:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.105:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.106:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.107:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.108:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.109:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.110:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.111:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.112:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.113:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.114:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.115:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.116:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.280:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.350:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.78:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.79:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.83:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.87:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.88:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.89:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.90:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.93:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.94:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.96:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.97:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.98:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.99:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.124:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.7search : Cleaned.
:mozilla.125:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.7search : Cleaned.
:mozilla.143:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.144:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.145:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.156:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.45:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.46:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.47:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.48:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.49:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.703:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adition : Cleaned.
:mozilla.704:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adition : Cleaned.
:mozilla.772:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.773:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.774:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.174:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.219:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.819:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.706:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.260:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.261:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.270:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.271:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.272:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.150:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.151:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.152:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.336:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.337:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.711:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.712:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.825:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.826:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.827:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.780:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.426:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.70:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.603:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.160:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.161:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.162:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.163:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.164:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.165:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.166:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.167:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.168:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.169:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.170:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

penarestel
2008-04-01, 15:27
:mozilla.543:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.544:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.545:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.18:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.19:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.20:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.21:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.22:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.23:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.24:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.25:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.26:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.27:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.29:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.30:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.550:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.551:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.552:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.553:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.554:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.555:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.556:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.557:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.558:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.559:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.560:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.561:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.562:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.563:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.564:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.715:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.72:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Safer-networking : Cleaned.
:mozilla.233:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.578:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.579:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.580:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.581:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.582:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.583:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.616:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.617:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.618:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.619:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.716:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.717:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Jared\Cookies\jared@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.630:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.631:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.632:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.633:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.634:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.635:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.636:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.637:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.638:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.639:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.640:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.644:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.645:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.646:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.647:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.760:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.688:C:\Documents and Settings\Jared\Application Data\Mozilla\Firefox\Profiles\n9p67ybn.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
C:\Program Files\PrepLogic\31\10669\patch_preplogic_v3.1.exe -> Trojan.OnLineGames.fyn : Cleaned with backup (quarantined).
C:\Program Files\PrepLogic\31\10669\patch_preplogic_v3.1_updates.exe -> Trojan.OnLineGames.fyn : Cleaned with backup (quarantined).
C:\Program Files\PrepLogic\31\10701\patch_preplogic_v3.1.exe -> Trojan.OnLineGames.fyn : Cleaned with backup (quarantined).
C:\Program Files\PrepLogic\31\10701\patch_preplogic_v3.1_updates.exe -> Trojan.OnLineGames.fyn : Cleaned with backup (quarantined).


::Report end

Sorry that took so long, my internet has been out for a few days.

ken545
2008-04-01, 18:34
Hello,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [yctsszvx] C:\WINDOWS\system32\yctsszvx.exe
O4 - HKLM\..\Policies\Explorer\Run: [xbACphSP6l] C:\WINDOWS\hezwxmdg.exe

O21 - SSODL: WinRunOnce - {0ec3af4c-767c-4f68-925f-0facabf32d38} - C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll (file missing)



Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\yctsszvx.exe
C:\WINDOWS\hezwxmdg.exe
C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Post the OTMoveIt log and a new HJT log, please.
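
A small triage script for the kind of O4/O21 lines singled out above, added here as an illustration; it is not part of the thread and not a HijackThis feature. The sample lines are copied from the logs in this thread, and the flagging rules (autostarts under Policies\Explorer\Run, 8-letter lowercase names dropped straight into the Windows directories, SSODL entries whose DLL is missing) are assumed heuristics for this example, not vendor rules.

```python
"""Triage helper for HijackThis O4/O21 lines (added example, not from the thread).

The heuristics below are assumptions chosen to match the entries the helper
flagged in this thread; they are a starting point for review, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 autostart lines: "O4 - <location>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O21 ShellServiceObjectDelayLoad lines, with an optional "(file missing)" tail.
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# First path-like token of a Run value: optionally quoted, ending in .exe/.dll.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll))"?(?:\s|$)', re.IGNORECASE)
# Directories where a random 8-letter executable name is worth a second look.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [yctsszvx] C:\WINDOWS\system32\yctsszvx.exe
O4 - HKLM\..\Policies\Explorer\Run: [xbACphSP6l] C:\WINDOWS\hezwxmdg.exe
O4 - HKLM\..\Run: [CHotKey] mk9900.exe
O21 - SSODL: WinRunOnce - {0ec3af4c-767c-4f68-925f-0facabf32d38} - C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll (file missing)
""".strip()


@dataclass
class Finding:
    line: str
    reason: str


def _split_path(path: str):
    """Return (directory lowercased, file stem) of a Windows path."""
    directory, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return directory.lower(), stem


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HJT line; None means nothing stood out."""
    m = O4_RE.match(line)
    if m:
        location, cmd = m.group("location"), m.group("cmd")
        # Legitimate software almost never registers under Policies\Explorer\Run.
        if "policies\\explorer\\run" in location.lower():
            return Finding(line, "autostart under Policies\\Explorer\\Run")
        pm = PATH_RE.match(cmd)
        if pm:
            directory, stem = _split_path(pm.group("path"))
            if directory in WINDOWS_DIRS and re.fullmatch(r"[a-z]{8}", stem):
                return Finding(line, "random-looking 8-letter name in a Windows directory")
        return None
    m = O21_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding(line, "SSODL entry whose DLL is missing")
        if "\\installer\\{" in m.group("path").lower():
            return Finding(line, "SSODL DLL placed under an Installer GUID folder")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HJT log."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]
```

Running `triage_log(SAMPLE_HJT)` returns exactly the three entries the helper asked to have fixed and leaves the Java, AVG and CHotKey lines alone.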

penarestel
2008-04-01, 19:21
C:\WINDOWS\system32\yctsszvx.exe moved successfully.
File/Folder C:\WINDOWS\hezwxmdg.exe not found.
File/Folder C:\WINDOWS\Installer\{0ec3af4c-767c-4f68-925f-0facabf32d38}\WinRunOnce.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04012008_131653



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:52 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\mk9900.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\penarestel.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CHotKey] mk9900.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181696401410
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5824 bytes

ken545
2008-04-01, 19:43
Looks good. How are things running now?

penarestel
2008-04-01, 20:10
So far, so good.
The fake alert box is gone from the task bar and so far no more pop ups.

Thanks a bunch.

ken545
2008-04-01, 23:42
That's great, give yourself a pat on the back for following all my instructions.


Time for some housekeeping

Click START then RUN
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.


Let's install some free programs to help keep this garbage from installing in the future.



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.13 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Glad we could help

Safe Surfn
Ken