Coolwwwsearch.searchklick and Windows security center



willbill48
2006-06-08, 21:17
Spybot S&D consistently picks up coolwwwsearch.searchklick and cannot remove it. I have run it in safe mode and it still comes up.

In addition, my computer clock has changed (it now says 14:15 pm), there is a program called Weather which I did not install, and a program called Windows Security Center which constantly says I am infected, which I think is a virus itself.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:38 PM, on 6/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sys02542496502-1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\defender19a.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\sys11-1542496502.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\win32102-154249650.exe
C:\WINDOWS\ms0696502-15424.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\System32\043fa694.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\dxvwewfi.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\Weather\Weather.exe
C:\WINDOWS\system32\swinsqag.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Finale 2005\AIOLib.exe
C:\WINDOWS\System32\dxvwybft.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\dxvwvldf.exe
C:\WINDOWS\System32\dxvwzsym.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rover-host.com/infected.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [sys02542496502-1] C:\WINDOWS\sys02542496502-1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [sys11-1542496502] C:\WINDOWS\sys11-1542496502.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [win32102-154249650] C:\WINDOWS\win32102-154249650.exe
O4 - HKLM\..\Run: [ms0696502-15424] C:\WINDOWS\ms0696502-15424.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwzsym.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000118.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\dsysiz.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ksdusl.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwewfi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
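The log above is what the helpers read by eye: autostart entries with machine-generated names dropped straight into C:\WINDOWS, a second program chained onto UserInit, a Winlogon Notify DLL, an SSODL entry and adware domains in the IE Trusted Zone. The Python below is an added example, not HijackThis code and not something posted in this thread: it parses a log in the HijackThis 1.99 format and flags those entry types. The heuristics (random-looking names, executables in the Windows root, system-binary names outside system32) are the example's own rules, and the embedded sample is an excerpt of the log above.

```python
"""Triage a HijackThis 1.99.x log: pull out the entries worth a second look.

Added example for this thread; not HijackThis code and not posted by the
helpers.  The rules below are this example's own heuristics, and SAMPLE_LOG
is an excerpt of the first log posted in the thread.
"""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason line")

# Excerpt of the first HijackThis log in the thread; two clean entries
# (iTunesHelper, iPodService) are kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rover-host.com/infected.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sys02542496502-1] C:\WINDOWS\sys02542496502-1.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwewfi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# First .exe on the line: a drive-letter path (may contain spaces) or a bare name.
EXE_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)|(\S+\.exe)", re.IGNORECASE)
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "smss.exe", "userinit.exe"}
SYSTEM_DIR = r"c:\windows\system32"
WINDIR = r"c:\windows"


def looks_random(stem):
    """Heuristic for machine-generated names: digit-heavy, or a run of five
    or more consonants (cfgmngr32, dxvwzsym) rarely seen in product names."""
    if stem and sum(c.isdigit() for c in stem) / len(stem) >= 0.4:
        return True
    run = longest = 0
    for c in stem.lower():
        if c.isalpha():
            run = 0 if c in "aeiou" else run + 1
            longest = max(longest, run)
    return longest >= 5


def check_o4(body):
    """Classify one O4 (Run key / Startup folder) entry, or None if it looks clean."""
    m = EXE_RE.search(body)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    if name in SYSTEM_NAMES and folder != SYSTEM_DIR:
        return ("high", "system binary name outside system32")
    if folder == WINDIR:
        return ("medium", "autostart executable dropped in the Windows root")
    if looks_random(ntpath.splitext(name)[0]):
        return ("medium", "random-looking executable name")
    return None


def triage(log_text):
    """Return Findings for every entry that deserves review, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        hit = None
        if kind == "F2":
            # A clean UserInit ends in "userinit.exe,"; anything after the comma also runs at logon.
            if body.lower().partition("userinit.exe,")[2].strip():
                hit = ("high", "extra program chained after userinit.exe")
        elif kind == "O20":
            hit = ("high", "Winlogon Notify DLL loaded into winlogon.exe")
        elif kind == "O21":
            hit = ("high", "ShellServiceObjectDelayLoad entry loaded by Explorer")
        elif kind == "O15":
            hit = ("medium", "domain added to the IE Trusted Zone")
        elif kind in ("R0", "R1"):
            hit = ("medium", "browser start/search page changed (confirm it is the user's choice)")
        elif kind == "O4":
            hit = check_o4(body)
        if hit:
            findings.append(Finding(hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run it as-is to print the findings for the excerpt, or call `triage()` on the text of a saved log. The name heuristics are a prompt for review rather than a verdict: a clean entry such as iTunesHelper produces no finding, while the F2, O20 and O21 lines are reported unconditionally because those keys run code at logon or inside Explorer and are almost never touched by legitimate software on an XP desktop.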

Rawe
2006-06-10, 11:56
Holy cow, what a collection :blink:

We'll need to do this step by step.

1) Please download win32delfkil.exe by Marckie (http://users.telenet.be/marcvn/tools/win32delfkil.exe):
Save it on your desktop.
Double-click on win32delfkil.exe and install it.
A new folder should be created to your desktop named win32delfkil.
Close ALL open windows, open the win32delfkil folder and double-click on fix.bat.
The computer will reboot automatically.
Post the contents of the c:\windelf.txt log in your next reply.

==

2) Please download Look2Me-Destroyer (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HijackThis log as well as the contents of the c:\windelf.txt log. :)
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

willbill48
2006-06-12, 17:51
Here's the windelf log:

************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
g219545.dll

File(s) found in system32 folder
--------------------------------
cfgmngr32.dll

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{B29BE267-3A64-4F7E-8A57-75FB5E900503}"="Windows Updater"


sharedtaskkey: B29BE267-3A64-4F7E-8A57-75FB5E900503
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}\InprocServer32]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"



Notify key
----------
subkey cfgmngr32 is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------
g219545.dll

File(s) found in system32 folder
--------------------------------
cfgmngr32.dll

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{B29BE267-3A64-4F7E-8A57-75FB5E900503}"="Windows Updater"


sharedtaskkey: B29BE267-3A64-4F7E-8A57-75FB5E900503
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}\InprocServer32]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"



Notify key
----------
subkey cfgmngr32 is present!

And the Look2Me log:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/12/2006 10:32:02 AM

Infected! C:\WINDOWS\system32\ksdusl.dll

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C6E702DC-75DC-4371-801F-4CC7D4D49759}"
HKCR\Clsid\{C6E702DC-75DC-4371-801F-4CC7D4D49759}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1321F937-F548-456C-84FF-9590C406C9CC}"
HKCR\Clsid\{1321F937-F548-456C-84FF-9590C406C9CC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{78821E96-D2EF-4F44-A431-A4A17582B704}"
HKCR\Clsid\{78821E96-D2EF-4F44-A431-A4A17582B704}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Finally, here's the newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:54 AM, on 6/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\043fa694.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Weather\Weather.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000118.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinsqez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dsysiz.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

Before doing all of this I read through the SmitFraud fix sticky you guys have up on here and did that, and that also seemed to help out my computer a bit.

Anyway, thank you.
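The windelf.txt log in this post exports the SharedTaskScheduler key, resolves the one CLSID win32delfkil does not recognise to its InprocServer32 DLL, and prints identical BEFORE and AFTER sections, which is how the next reply concludes that the fix did not take. The Python below is an added example, not part of win32delfkil and not posted by either participant: it parses those REGEDIT4 fragments, maps every SharedTaskScheduler CLSID to the DLL Explorer will load through COM, reports anything outside a two-entry allowlist of the stock Windows XP entries (the allowlist is this example's assumption), and compares the two sections to decide whether the cleanup succeeded. The embedded sample is the registry portion of the log above, reused for both sections because the posted log had the same content in each.

```python
"""Check a win32delfkil (windelf.txt) log: which SharedTaskScheduler entry is
foreign, which DLL it loads, and whether the BEFORE/AFTER sections differ.

Added example for this thread; not part of win32delfkil and not posted by
anyone in it.  KNOWN_SHARED_TASKS is an assumed allowlist of the two stock
Windows XP entries; everything else under that key is reported.
"""
import re

# Registry portion of the windelf.txt log posted above.  The posted log had
# identical content in its BEFORE and AFTER sections, so one copy serves both.
_REG_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{B29BE267-3A64-4F7E-8A57-75FB5E900503}"="Windows Updater"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}\InprocServer32]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"

Notify key
----------
subkey cfgmngr32 is present!
"""
SAMPLE_WINDELF = ("BEFORE RUNNING WIN32DELFKIL\n" + _REG_DUMP
                  + "\nAFTER RUNNING WIN32DELFKIL\n" + _REG_DUMP)

# Assumed allowlist: the two SharedTaskScheduler entries a stock XP install has.
KNOWN_SHARED_TASKS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}
SHARED_TASK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
                   r"\EXPLORER\SHAREDTASKSCHEDULER")
CLSID_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\CLSID\\"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')


def parse_reg(text):
    """Parse REGEDIT4 fragments into {KEY: {value_name: data}}; the default
    value is stored under ''.  Keys are upper-cased so CLSID case never matters."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").upper()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group("name") or ""] = m.group("data").replace("\\\\", "\\")
    return reg


def shared_task_entries(reg):
    """(clsid, label, dll) for each SharedTaskScheduler entry; the DLL comes from
    the CLSID's InprocServer32 default value, falling back to the CLSID key itself."""
    entries = []
    for clsid, label in reg.get(SHARED_TASK_KEY, {}).items():
        clsid = clsid.upper()
        server = reg.get(CLSID_PREFIX + clsid + "\\INPROCSERVER32", {})
        base = reg.get(CLSID_PREFIX + clsid, {})
        entries.append((clsid, label, server.get("") or base.get("")))
    return entries


def suspicious_entries(reg):
    return [e for e in shared_task_entries(reg) if e[0] not in KNOWN_SHARED_TASKS]


def split_before_after(log):
    before, _, after = log.partition("AFTER RUNNING WIN32DELFKIL")
    return before, after


def cleanup_succeeded(log):
    """(ok, foreign_before, foreign_after): ok only if no foreign entry and no
    Winlogon Notify subkey survives in the AFTER section."""
    before, after = split_before_after(log)
    bad_before = {e[0] for e in suspicious_entries(parse_reg(before))}
    bad_after = {e[0] for e in suspicious_entries(parse_reg(after))}
    notify_still_present = "is present!" in after
    return (not bad_after and not notify_still_present), bad_before, bad_after


if __name__ == "__main__":
    for clsid, label, dll in suspicious_entries(parse_reg(SAMPLE_WINDELF)):
        print(f"foreign SharedTaskScheduler entry {clsid} ({label}) -> {dll}")
    ok, _, after = cleanup_succeeded(SAMPLE_WINDELF)
    print("cleanup succeeded" if ok else f"still present after run: {sorted(after)}")
```

Resolving the CLSID rather than trusting the label is the point: "Windows Updater" reads like a system component, but the InprocServer32 path shows Explorer loading cfgmngr32.dll from system32 at every logon, and the unchanged AFTER section plus the surviving Notify subkey give a mechanical answer to "did the fix work" instead of eyeballing two screens of identical output.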

Rawe
2006-06-12, 17:57
Looks like windelfkil didn't do the job.

Let's run it again after cleaning everything else up.

Go ahead and delete Look2Me-Destroyer :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/ (http://www.ewido.net/en/download/)

Please read Ewido Setup Instructions (http://rstones12.geekstogo.com/ewidosetup.htm)
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click "Local Disk ( C: )" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

4. RIGHT-CLICK HERE (http://www.mvps.org/winhelp2002/DelDomains.inf) and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

5. Once in Safe Mode, Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.

==

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log. :bigthumb:

willbill48
2006-06-12, 20:13
Here's the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:08:30 PM, 6/12/2006
+ Report-Checksum: FF2DA0D5

+ Scan result:

HKU\S-1-5-21-2052111302-813497703-1060284298-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Willie\Cookies\willie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Willie\Cookies\willie@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Willie\Cookies\willie@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Willie\Cookies\willie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Willie\Cookies\willie@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Willie\Cookies\willie@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\svchostsys\svchostrun.exe -> Downloader.Agent.a : Cleaned with backup
C:\Program Files\DNS\Catcher.dll -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\DNS\Catcher.tmp -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\DNS\cwebpage.dll -> Adware.Maxifiles : Cleaned with backup


::Report End

And here is the newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:02 PM, on 6/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\043fa694.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Program Files\Weather\Weather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

Rawe
2006-06-12, 20:53
Looking better.. :) Go ahead and remove Ewido for now.

You do need anti-virus software.

==

Please get the free version of AVG (http://www.grisoft.com/us/us_dwnl_free.php).

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

==

Next:

RIGHT-CLICK HERE (http://downloads.subratam.org/Lon/qooFix.bat) and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & explorer folders, then double-click on QooFix.bat.
Choose option #1 (QooFix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
Then please post back with a fresh HijackThis log and we'll clear the rest. :bigthumb:

willbill48
2006-06-12, 22:01
Alright, here's my newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:24 PM, on 6/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\043fa694.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Program Files\Weather\Weather.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
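An added example, not code from this thread, from HijackThis or from Spybot S&D: a small Python script that diffs the persistence sections (O2, O4, O20, O23) of the two logs posted above and reports what the cleanup removed, what was added (AVG) and what survived the QooFix run. The sample log text is an abbreviated copy of the two logs above; the "suspicious" heuristic (image dropped straight into C:\WINDOWS or System32, or a Run key that only opens a URL) is my own assumption and marks entries for a closer look, not a verdict.

```python
"""Diff the persistence entries of two HijackThis logs.

Added example for this thread (not part of HijackThis or Spybot S&D). It keeps
the sections that describe persistence (O2 BHOs, O4 Run keys, O20 Winlogon
Notify, O23 services), diffs a before/after pair of logs, and flags entries
that match an assumed heuristic: an image sitting directly in %WinDir% or
System32 with no vendor folder, or a launcher that just opens a URL.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PERSISTENCE_SECTIONS = {"O2", "O4", "O20", "O23"}
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in an executable-ish extension; paths may contain spaces
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx))', re.IGNORECASE)
# Assumed heuristic: loaders dropped straight into these folders deserve a look
BARE_SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


@dataclass(frozen=True)
class Entry:
    section: str            # e.g. "O4"
    text: str               # everything after "O4 - "
    path: Optional[str]     # lower-cased image path, if one was found


def parse_log(log: str) -> List[Entry]:
    """Return the persistence entries of a HijackThis log; other sections are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) not in PERSISTENCE_SECTIONS:
            continue
        pm = PATH_RE.search(m.group(2))
        entries.append(Entry(m.group(1), m.group(2), pm.group(1).lower() if pm else None))
    return entries


def _key(e: Entry) -> str:
    return f"{e.section}|{e.text.lower()}"


def diff_logs(before: str, after: str) -> Dict[str, List[Entry]]:
    """Bucket entries into removed (gone after cleanup), added, and survived."""
    b = {_key(e): e for e in parse_log(before)}
    a = {_key(e): e for e in parse_log(after)}
    return {
        "removed": [b[k] for k in sorted(b.keys() - a.keys())],
        "added": [a[k] for k in sorted(a.keys() - b.keys())],
        "survived": [a[k] for k in sorted(a.keys() & b.keys())],
    }


def is_suspicious(e: Entry) -> bool:
    """Assumed triage heuristic: worth a closer look, not proof of malware."""
    if e.path is None:
        return "http://" in e.text.lower()
    folder = e.path.rsplit("\\", 1)[0] + "\\"
    return folder in BARE_SYSTEM_DIRS


def report(before: str, after: str) -> str:
    """Human-readable summary; [!] marks entries that trip the heuristic."""
    lines = []
    for bucket, entries in diff_logs(before, after).items():
        lines.append(f"== {bucket} ({len(entries)})")
        for e in entries:
            lines.append(f"{'[!]' if is_suspicious(e) else '   '} {e.section} - {e.text}")
    return "\n".join(lines)


# Abbreviated copies of the two logs posted in the thread (before and after QooFix)
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

AFTER_LOG = r"""
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```

Run against the full logs, the "survived" bucket is the shortlist the helper works from next; the AVG entries land in "added" but are not flagged because they live under a vendor folder.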

Rawe
2006-06-12, 22:08
That looks better all the time.. :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Download WinPFind (http://www.bleepingcomputer.com/files/winpfind.php):
Right-click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Don't do anything with it yet.


==

Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):

Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing the internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.

Don't do anything else with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Run MWav again:
Locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner. Now let's do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) into it. Save the notepad file to your desktop, naming it as you want (e.g. MWav Results). Close MWav.

==

Double-click WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete:
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post.


==

Reboot into normal Windows and post the MWav results here along with a fresh HijackThis log as well as the WinPFind.txt log. :bigthumb:

willbill48
2006-06-13, 00:31
OK, here are the MWav results:

File C:\WINDOWS\chadch.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
File C:\WINDOWS\DHU.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\WINDOWS\justin2a.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
File C:\WINDOWS\pf78.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sys011542496502-2006.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\WINDOWS\Taga96.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
File C:\WINDOWS\YOINSI.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\install_id6.exe tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
File C:\WINDOWS\System32\nskC4.dll tagged as not-a-virus:AdWare.Win32.HotSearchBar.i. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP0\A0000002.exe infected by "Trojan-Spy.Win32.Delf.ig" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP0\A0000003.exe infected by "Email-Worm.Win32.Delf.i" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP0\A0000005.exe infected by "Trojan-Proxy.Win32.Agent.jw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000008.exe tagged as not-a-virus:RiskTool.Win32.PsKill.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000009.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000010.dll infected by "Trojan-Proxy.Win32.Agent.ji" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000011.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000014.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000017.exe infected by "Trojan-Proxy.Win32.Small.bt" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000018.exe infected by "Trojan-Downloader.Win32.Agent.hy" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000020.exe infected by "Trojan-Downloader.Win32.Small.ciw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000022.exe infected by "Trojan.Win32.Spabot.x" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000027.exe infected by "Trojan-Downloader.Win32.CWS.s" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000028.exe infected by "Trojan-Downloader.Win32.Small.ctk" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000030.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000036.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000057.dll tagged as not-a-virus:AdWare.Win32.EZula.bn. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000058.exe infected by "Email-Worm.Win32.Delf.i" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000060.exe infected by "Trojan-Spy.Win32.Delf.ig" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000062.exe infected by "Trojan-Downloader.Win32.CWS.s" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000063.exe infected by "Trojan-Downloader.Win32.CWS.s" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000064.exe infected by "Trojan.Win32.Spabot.x" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001242.dll tagged as not-a-virus:AdWare.Win32.Ihbo.e. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001243.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001246.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001247.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001249.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001257.dll tagged as not-a-virus:AdWare.Win32.EZula.bn. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001258.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001267.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001268.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001270.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001283.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001286.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001287.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001289.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001296.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001299.dll tagged as not-a-virus:AdWare.Win32.EZula.bn. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001304.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001311.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001313.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001314.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002308.exe tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002313.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002314.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002316.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003312.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003315.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003316.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003332.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.o. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003334.DLL tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003347.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003350.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003355.exe infected by "Trojan-Clicker.Win32.VB.nh" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003358.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003359.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003362.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003363.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003365.exe tagged as not-a-virus:AdWare.Win32.Agent.z. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003366.exe tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003367.exe tagged as not-a-virus:AdWare.Win32.Mirar.d. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003368.ocx tagged as not-a-virus:AdWare.Win32.MediaMotor.m. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003369.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003370.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003374.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003376.exe tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003377.exe infected by "Trojan-Proxy.Win32.Agent.jw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003378.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003382.dll tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003383.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.d. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003384.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.d. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003415.dll tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003417.dll tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003419.exe infected by "Trojan-Dropper.Win32.Agent.hl" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003420.dll infected by "Trojan-Downloader.Win32.Agent.afl" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003421.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003423.exe infected by "Trojan-Downloader.Win32.Small.aav" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003424.dll tagged as not-a-virus:AdWare.Win32.Mirar.b. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003426.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003429.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.o. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003466.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003467.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003478.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003479.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003484.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003499.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003500.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003507.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003519.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003520.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003527.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003552.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003553.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003565.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003566.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003570.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003590.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003592.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003624.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003626.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003644.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003646.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003650.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003697.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003698.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003699.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003700.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\WINDOWS\chadch.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
File C:\WINDOWS\justin2a.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
File C:\WINDOWS\sys011542496502-2006.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\WINDOWS\system32\install_id6.exe tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
File C:\WINDOWS\system32\nskC4.dll tagged as not-a-virus:AdWare.Win32.HotSearchBar.i. No Action Taken.

willbill48
2006-06-13, 00:33
And here's the WinPFind.txt:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 5/8/2006 7:27:30 PM H 2595209 C:\PANDA.RPT
PEC2 3/2/2006 1:36:00 PM 107000114 C:\republic6.wav

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 6/6/2006 11:17:00 PM 53280 C:\WINDOWS\g219545.dll

Checking %System% folder...
UPX! 6/6/2006 8:03:38 AM 60416 C:\WINDOWS\SYSTEM32\adrotate.dll
PEC2 9/3/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 6/9/2005 1:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 6/9/2005 1:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 6/4/2006 1:48:06 AM 11264 C:\WINDOWS\SYSTEM32\hSox.exe
PECompact2 10/2/2005 8:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/2/2005 8:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 9/3/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 9/3/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/12/2006 3:44:48 PM S 2048 C:\WINDOWS\bootstat.dat
6/8/2006 3:45:38 PM H 54156 C:\WINDOWS\QTFont.qfn
6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
6/6/2006 10:59:36 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
6/6/2006 11:00:22 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
6/6/2006 10:59:36 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
6/6/2006 11:07:46 PM H 319488 C:\WINDOWS\repair\ntuser.dat
6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
6/6/2006 10:59:36 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
6/6/2006 10:59:36 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
6/12/2006 10:35:04 AM S 451856 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5INF.CAT
5/3/2006 8:11:26 PM S 7738 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem10.CAT
5/3/2006 8:11:26 PM S 7738 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\oem10.CAT
6/12/2006 3:44:40 PM H 8192 C:\WINDOWS\system32\config\default.LOG
6/12/2006 3:44:58 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/12/2006 3:44:50 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
6/12/2006 3:47:58 PM H 196608 C:\WINDOWS\system32\config\software.LOG
6/12/2006 3:44:50 PM H 782336 C:\WINDOWS\system32\config\system.LOG
6/6/2006 3:35:20 PM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
6/6/2006 3:35:24 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
6/6/2006 11:07:48 PM H 1024 C:\WINDOWS\system32\config\userdifr.LOG
6/6/2006 11:20:26 PM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
6/12/2006 3:44:06 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 9/3/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 9/3/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/6/2006 11:01:16 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/6/2006 10:42:04 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
5/18/2006 10:15:04 PM 1382 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
6/20/2004 11:45:54 PM HS 84 C:\Documents and Settings\Willie\Start Menu\Programs\Startup\desktop.ini
5/18/2006 9:03:52 AM 729 C:\Documents and Settings\Willie\Start Menu\Programs\Startup\Weather.lnk

Checking files in %USERPROFILE%\Application Data folder...
6/20/2004 4:24:34 PM HS 62 C:\Documents and Settings\Willie\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70F6A776-579A-4C95-BA88-134253907752}
RieMon Class = C:\WINDOWS\System32\irsmeuex.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D117A61F-92C3-4450-A0C8-F425B14D4127}
Banner Rotator = C:\WINDOWS\System32\adrotate.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

willbill48
2006-06-13, 00:34
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
043fa694.exe C:\WINDOWS\System32\043fa694.exe
Windows hSox Server C:\WINDOWS\System32\hSox.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
irssyncd C:\WINDOWS\System32\irssyncd.exe
043fa694.exe C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
Windows hSox Server C:\WINDOWS\System32\hSox.exe
TClock.exe C:\Program Files\TClock\tclock_install.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
WinUpdate.exe C:\Program Files\Windows\WinUpdate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmngr32
= C:\WINDOWS\system32\cfgmngr32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/12/2006 5:19:37 PM

and here is the newest hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 5:31:42 PM, on 6/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\043fa694.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Weather\Weather.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

Rawe
2006-06-13, 11:03
First, please uninstall Viewpoint through Add/Remove programs.

Then we'll delete the rest with the following :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract Avenger.exe to your desktop.

2. Copy all the text in bold contained in the quotebox below to a blank notepad file:


Files to delete:
C:\WINDOWS\sys011542496502-2006.exe
C:\WINDOWS\chadch.exe
C:\WINDOWS\justin2a.exe
C:\WINDOWS\system32\install_id6.exe
C:\WINDOWS\system32\nskC4.dll
C:\WINDOWS\g219545.dll
C:\WINDOWS\SYSTEM32\adrotate.dll
C:\WINDOWS\SYSTEM32\hSox.exe
C:\WINDOWS\System32\043fa694.exe
C:\WINDOWS\System32\irssyncd.exe
C:\Program Files\Windows\WinUpdate.exe
C:\WINDOWS\system32\cfgmngr32.dll
C:\WINDOWS\System32\irsmeuex.dll

Folders to delete:
C:\Program Files\Viewpoint\Viewpoint Manager

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
Paste the text copied to the notepad file into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it briefly opens a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log. :)

willbill48
2006-06-13, 17:28
Alright, here's the Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nyugcnwe

*******************

Script file located at: \??\C:\Documents and Settings\hiapjwpx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\sys011542496502-2006.exe deleted successfully.
File C:\WINDOWS\chadch.exe deleted successfully.
File C:\WINDOWS\justin2a.exe deleted successfully.
File C:\WINDOWS\system32\install_id6.exe deleted successfully.
File C:\WINDOWS\system32\nskC4.dll deleted successfully.
File C:\WINDOWS\g219545.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\adrotate.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\hSox.exe deleted successfully.
File C:\WINDOWS\System32\043fa694.exe deleted successfully.
File C:\WINDOWS\System32\irssyncd.exe deleted successfully.


File C:\Program Files\Windows\WinUpdate.exe not found!
Deletion of file C:\Program Files\Windows\WinUpdate.exe failed!

Could not process line:
C:\Program Files\Windows\WinUpdate.exe
Status: 0xc0000034

File C:\WINDOWS\system32\cfgmngr32.dll deleted successfully.
File C:\WINDOWS\System32\irsmeuex.dll deleted successfully.


Folder C:\Program Files\Viewpoint\Viewpoint Manager not found!
Deletion of folder C:\Program Files\Viewpoint\Viewpoint Manager failed!

Could not process line:
C:\Program Files\Viewpoint\Viewpoint Manager
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

and here is the hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:40 AM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
C:\Program Files\Weather\Weather.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

Rawe
2006-06-13, 17:49
Ok then.. That looks better :)

Please run a scan with HijackThis and check the following objects for removal:

R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe9...p/RdxIE601.cab
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot.

==

Then you'll need to update Java.. This is important.
Updating Java and Clearing Cache
Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
It should have the following icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:

http://www.java.com/en/download/manual.jsp

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.



==

Please post another HijackThis log.. And how's the system running now? :bigthumb:
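
As an added example (not part of this thread, and not HijackThis code), here is a small Python triage script that parses HijackThis log lines of the kind listed for removal above and flags the patterns picked out there: entries whose target file is reported missing, Run values that open a URL in Internet Explorer at logon, Run values with hex-only names, and the same Run value registered under both HKLM and HKCU. The sample lines are constructed from this thread's logs, and the heuristics are this example's own assumptions rather than HijackThis rules.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on lines from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O4 autostart line: "O4 - <hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Heuristics assumed by this example: 8 hex digits + .exe, or IE started with a URL.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
URL_LAUNCH_RE = re.compile(r"^iexplore\.exe\s+https?://", re.IGNORECASE)


def triage(log_text):
    """Return a list of (section, reason, detail) for entries worth a closer look."""
    findings = []
    run_hives = defaultdict(set)  # Run value name -> hives it appears under
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        # O2/O20 report "(file missing)"; O10 reports a missing LSP provider DLL.
        if "(file missing)" in line or (section == "O10" and line.endswith("missing")):
            findings.append((section, "target file missing (orphaned entry)", line))
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            run_hives[name].add(m.group("hive"))
            if URL_LAUNCH_RE.match(cmd):
                findings.append((section, "opens a URL in IE at logon", line))
            if HEX_NAME_RE.match(name):
                findings.append((section, "machine-generated value name", line))
    # The same autostart registered per-machine and per-user is a common persistence pattern.
    for name, hives in run_hives.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(("O4", "same Run value in both HKLM and HKCU", name))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:40} {detail}")
```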

willbill48
2006-06-13, 18:16
I'm really sorry but I think I screwed up the step for fixing the Java. I might have misread and I just went into the Control Panel, went to Add/Remove Programs and uninstalled Java Runtime from there. Then I went to the next step to look for the Java icon in the Control Panel and nothing was there.

Should I reinstall Java and then do those steps?

Anyway, here's the newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:14:12 AM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\Program Files\Weather\Weather.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS



Also my system is running a lot better. There is no longer a window that pops up every couple of minutes that says "do you want to install and run Macromedia Flash Player 8". Two Internet Explorer windows would always pop up at my startup saying the pages could not be displayed. Now there is one, with the default page I wanted it to go to coming up. Unfortunately I don't want any page to come up at startup but I don't know how to fix it. Also, I still have a program called Weather running at the bottom right next to my clock which I don't know how to get rid of, and my clock is still taken over by a program called TClock or something, but it runs off of military time and looks different.

But thank you so much for your help so far, I really appreciate it.

Rawe
2006-06-13, 18:35
Not much left then.. Sure, download the latest Java from the link in my last post. :) It'll reinstall it completely.. along with the update.

Uninstall these from Add/Remove programs if present:

TClock
Weather

Then delete these folders if present:

C:\Program Files\TClock
C:\Program Files\Weather

Empty recycle bin.

Now, please fix the following objects in HijackThis if present:

O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe

Finally, post back with a fresh HijackThis log. :)

willbill48
2006-06-13, 18:49
Alright, thanks. TClock and Weather are gone.

Here's the newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:49 AM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS


Is there any way to stop Internet Explorer from popping up right away at my startup?

Also I noticed that my Windows Media Player does not work anymore, but I might be able to fix that by downloading a new one. Any time I click the shortcut it says an internal application error has occurred.

Anyway, thanks for all your help so far.

Rawe
2006-06-13, 19:07
Fix this in HijackThis:

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE

Does IE still pop up? :)

And yes, reinstall Media Player.

How's the system running now?

willbill48
2006-06-13, 19:35
Alright, that fixed the startup Internet Explorer and the system seems to be running fine.

Thank you so much for all your help.
I appreciate it a lot.
:)

willbill48
2006-06-13, 20:03
Oh, I just ran a Spybot S&D check and it still found CoolWWWSearch.SearchKlick. I pressed "Fix selected problems" but it could not fix that one.

Rawe
2006-06-13, 20:43
Ok then.. Post the SpyBot log :)

willbill48
2006-06-13, 22:14
Here are the Spybot checks:


--- Report generated: 2006-06-13 15:08 ---

CoolWWWSearch.SearchKlick: Data (File, nothing done)
C:\WINDOWS\jiehw.txt

CoolWWWSearch.SearchKlick: Data (File, nothing done)
C:\WINDOWS\uxsur.txt

CoolWWWSearch.SearchKlick: Data (File, nothing done)
C:\WINDOWS\xkecn.txt

Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-13 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-12 Includes\Cookies.sbi (*)
2006-05-12 Includes\Dialer.sbi (*)
2006-05-12 Includes\Hijackers.sbi (*)
2006-05-12 Includes\Keyloggers.sbi (*)
2006-05-12 Includes\Malware.sbi (*)
2006-05-12 Includes\PUPS.sbi (*)
2006-05-12 Includes\Revision.sbi (*)
2006-05-12 Includes\Security.sbi (*)
2006-05-12 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-12 Includes\Trojans.sbi (*)

and the fixes:

--- Report generated: 2006-06-13 15:09 ---

CoolWWWSearch.SearchKlick: Data (File, fixing failed)
C:\WINDOWS\jiehw.txt

CoolWWWSearch.SearchKlick: Data (File, fixing failed)
C:\WINDOWS\uxsur.txt

CoolWWWSearch.SearchKlick: Data (File, fixing failed)
C:\WINDOWS\xkecn.txt

Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-13 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-12 Includes\Cookies.sbi (*)
2006-05-12 Includes\Dialer.sbi (*)
2006-05-12 Includes\Hijackers.sbi (*)
2006-05-12 Includes\Keyloggers.sbi (*)
2006-05-12 Includes\Malware.sbi (*)
2006-05-12 Includes\PUPS.sbi (*)
2006-05-12 Includes\Revision.sbi (*)
2006-05-12 Includes\Security.sbi (*)
2006-05-12 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-12 Includes\Trojans.sbi (*)

Rawe
2006-06-13, 22:39
Well, this should be easy.

If you find these .txt files, delete them:

C:\WINDOWS\jiehw.txt
C:\WINDOWS\uxsur.txt
C:\WINDOWS\xkecn.txt

Empty recycle bin. How's it now? :)

willbill48
2006-06-13, 23:13
Alright, that fixed it, although I had to go into safe mode for the computer to allow me to delete it.

Thanks for everything again!

Rawe
2006-06-13, 23:27
You're more than welcome.. :)

First priority: Install Service Pack 2 by visiting Microsoft Update (http://update.microsoft.com/microsoftupdate/v6/default.aspx). After you have installed it, reboot, download & install ALL the available critical updates. Then some more preventive maintenance:

Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Kerio Personal Firewall (http://www.kerio.com/us/kpf_download.html) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice;
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)