Need help cleaning Viruses



element123
2006-07-16, 04:14
Hi, so I downloaded an exe today and it installed a bunch of viruses or spyware on my computer. I know they are there because I have a bunch of exes that I didn't download in my Task Manager and some virus alert at the bottom of my screen that triggers pop-ups. Any help on removing these viruses or whatever is appreciated. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:38 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\daeL\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {2C0DE132-0E80-7208-F499-01D58B06B0EE} - C:\WINDOWS\system32\czeam.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Naos] "C:\PROGRA~1\COMMON~1\SSTEM3~1\dvdplay.exe" -vt yazr
O4 - HKCU\..\Run: [Cpynmo] C:\Program Files\?ymbols\r?gedit.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\ping.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\system32\pmnqguh.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

If I need to do anything else, please post what. Thanks :)

pskelley
2006-07-16, 16:25
Hello and welcome to the forum. If you are not receiving help elsewhere and still need help, let's give this a try.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) Go to Start > Control Panel > Add or Remove Programs
In the list of Currently Installed Programs, look for any entry with OuterInfo or OIN, such as:
PurityScan By OIN
If found, select and click: Remove
While you are there, uninstall any other programs you know do not belong there. If you are unsure, let me know and I will look.
If no entries with OuterInfo or OIN are listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {2C0DE132-0E80-7208-F499-01D58B06B0EE} - C:\WINDOWS\system32\czeam.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Naos] "C:\PROGRA~1\COMMON~1\SSTEM3~1\dvdplay.exe" -vt yazr
O4 - HKCU\..\Run: [Cpynmo] C:\Program Files\?ymbols\r?gedit.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\system32\ping.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\system32\pmnqguh.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(these are PurityScan adware and may be gone if the uninstaller did the job; just don't miss them if they are there)

C:\PROGRAM FILES~1\COMMON~1\SSTEM3~1\ <<< delete the folder

C:\Program Files\?ymbols\ <<< delete the folder

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log along with any comments you think will help. Let me know how the computer is running now.

Thanks...pskelley
Safer Networking Forums
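The items checked in step 5 follow patterns that can be screened mechanically: an unnamed URLSearchHook, a Run entry whose path carries '?' look-alike characters or borrows a Windows binary name outside the Windows folder, an ActiveX (DPF) download from an unfamiliar host, a populated AppInit_DLLs value, and an SSODL entry. The triage helper below is an added example, not HijackThis code or a forum tool; the trusted-host and Windows-binary lists are assumptions, and the sample lines are copied from the first log in this thread.

```python
"""Triage helper for HijackThis-style log lines.

Flags the entry types singled out in this thread.  Added example, not a
tool from the forum; the two lists below are assumptions for the demo.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Windows binaries whose names the adware in the thread borrowed or obscured
# (dvdplay.exe, r?gedit.exe).  Constructed, deliberately short list.
WINDOWS_BINARIES = {"dvdplay.exe", "regedit.exe", "svchost.exe",
                    "rundll32.exe", "explorer.exe", "winlogon.exe"}
# Hosts from which an O16 ActiveX download is expected (assumption).
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "download.windowsupdate.com",
                     "java.sun.com"}
WINDOWS_DIR = "c:\\windows"

# Lines copied from the first HJT log in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {2C0DE132-0E80-7208-F499-01D58B06B0EE} - C:\WINDOWS\system32\czeam.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Naos] "C:\PROGRA~1\COMMON~1\SSTEM3~1\dvdplay.exe" -vt yazr
O4 - HKCU\..\Run: [Cpynmo] C:\Program Files\?ymbols\r?gedit.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\ping.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\system32\pmnqguh.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


def executable_of(command):
    """Extract the executable path from an O4 command line.

    Handles a quoted path, a bare name resolved via PATH (RUNDLL32.EXE ...)
    and an unquoted path containing spaces (C:\\Program Files\\...\\x.exe).
    """
    m = re.match(r'^"([^"]+)"|^(\S.*?\.exe)(?=\s|$)', command.strip(), re.I)
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def triage_line(line):
    """Return the reasons an HJT line deserves attention (empty list if none)."""
    m = re.match(r"^(R3|O4|O16|O20|O21) - (.*)$", line.strip())
    if not m:
        return []
    section, rest = m.groups()
    reasons = []
    if section == "R3" and rest.startswith("URLSearchHook: (no name)"):
        reasons.append("URLSearchHook with no name (browser hijack vector)")
    elif section == "O4":
        command = rest.split("] ", 1)[1]
        exe = executable_of(command)
        directory, _, base = exe.rpartition("\\")
        base = base.lower()
        if "?" in exe:
            reasons.append("'?' in path: non-ASCII look-alike characters in a Run entry")
        # A bare name (no directory) is resolved from the system directories.
        if directory and not directory.lower().startswith(WINDOWS_DIR) \
                and any(fnmatchcase(name, base) for name in WINDOWS_BINARIES):
            reasons.append(f"{base} mimics a Windows binary but lives in {directory}")
    elif section == "O16":
        url = rest.rsplit(" - ", 1)[1]
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX download from untrusted host {host}")
    elif section == "O20" and rest.startswith("AppInit_DLLs:") \
            and rest.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs loads this DLL into every process that links user32")
    elif section == "O21":
        note = " (target file missing)" if "(file missing)" in rest else ""
        reasons.append("SSODL shell extension loaded at every logon" + note)
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons, preserving log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample log it reports exactly the seven lines checked in step 5 and leaves the NVIDIA, NOD32, MSN protocol and service entries alone.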

element123
2006-07-16, 20:02
Logfile of HijackThis v1.99.1
Scan saved at 1:59:03 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\daeL\Desktop\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks for the help. When I tried downloading that uninstaller it wouldn't let me, saying it couldn't read the file. Also my virus detector (NOD32, I don't know if it's any good) is saying Threat Detected:
File: http://www.content-loader.com/getexe/?wmid=bgates
Threat: Win32/Dialer.PZ trojan
And another
File: C:\WINDOWS\TEMP\win53.tmp
Threat: Win32/Dialer.PZ trojan
And another....
File: C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\...\bgates[2].exe

Those keep popping up, so if you know how to remove them it would be appreciated. Thanks for the help given thus far :D

pskelley
2006-07-16, 20:47
This item has shown up that was not in the first log? Did you just install it? I read it as this: Application Layer Gateway Service - alg.exe - Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall, located in C:\Windows\System32\
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

I would appreciate it if you would keep this computer offline as much as possible until we have you clean.
These infections do not come out as easy as they got in, thanks.

I don't see anything else in the HJT log, let's run this PurityScan uninstaller from here to be sure:
http://sarc.com/avcenter/venc/data/adware.purityscan.html

Did you run the ATF-Cleaner? That should have cleaned the tif and the Windows temp folder?
Do you pay for this AV? That finds stuff and won't remove it?


Follow the instructions to download and run this program, make sure you save the scan, I need to see it.
ewido scan: First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware. Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
Launch ewido anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


Run this free online scan. Allow ActiveX if it requests it, the program is safe. Have it remove anything it locates and post the scan results for me.
http://housecall.trendmicro.com/

Thanks

element123
2006-07-16, 22:48
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:40:21 PM 7/16/2006

+ Scan result:



D:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gebba.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxyxwuv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\Content.IE5\61STSLCR\SysProtectScannerInstall[1].cab/USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.232:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.288:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.289:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.235:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@cz6.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.96:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.296:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.297:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.271:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.272:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.273:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.274:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.275:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.276:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.277:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.278:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@www.sidefind[2].txt -> TrackingCookie.Sidefind : Cleaned with backup (quarantined).
:mozilla.256:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup (quarantined).
:mozilla.257:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup (quarantined).
:mozilla.198:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.204:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.205:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.206:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.212:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@install.xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@www.xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup (quarantined).
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.233:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.234:C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\!KillBox\win49.tmp -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\Content.IE5\61STSLCR\srvmsu[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\Content.IE5\U9WR6NSH\srvovf[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\__delete_on_reboot__w_i_n_B_0_._t_m_p_._e_x_e_ -> Trojan.Pakes : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

pskelley
2006-07-16, 23:18
Looks like you may have the Vundo trojan:
C:\WINDOWS\system32\gebba.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxyxwuv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
ewido can clean a little of it but it takes a special tool to remove it.
I am waiting to see what the Housecall scan shows us.

Thanks

element123
2006-07-17, 01:26
Collecting scan results...
Detected malware

Note: Complete removal of the malware listed below failed! If you require general hints and tips to solve the problem, please click here. Malware specific information is available from the relevant malware section.
TITLE_OF_MALWARE
0 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of malware.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating systemChecking this line will take no action on the infection Checking this column will clean the infectionWarning: Checking this column will delete the infection (e.g. the infected file) from your hard disk.Files infected by this malwareThis will display all the files infected by the above malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup
Detected signatures
EICAR signature
0 Signatures
The detected signature is not a security risk; it is designed to test antivirus scanners. The listed files are not infected. They only contain the EICAR signature.
Take no action on signatures on the machineDelete signatures. Warning! Deleting this column will remove all associated signature files.EICAR filesThis will display all file paths of the above signatureReasonno accessnot supported
Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem, please click here. Grayware specific information is available from the relevant grayware section.

ADW_MEDTICKS.Q

pskelley
2006-07-17, 01:44
I have no idea what that information you posted was. Did you run the HouseCall scan? What were the results? Can you please post information so I will know what is happening on that end.

Thanks to Atribune for this fix. The instructions must be followed carefully.

Please download VundoFix.exe to your desktop.
http://www.atribune.org/public-beta/VundoFix.exe
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, and some feedback from you.

Thanks

element123
2006-07-17, 05:47
House Call is giving me an error saying it cannot transfer information and Vundo came up with nothing. Here is a fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:48:19 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\daeL\Desktop\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I was just wondering if reformatting would help the situation, and if I do, will I have to perform it on both my C and D drives?

pskelley
2006-07-17, 13:24
Hello, please use the "Post Reply" button, not the Quote button, thanks. There is plenty of information online about how to reformat, but unless you are in a hurry, we can try a few more things. If you want that information now, let me know.

Try this scan, it will not remove anything but it might show us something that is there:
http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan%2f&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest
Instructions >>> http://www.pandasoftware.com/activescan/activescan/ayuda/ayudacom/ayuda.asp?IdLang=2
Once the scan is finished, if Panda ActiveScan has detected a virus, you can also consult a more detailed report. To do this, click the See Report button while the computer is connected to the Internet.
Post that scan report.

Would you also run another scan with your AV software and post the results of that scan? Let's see what NOD says is left.

Thanks

element123
2006-07-17, 20:05
Sorry, I did not notice I posted in a quote. Here is the Pandasoftware scan log:

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt[searchportal.information.com/]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\daeL\Favorites\Antivirus Test Online.url
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\Content.IE5\0HS3KZAN\srvhkp[1].exe
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\Content.IE5\U9WR6NSH\srvdru[1].exe
Adware:Adware/MediaTickets Not disinfected C:\Program Files\Cowabanga\uninstaller.exe
Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\wingin32.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\Temp\__delete_on_reboot__w_i_n_7_4_2_._t_m_p_._e_x_e_
Spyware:Cookie/Atwola Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@atwola[1].txt
Spyware:Cookie/GoStats Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@c2.gostats[2].txt
Spyware:Cookie/Cgi-bin Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@cgi-bin[1].txt
Spyware:Cookie/GoStats Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@gostats[2].txt
Spyware:Cookie/Kount Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@kount[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@offeroptimizer[2].txt
Spyware:Cookie/MyGeek Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@partners.mygeek[1].txt
Spyware:Cookie/Rightmedia Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@rightmedia[2].txt
Spyware:Cookie/WebPower Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@webpower[1].txt
Adware:Adware/IPInsight Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Local Settings\Temp\conscorr.ini
Adware:Adware/LocalNRD Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Local Settings\Temp\THI19C4.tmp\localNrd.inf

pskelley
2006-07-17, 23:16
I would like to see the NOD scan results I requested in my last instructions:

Would you also run another scan with your AV software and post the results of that scan, let's see what NOD says is left.
Thanks
I would like to run the NOD scan before you remove the stuff below, thanks.

Most of these items are cookies in Firefox. Would you look in this link:
http://forums.security-central.us/showthread.php?t=1925 At the top of the ATF-Cleaner you will see Firefox; if you have important passwords set in Firefox, I would not check it. Clean out the rest of those areas.

You may have to do this part in safe mode?
http://www.bleepingcomputer.com/tutorials/tutorial61.html

C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\ <<< delete the contents of that folder in red (not the folder)
C:\Program Files\Cowabanga\ <<< delete that folder
C:\WINDOWS\system32\wingin32.dll <<< delete that file
C:\WINDOWS\Temp\ <<< delete the contents of that folder in red (not the folder)
D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\ <<< delete the contents of that folder (not the folder)

Let me know if the performance has improved, or describe what is happening.

Thanks
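
The triage in the post above (most hits are cookies, the rest are a handful of files under Temp folders and system32) can be done mechanically from the Panda report format posted earlier. The following is an added example written for this thread, not code from the forum or from Panda; the status words in the regex and the five sample report lines are assumed from what is visible in the post.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the report layout posted above (five lines picked
# from the post, not the full log).
SAMPLE_REPORT = r"""Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\daeL\Application Data\Mozilla\Firefox\Profiles\uk4vlx0r.default\cookies.txt[.atdmt.com/]
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\daeL\Local Settings\Temporary Internet Files\Content.IE5\0HS3KZAN\srvhkp[1].exe
Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\wingin32.dll
Spyware:Cookie/Atwola Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Cookies\archie dias@atwola[1].txt
Adware:Adware/IPInsight Not disinfected D:\NEEDED PROGRAMS\Documents and Settings\Archie Dias\Local Settings\Temp\conscorr.inf
"""

# Status words are assumed from the post. The incident name can contain
# spaces ("Cookie/Atlas DMT"), so it is matched non-greedily up to the status.
LINE_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected|Deleted) (?P<path>.+)$")


def parse_report(text):
    """One dict per finding: incident, status, path, drive, kind."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, blank lines, anything unrecognised
            continue
        f = m.groupdict()
        # Panda appends "[domain/]" to a cookie-store path; drop it so the
        # path names a real file on disk.
        f["path"] = re.sub(r"\[[^\]]*\]$", "", f["path"])
        f["drive"] = f["path"][:2].upper()
        f["kind"] = "cookie" if f["incident"].startswith("Spyware:Cookie/") else "file"
        findings.append(f)
    return findings


def summarize(findings):
    """Counts by kind and by drive: is it mostly tracking cookies, and is
    the D: drive involved beyond a copied-over user profile?"""
    return {"by_kind": Counter(f["kind"] for f in findings),
            "by_drive": Counter(f["drive"] for f in findings)}


def folders_to_clean(findings):
    """Parent folders of the non-cookie findings, i.e. the folders a helper
    would ask the user to empty or review (compare the list in the post)."""
    return sorted({ntpath.dirname(f["path"]) for f in findings if f["kind"] == "file"})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for folder in folders_to_clean(found):
        print("review:", folder)
```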

tashi
2006-07-24, 09:15
element123?

tashi
2006-07-28, 16:48
This topic is closed due to lack of a response to helper.

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.