Lots of adware, MANY POPUPS, I can't get rid of

rozsa
2006-09-08, 00:08
Hi, I have gotten some adware and spyware, I assume, from the following popups: adfarm, command service, ad.firstadsolution, directorysupport, and targetsaver. I don't know what to do to get rid of these guys. I've tried to get rid of just Command Service using Spybot S&D, but when it tries to get rid of the item, S&D says it can't get rid of the item unless I reboot and try again. But from what I have read elsewhere, that sometimes ends up not helping. Still, I can't get S&D to activate upon reboot anyway. I would prefer to get help with the programs more than getting S&D to work on reboot as a priority. What's weird is I just got this comp upgraded to XP today and got these things like an hour later. Any help would be greatly appreciated!

Here is my recent HJT log. Thanks again!

rozsa

Logfile of HijackThis v1.99.1
Scan saved at 4:03:51 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\documents and settings\trey\desktop\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\outlook\outlook.exe
C:\kybrdff_16.exe
C:\dfndrff_16.exe
C:\WINNT\sys017570991501.exe
C:\WINNT\uwdnsqfA.exe
C:\WINNT\Duce6.exe
C:\WINNT\thiselt.exe
C:\WINNT\ms037099150175.exe
C:\Program Files\Common Files\{68BB348E-031E-1033-0329-010524000001}\Update.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\PROGRA~1\COMMON~1\iwkf\iwkfm.exe
C:\PROGRA~1\COMMON~1\iwkf\iwkfa.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Batty2\Batty2.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Trey\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\PSCloner\PSCloner.exe
C:\DOCUME~1\Trey\LOCALS~1\Temp\ac2_0006.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\update\update.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,oyfmdje.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\trey\desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [sys017570991501] C:\WINNT\sys017570991501.exe
O4 - HKLM\..\Run: [uwdnsqfA] C:\WINNT\uwdnsqfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [lqf1e597] RUNDLL32.EXE w026c5ad.dll,n 0041e59300000003026c5ad
O4 - HKLM\..\Run: [win32085017570991] C:\WINNT\win32085017570991.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [ms037099150175] C:\WINNT\ms037099150175.exe
O4 - HKLM\..\Run: [w0067185.dll] RUNDLL32.EXE w0067185.dll,I2 0041e59300067185
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [iwkf] C:\PROGRA~1\COMMON~1\iwkf\iwkfm.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PSCloner] "C:\Program Files\PSCloner\PSCloner.exe"
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\ojdsregk.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\lvjo0913e.dll
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
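The HJT log above is the kind of list an analyst reads by hand, picking out the autostart lines (F2 UserInit, O4 Run keys and Startup links, O15 Trusted Zone, O20 AppInit_DLLs and Winlogon Notify) and asking where each target lives. The Python script below, added here as an illustration and not part of the original post or a feature of HijackThis, does that first pass over a subset of the lines posted above. The location rules of thumb in location_concern() are assumptions made for this example, so it flags entries for review rather than declaring them malicious; the legitimate mobsync.exe is listed for the same reason winlog.exe is, because a bare file name says nothing about which file on disk actually runs.

```python
"""Triage HijackThis v1.99 log lines for entries worth an analyst's attention.
Added example for this thread (not the original post, not a HijackThis feature);
the rules of thumb in location_concern() are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Finding:
    code: str    # HJT section code: F2, O4, O15, O20 ...
    entry: str   # the line body as HijackThis printed it
    target: str  # file, DLL or host the entry points at
    reason: str  # why an analyst should look at it

# Sample input: a subset of the HJT log posted above, copied verbatim into a raw string.
SAMPLE_LOG = r"""
Running processes:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,oyfmdje.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [sys017570991501] C:\WINNT\sys017570991501.exe
O4 - HKLM\..\Run: [lqf1e597] RUNDLL32.EXE w026c5ad.dll,n 0041e59300000003026c5ad
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\ojdsregk.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\lvjo0913e.dll
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")  # O4 - ...: [name] command

def split_command(cmd: str) -> Tuple[str, str]:
    """Split an autorun command into (program, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (cmd, "")

def location_concern(target: str) -> Optional[str]:
    """Rules of thumb (assumptions) about where legitimate autoruns live."""
    p = target.lower().replace("/", "\\")
    if "\\" not in p:
        return "bare file name resolved through the search path; confirm which file it is"
    if re.fullmatch(r"[a-z]:\\+[^\\]+", p):
        return "executable stored in the drive root"
    if "\\temp\\" in p or "\\desktop\\" in p:
        return "executable launched from a Temp or Desktop folder"
    if re.fullmatch(r"[a-z]:\\win(nt|dows)\\[^\\]+", p):
        return "executable in the Windows folder itself rather than system32"
    return None

def triage(log_text: str) -> List[Finding]:
    """Return the entries an analyst should review, each with its reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code == "F2" and "UserInit=" in body:
            names = [v.strip() for v in body.split("UserInit=", 1)[1].split(",")]
            extras = [v for v in names if v and not v.lower().endswith("userinit.exe")]
            if extras:
                findings.append(Finding(code, body, ",".join(extras),
                                        "extra program chained onto UserInit, run at every logon"))
        elif code == "O4":
            rm = RUN_RE.search(body)
            if rm:
                cmd = rm.group("cmd")
            elif " = " in body:  # O4 - Startup: name.lnk = target
                cmd = body.split(" = ", 1)[1]
            else:
                continue
            program, args = split_command(cmd)
            target = program
            if program.lower().endswith("rundll32.exe") and args:
                target = args.split(",", 1)[0].strip()  # the DLL rundll32 will load
            concern = location_concern(target)
            if concern:
                findings.append(Finding(code, body, target, concern))
        elif code == "O15":
            findings.append(Finding(code, body, body.split(":", 1)[-1].strip(),
                                    "host in the IE Trusted Zone gets relaxed security settings"))
        elif code == "O20":
            target = body.split(" - ", 1)[-1] if " - " in body else body.split(":", 1)[-1]
            findings.append(Finding(code, body, target.strip(),
                                    "DLL loaded into every process (AppInit) or by winlogon (Notify)"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{f.target:<45} {f.reason}")
```

Run as a script it prints one line per flagged entry; triage() returns Finding objects, so the same logic can be pointed at the full log text or at any other HJT log.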

Rawe
2006-09-08, 18:00
Hello and welcome... :)

Nice collection there.... Let's get started.

Please get the free version of AVG (http://www.grisoft.com/us/us_dwnl_free.php).

Download & install it, configure it how you wish, and update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot. Make sure you keep using it; an anti-virus client is very important to have running at all times.

----

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

----

Finally:

Please download Combofix (http://download.bleepingcomputer.com/sUBs/combofix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with the contents of the C:\vundofix.txt log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

rozsa
2006-09-12, 00:57
Hi, thanks so much for your help so far. I really do appreciate it. I did what you told me and here are the new logs (in 2 posts):


VundoFix V6.1.4

Checking Java version...

Java version is 1.5.0.8

Scan started at 9:07:11 PM 9/8/2006

Listing files found while scanning....


VundoFix V6.1.4

Checking Java version...

Java version is 1.5.0.8

Scan started at 4:57:17 AM 9/9/2006

Listing files found while scanning....

No infected files were found.





Trey - 06-09-11 16:51:10.91
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Trey\Desktop

Microsoft Windows XP [Version 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\Duce6.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-11 to 2006-09-11 ))))))))))))))))))))))))))))))))))


2006-09-09 04:13 106,496 --a------ C:\WINNT\Duce6.exe
2006-09-09 01:00 168,074 --a------ C:\WINNT\system32\twinkpex.exe
2006-09-09 00:54 45,069 --a------ C:\WINNT\system32\ojdsregk.exe
2006-09-09 00:01 45,056 --a------ C:\TIGEN001.exe
2006-09-08 21:07 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2006-09-08 21:07 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2006-09-07 15:57 0 ---hs---- C:\WINNT\system32\tasklist.com
2006-09-07 01:00 9,728 --------- C:\WINNT\system32\comsdupd.exe
2006-09-07 01:00 870,784 --------- C:\WINNT\system32\ati3d1ag.dll
2006-09-07 01:00 86,016 --------- C:\WINNT\system32\mdmxsdk.dll
2006-09-07 01:00 73,832 --------- C:\WINNT\system32\slcoinst.dll
2006-09-07 01:00 73,796 --------- C:\WINNT\system32\slserv.exe
2006-09-07 01:00 516,768 --------- C:\WINNT\system32\ativvaxx.dll
2006-09-07 01:00 397,056 --------- C:\WINNT\system32\s3gnb.dll
2006-09-07 01:00 377,984 --------- C:\WINNT\system32\ati2dvaa.dll
2006-09-07 01:00 32,866 --------- C:\WINNT\system32\slrundll.exe
2006-09-07 01:00 32,866 --------- C:\WINNT\slrundll.exe
2006-09-07 01:00 32,768 --------- C:\WINNT\system32\ativtmxx.dll
2006-09-07 01:00 32,285 --------- C:\WINNT\system32\hsfcisp2.dll
2006-09-07 01:00 286,792 --------- C:\WINNT\system32\slextspk.dll
2006-09-07 01:00 229,376 --------- C:\WINNT\system32\ati2cqag.dll
2006-09-07 01:00 201,728 --------- C:\WINNT\system32\ati2dvag.dll
2006-09-07 01:00 188,508 --------- C:\WINNT\system32\slgen.dll
2006-09-07 01:00 1,888,992 --------- C:\WINNT\system32\ati3duag.dll
2006-09-07 01:00 1,737,856 --------- C:\WINNT\system32\mtxparhd.dll
2006-09-07 00:33 163,840 --a------ C:\WINNT\ms037099150175.exe
2006-09-06 17:32 23 --a------ C:\WINNT\riyip.dll
2006-09-06 17:04 32,768 --a------ C:\WINNT\frrvlezq.exe
2006-09-06 16:49 215,308 --a------ C:\WINNT\Setup90.exe
2006-09-06 16:36 929 --a------ C:\WINNT\system32\winpfg32.sys
2006-09-06 16:36 1,233 --a------ C:\WINNT\system32\lqf1e597.sys
2006-09-06 16:35 186,223 --a------ C:\WINNT\srvejfrrqs.exe
2006-09-06 16:34 163,840 --a------ C:\WINNT\sys017570991501.exe
2006-09-06 15:43 8,192 --a------ C:\WINNT\system32\bitsprx2.dll
2006-09-06 15:43 7,168 --a------ C:\WINNT\system32\bitsprx3.dll
2006-09-06 15:43 67,584 --a------ C:\WINNT\system32\srclient.dll
2006-09-06 15:43 465,176 --a------ C:\WINNT\system32\wuapi.dll
2006-09-06 15:43 45,568 --a------ C:\WINNT\system32\safrslv.dll
2006-09-06 15:43 43,520 --a------ C:\WINNT\system32\safrcdlg.dll
2006-09-06 15:43 43,520 --a------ C:\WINNT\system32\racpldlg.dll
2006-09-06 15:43 41,240 --a------ C:\WINNT\system32\wups.dll
2006-09-06 15:43 32,768 --a------ C:\WINNT\system32\isrdbg32.dll
2006-09-06 15:43 29,696 --a------ C:\WINNT\system32\safrdm.dll
2006-09-06 15:43 239,104 --a------ C:\WINNT\system32\srrstr.dll
2006-09-06 15:43 22,528 --a------ C:\WINNT\system32\fltMc.exe
2006-09-06 15:43 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2006-09-06 15:43 190,976 --a------ C:\WINNT\system32\schedsvc.dll
2006-09-06 15:43 173,536 --a------ C:\WINNT\system32\wuweb.dll
2006-09-06 15:43 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2006-09-06 15:43 170,496 --a------ C:\WINNT\system32\srsvc.dll
2006-09-06 15:43 16,896 --a------ C:\WINNT\system32\fltlib.dll
2006-09-06 15:43 127,256 --a------ C:\WINNT\system32\wucltui.dll
2006-09-06 15:43 11,264 --a------ C:\WINNT\system32\atrace.dll
2006-09-06 15:38 93,696 --a------ C:\WINNT\system32\tscfgwmi.dll
2006-09-06 15:38 9,728 --a------ C:\WINNT\system32\rwnh.dll
2006-09-06 15:38 9,728 --a------ C:\WINNT\system32\reset.exe
2006-09-06 15:38 87,176 --a------ C:\WINNT\system32\rdpwsx.dll
2006-09-06 15:38 8,704 --a------ C:\WINNT\system32\fxsperf.dll
2006-09-06 15:38 8,192 --a------ C:\WINNT\system32\staxmem.dll
2006-09-06 15:38 72,192 --a------ C:\WINNT\system32\fxscom.dll
2006-09-06 15:38 7,168 --a------ C:\WINNT\system32\wamregps.dll
2006-09-06 15:38 68,608 --a------ C:\WINNT\system32\iisext.dll
2006-09-06 15:38 67,072 --a------ C:\WINNT\system32\rdshost.exe
2006-09-06 15:38 655,360 --a------ C:\WINNT\system32\mstscax.dll
2006-09-06 15:38 64,512 --a------ C:\WINNT\system32\iismap.dll
2006-09-06 15:38 62,464 --a------ C:\WINNT\system32\rdpclip.exe
2006-09-06 15:38 60,416 --a------ C:\WINNT\system32\remotepg.dll
2006-09-06 15:38 6,656 --a------ C:\WINNT\system32\fxsres.dll
2006-09-06 15:38 58,880 --a------ C:\WINNT\system32\licwmi.dll
2006-09-06 15:38 562,176 --a------ C:\WINNT\system32\fxsst.dll
2006-09-06 15:38 55,296 --a------ C:\WINNT\system32\fxsevent.dll
2006-09-06 15:38 538,624 --a------ C:\WINNT\system32\spider.exe
2006-09-06 15:38 452,096 --a------ C:\WINNT\system32\fxsapi.dll
2006-09-06 15:38 44,544 --a------ C:\WINNT\system32\tscupgrd.exe
2006-09-06 15:38 43,520 --a------ C:\WINNT\system32\admwprox.dll
2006-09-06 15:38 407,552 --a------ C:\WINNT\system32\mstsc.exe
2006-09-06 15:38 400,384 --a------ C:\WINNT\system32\fxsxp32.dll
2006-09-06 15:38 4,096 --a------ C:\WINNT\system32\rdpcfgex.dll
2006-09-06 15:38 397,312 --a------ C:\WINNT\system32\fxstiff.dll
2006-09-06 15:38 38,912 --a------ C:\WINNT\system32\cfgbkend.dll
2006-09-06 15:38 33,792 --a------ C:\WINNT\system32\regini.exe
2006-09-06 15:38 31,744 --a------ C:\WINNT\system32\fxsroute.dll
2006-09-06 15:38 3,584 --a------ C:\WINNT\system32\iismui.dll
2006-09-06 15:38 295,424 --a------ C:\WINNT\system32\termsrv.dll
2006-09-06 15:38 290,816 --a------ C:\WINNT\system32\adsiis.dll
2006-09-06 15:38 285,184 --a------ C:\WINNT\system32\fxscomex.dll
2006-09-06 15:38 27,136 --a------ C:\WINNT\system32\fxsdrv.dll
2006-09-06 15:38 267,776 --a------ C:\WINNT\system32\fxssvc.exe
2006-09-06 15:38 246,272 --a------ C:\WINNT\system32\fxst30.dll
2006-09-06 15:38 23,552 --a------ C:\WINNT\system32\fxsmon.dll
2006-09-06 15:38 23,552 --a------ C:\WINNT\system32\fxsext32.dll
2006-09-06 15:38 229,376 --a------ C:\WINNT\system32\fxscover.exe
2006-09-06 15:38 22,016 --a------ C:\WINNT\system32\qwinsta.exe
2006-09-06 15:38 20,992 --a------ C:\WINNT\system32\msg.exe
2006-09-06 15:38 20,480 --a------ C:\WINNT\system32\qprocess.exe
2006-09-06 15:38 192,512 --a------ C:\WINNT\system32\fxswzrd.dll
2006-09-06 15:38 19,968 --a------ C:\WINNT\system32\rdpsnd.dll
2006-09-06 15:38 19,968 --a------ C:\WINNT\system32\inetsloc.dll
2006-09-06 15:38 161,280 --a------ C:\WINNT\system32\msdtcuiu.dll
2006-09-06 15:38 16,896 --a------ C:\WINNT\system32\tsshutdn.exe
2006-09-06 15:38 16,896 --a------ C:\WINNT\system32\qappsrv.exe
2006-09-06 15:38 16,384 --a------ C:\WINNT\system32\tskill.exe
2006-09-06 15:38 154,112 --a------ C:\WINNT\system32\fxsui.dll
2006-09-06 15:38 15,872 --a------ C:\WINNT\system32\rwinsta.exe
2006-09-06 15:38 15,872 --a------ C:\WINNT\system32\cdmodem.dll
2006-09-06 15:38 15,360 --a------ C:\WINNT\system32\logoff.exe
2006-09-06 15:38 147,968 --a------ C:\WINNT\system32\rdchost.dll
2006-09-06 15:38 143,360 --a------ C:\WINNT\system32\fxsclnt.exe
2006-09-06 15:38 140,800 --a------ C:\WINNT\system32\sessmgr.exe
2006-09-06 15:38 14,848 --a------ C:\WINNT\system32\tsdiscon.exe
2006-09-06 15:38 14,848 --a------ C:\WINNT\system32\tscon.exe
2006-09-06 15:38 14,848 --a------ C:\WINNT\system32\shadow.exe
2006-09-06 15:38 14,336 --a------ C:\WINNT\system32\exstrace.dll
2006-09-06 15:38 133,632 --a------ C:\WINNT\system32\iisRtl.dll
2006-09-06 15:38 132,608 --a------ C:\WINNT\system32\fxsclntR.dll
2006-09-06 15:38 13,824 --a------ C:\WINNT\system32\rdsaddin.exe
2006-09-06 15:38 13,312 --a------ C:\WINNT\system32\infoadmn.dll
2006-09-06 15:38 126,976 --a------ C:\WINNT\system32\mshearts.exe
2006-09-06 15:38 111,104 --a------ C:\WINNT\system32\fxscfgwz.dll
2006-09-06 15:38 11,264 --a------ C:\WINNT\system32\icaapi.dll
2006-09-06 15:38 11,264 --a------ C:\WINNT\system32\fxssend.exe
2006-09-06 15:38 10,752 --a------ C:\WINNT\system32\smtpapi.dll
2006-09-06 15:38 1,161 --a------ C:\WINNT\system32\usrlogon.cmd
2006-09-06 15:29 8,192 -ra------ C:\WINNT\system32\kbdhept.dll
2006-09-06 15:29 7,168 -ra------ C:\WINNT\system32\kbdcz.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdycl.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdsl1.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdsl.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdpl.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdhu.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdhela3.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdcz2.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdcz1.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\kbdcr.dll
2006-09-06 15:29 6,656 -ra------ C:\WINNT\system32\KBDAL.DLL
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdtuq.dll
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdtuf.dll
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdlv1.dll
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdlv.dll
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdhela2.dll
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdgkl.dll
2006-09-06 15:29 6,144 -ra------ C:\WINNT\system32\kbdest.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdycc.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbduzb.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdur.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdtat.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdru1.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdru.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdro.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdpl1.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdmon.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdlt1.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdlt.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdkyr.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdkaz.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdhu1.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdhe319.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdhe220.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdhe.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdbu.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdblr.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdazel.dll
2006-09-06 15:29 5,632 -ra------ C:\WINNT\system32\kbdaze.dll
2006-09-06 15:29 24,661 --a------ C:\WINNT\system32\spxcoins.dll
2006-09-06 15:29 13,312 --a------ C:\WINNT\system32\irclass.dll
2006-09-01 06:03 10 --a------ C:\WINNT\smdat32m.sys
2006-08-30 13:17 57,344 --a------ C:\WINNT\uneng.exe
2006-08-30 13:17 49,152 --a------ C:\WINNT\system32\cdrtc.dll
2006-08-30 13:17 45,056 --a------ C:\WINNT\system32\cdral.dll
2006-08-30 13:17 221,184 --a------ C:\WINNT\system32\wmpns.dll
2006-08-30 13:06 109,568 --a------ C:\WINNT\system32\pxinsi64.exe
2006-08-30 13:06 108,544 --a------ C:\WINNT\system32\pxcpyi64.exe
2006-08-24 00:33 541,184 C:\WINNT\system32Dead or Alive 4.scr
2006-08-24 00:33 541,184 C:\WINNT\system32Dead or Alive 4.exe
2006-08-23 23:52 86,016 --a------ C:\WINNT\unvise32qt.exe
2006-08-23 23:39 4,096 --a------ C:\WINNT\system32\ksuser.dll
2006-08-23 23:31 967 --a------ C:\WINNT\ScUnin.pif
2006-08-23 23:31 94,208 --a------ C:\WINNT\ScUnin.exe
2006-08-23 19:55 94,208 --a------ C:\WINNT\system32\GTW32N50.dll
2006-08-23 19:55 243,328 --a------ C:\WINNT\system32\rt2500.sys
2006-08-23 19:55 17,992 --a------ C:\WINNT\system32\bcm42rly.sys
2006-08-23 19:55 17,992 --a------ C:\WINNT\bcm42rly.sys
2006-08-23 19:55 15,872 --a------ C:\WINNT\system32\GTNDIS5.sys
2006-08-23 01:08 25,600 --a------ C:\WINNT\system32\borlndmm.dll
2006-08-23 01:08 1,496,064 --a------ C:\WINNT\system32\cc3250mt.dll
2006-08-23 00:34 61,440 --a------ C:\WINNT\system32\W32N50.dll
2006-08-23 00:34 16,068 --a------ C:\WINNT\system32\PCANDIS5.sys
2006-08-23 00:13 306,688 --a------ C:\WINNT\IsUninst.exe
2006-08-23 00:01 208,896 --a------ C:\WINNT\system32\NVUNINST.EXE
2006-08-22 23:57 94,208 --a------ C:\WINNT\DEVREG.DLL
2006-08-22 23:57 77,824 --a------ C:\WINNT\system32\EAXAC3.DLL
2006-08-22 23:57 69,632 --a------ C:\WINNT\system32\ctcoinst.dll
2006-08-22 23:57 65,536 --a------ C:\WINNT\system32\a3d.dll
2006-08-22 23:57 606,208 --a------ C:\WINNT\system32\ctsblfx.dll
2006-08-22 23:57 581,632 --a------ C:\WINNT\system32\ctaudfx.dll
2006-08-22 23:57 57,344 --a------ C:\WINNT\system32\CTAGENT.DLL
2006-08-22 23:57 53,248 --a------ C:\WINNT\system32\KILLAPPS.EXE
2006-08-22 23:57 53,248 --a------ C:\WINNT\system32\AC3API.DLL
2006-08-22 23:57 49,152 --a------ C:\WINNT\MIDIDEF.EXE
2006-08-22 23:57 49,152 --a------ C:\WINNT\CTDCRES.DLL
2006-08-22 23:57 462,848 --a------ C:\WINNT\system32\CTDC0001.DLL
2006-08-22 23:57 45,056 --a------ C:\WINNT\system32\CTSPKHLP.DLL
2006-08-22 23:57 36,864 --a------ C:\WINNT\system32\sfman32.dll
2006-08-22 23:57 36,864 --a------ C:\WINNT\system32\REGPLIB.EXE
2006-08-22 23:57 36,864 --a------ C:\WINNT\system32\CTEMUPIA.DLL
2006-08-22 23:57 327,680 --a------ C:\WINNT\system32\CTDC0000.DLL
2006-08-22 23:57 28,672 --a------ C:\WINNT\system32\CTMMEP.DLL
2006-08-22 23:57 24,576 --a------ C:\WINNT\system32\CTHELPER.EXE
2006-08-22 23:57 20,480 --a------ C:\WINNT\system32\ENSDEF.EXE
2006-08-22 23:57 20,480 --a------ C:\WINNT\INRES.DLL
2006-08-22 23:57 184,320 --a------ C:\WINNT\PSCONV.EXE
2006-08-22 23:57 180,224 --a------ C:\WINNT\READREG.EXE
2006-08-22 23:57 172,032 --a------ C:\WINNT\system32\SFMS32.DLL
2006-08-22 23:57 159,744 --a------ C:\WINNT\system32\CTOSUSER.DLL
2006-08-22 23:57 155,648 --a------ C:\WINNT\system32\OPENAL32.DLL
2006-08-22 23:57 143,360 --a------ C:\WINNT\system32\ctdvinst.dll
2006-08-22 23:57 139,264 --a------ C:\WINNT\system32\CTDCIFCE.DLL
2006-08-22 23:57 126,976 --a------ C:\WINNT\system32\CTASIO.DLL
2006-08-22 23:57 118,784 --a------ C:\WINNT\system32\CTSCAL.DLL
2006-08-22 23:57 114,688 --a------ C:\WINNT\system32\PIAPROXY.DLL
2006-08-22 23:57 114,688 --a------ C:\WINNT\system32\commonfx.dll
2006-08-22 23:57 110,592 --a------ C:\WINNT\system32\CTDPROXY.DLL
2006-08-22 23:57 106,496 --a------ C:\WINNT\system32\CTTHXCAL.DLL
2006-08-22 07:41 977,680 --a------ C:\WINNT\system32\vfpodbc.dll
2006-08-22 07:41 74,752 --a------ C:\WINNT\system32\storprop.dll
2006-08-22 07:40 97,792 --a------ C:\WINNT\system32\comrepl.dll
2006-08-22 07:40 956,416 --a------ C:\WINNT\system32\msdtctm.dll
2006-08-22 07:40 91,136 --a------ C:\WINNT\system32\mtxoci.dll
2006-08-22 07:40 81,920 --a------ C:\WINNT\system32\isign32.dll
2006-08-22 07:40 77,584 --a------ C:\WINNT\system32\scripto.dll
2006-08-22 07:40 69,392 --a------ C:\WINNT\system32\shim.dll
2006-08-22 07:40 68,368 --a------ C:\WINNT\system32\regsvc.exe
2006-08-22 07:40 679,424 --a------ C:\WINNT\system32\inetcomm.dll
2006-08-22 07:40 64,512 --a------ C:\WINNT\system32\acctres.dll
2006-08-22 07:40 625,152 --a------ C:\WINNT\system32\catsrvut.dll
2006-08-22 07:40 60,416 --a------ C:\WINNT\system32\colbact.dll
2006-08-22 07:40 58,880 --a------ C:\WINNT\system32\msdtclog.dll
2006-08-22 07:40 56,320 --a------ C:\WINNT\system32\servdeps.dll
2006-08-22 07:40 540,160 --a------ C:\WINNT\system32\comuid.dll
2006-08-22 07:40 5,120 --a------ C:\WINNT\system32\dcomcnfg.exe
2006-08-22 07:40 498,688 --a------ C:\WINNT\system32\clbcatq.dll
2006-08-22 07:40 48,128 --a------ C:\WINNT\system32\inetres.dll
2006-08-22 07:40 444,176 --a------ C:\WINNT\system32\oieng400.dll
2006-08-22 07:40 44,544 --a------ C:\WINNT\system32\hticons.dll
2006-08-22 07:40 426,496 --a------ C:\WINNT\system32\msdtcprx.dll
(continued)

rozsa
2006-09-12, 00:57
2006-08-22 07:40 33,040 --a------ C:\WINNT\system32\dbmsspxn.dll
2006-08-22 07:40 33,040 --a------ C:\WINNT\system32\dbmsadsn.dll
2006-08-22 07:40 28,944 --a------ C:\WINNT\system32\dbmsvinn.dLL
2006-08-22 07:40 274,944 --a------ C:\WINNT\system32\mstask.dll
2006-08-22 07:40 252,928 --a------ C:\WINNT\system32\msoeacct.dll
2006-08-22 07:40 25,360 --a------ C:\WINNT\system32\rapilib.dll
2006-08-22 07:40 24,848 --a------ C:\WINNT\system32\msdart32.dll
2006-08-22 07:40 236,304 --a------ C:\WINNT\system32\msclus.dll
2006-08-22 07:40 227,840 --a------ C:\WINNT\system32\avtapi.dll
2006-08-22 07:40 225,792 --a------ C:\WINNT\system32\catsrv.dll
2006-08-22 07:40 20,480 --a------ C:\WINNT\system32\mtxdm.dll
2006-08-22 07:40 185,344 --a------ C:\WINNT\system32\cmprops.dll
2006-08-22 07:40 183,808 --a------ C:\WINNT\system32\accwiz.exe
2006-08-22 07:40 165,136 --a------ C:\WINNT\system32\ntdsutil.exe
2006-08-22 07:40 146,192 --a------ C:\WINNT\system32\msdtcui.dll
2006-08-22 07:40 131,584 --a------ C:\WINNT\system32\sndrec32.exe
2006-08-22 07:40 130,832 --a------ C:\WINNT\system32\CLUSTER.EXE
2006-08-22 07:40 119,056 --a------ C:\WINNT\system32\sqlstr.dll
2006-08-22 07:40 110,080 --a------ C:\WINNT\system32\clbcatex.dll
2006-08-22 07:40 105,984 --a------ C:\WINNT\system32\msoert2.dll
2006-08-22 07:40 1,267,200 --a------ C:\WINNT\system32\comsvcs.dll
2006-08-22 00:24 112,128 --a------ C:\WINNT\system32\mapi32.dll
2006-08-22 00:24 0 --ah----- C:\CONFIG.SYS
2006-08-22 00:24 0 --ah----- C:\AUTOEXEC.BAT
2006-08-22 00:23 81,920 --a------ C:\WINNT\system32\ils.dll
2006-08-22 00:23 73,728 --a------ C:\WINNT\system32\icwdial.dll
2006-08-22 00:23 69,632 --a------ C:\WINNT\system32\msconf.dll
2006-08-22 00:23 65,536 --a------ C:\WINNT\system32\icwphbk.dll
2006-08-22 00:23 34,560 --a------ C:\WINNT\system32\mnmdd.dll
2006-08-22 00:23 32,768 --a------ C:\WINNT\system32\mnmsrvc.exe
2006-08-22 00:23 28,672 --a------ C:\WINNT\system32\nmmkcert.dll
2006-08-22 00:23 274,432 --a------ C:\WINNT\system32\inetcfg.dll
2006-08-22 00:23 16,384 --a------ C:\WINNT\system32\icfgnt5.dll
2006-08-22 00:23 12,288 --a------ C:\WINNT\system32\nmevtmsg.dll
2006-08-22 00:23 12,288 --a------ C:\WINNT\system32\mstinit.exe
2006-08-22 00:22 61,712 --a------ C:\WINNT\system32\oiui400.dll
2006-08-22 00:22 347,136 --a------ C:\WINNT\system32\hypertrm.dll
2006-08-22 00:22 343,040 --a------ C:\WINNT\system32\mspaint.exe
2006-08-21 23:15 72,192 --a------ C:\WINNT\system32\sdbapiu.dll
2006-08-21 23:15 6,928 --a------ C:\WINNT\system32\perfvd.exe
2006-08-21 23:15 6,656 --a------ C:\WINNT\system32\wuauserv.dll
2006-08-21 23:15 48,200 --a------ C:\WINNT\system32\scrdx86.dll
2006-08-21 23:15 48,200 --a------ C:\WINNT\system32\scrdenrl.dll
2006-08-21 23:15 45,840 --a------ C:\WINNT\system32\msmqprop.exe
2006-08-21 23:15 4,010,496 --a------ C:\WINNT\system32\sp3res.dll
2006-08-21 23:15 382,464 --a------ C:\WINNT\system32\qmgr.dll
2006-08-21 23:15 34,576 --a------ C:\WINNT\system32\wzcsetup.exe
2006-08-21 23:15 24,336 --a------ C:\WINNT\system32\ftpqfe.exe
2006-08-21 23:15 18,944 --a------ C:\WINNT\system32\qmgrprxy.dll
2006-08-21 23:15 18,192 --a------ C:\WINNT\system32\sp4iis.exe
2006-08-21 23:15 124,184 --a------ C:\WINNT\system32\wuauclt.exe
2006-08-21 23:15 11,536 --a------ C:\WINNT\system32\sptsupd.exe
2006-08-21 23:15 1,343,768 --a------ C:\WINNT\system32\wuaueng.dll
2006-08-21 23:14 3,856 --a------ C:\WINNT\system32\SVCPACK1.DLL
2006-08-21 23:06 0 -rahs---- C:\MSDOS.SYS
2006-08-21 23:06 0 -rahs---- C:\IO.SYS
2006-08-21 18:05 85,504 --a------ C:\WINNT\system32\catsrvps.dll
2006-08-21 18:05 80,384 --a------ C:\WINNT\system32\charmap.exe
2006-08-21 18:05 73,216 --a------ C:\WINNT\system32\avwav.dll
2006-08-21 18:05 641,808 --a------ C:\WINNT\system32\xiffr3_0.dll
2006-08-21 18:05 605,696 --a------ C:\WINNT\system32\getuname.dll
2006-08-21 18:05 60,688 --a------ C:\WINNT\system32\imgcmn.dll
2006-08-21 18:05 6,144 --a------ C:\WINNT\system32\msdtc.exe
2006-08-21 18:05 56,832 --a------ C:\WINNT\system32\sol.exe
2006-08-21 18:05 55,296 --a------ C:\WINNT\system32\freecell.exe
2006-08-21 18:05 54,272 --a------ C:\WINNT\system32\stclient.dll
2006-08-21 18:05 5,632 --a------ C:\WINNT\system32\write.exe
2006-08-21 18:05 4,096 --a------ C:\WINNT\system32\mtxex.dll
2006-08-21 18:05 38,160 --a------ C:\WINNT\system32\jpeg2x32.dll
2006-08-21 18:05 35,328 --a------ C:\WINNT\system32\winchat.exe
2006-08-21 18:05 337,680 --a------ C:\WINNT\system32\cdplayer.exe
2006-08-21 18:05 33,552 --a------ C:\WINNT\system32\tifflt.dll
2006-08-21 18:05 27,920 --a------ C:\WINNT\system32\jpeg1x32.dll
2006-08-21 18:05 25,872 --a------ C:\WINNT\system32\oitwa400.dll
2006-08-21 18:05 25,600 --a------ C:\WINNT\system32\comaddin.dll
2006-08-21 18:05 25,088 --a------ C:\WINNT\system32\mtxlegih.dll
2006-08-21 18:05 21,776 --a------ C:\WINNT\system32\oislb400.dll
2006-08-21 18:05 16,384 --a------ C:\WINNT\system32\avmeter.dll
2006-08-21 18:05 147,456 --a------ C:\WINNT\system32\comsnap.dll
2006-08-21 18:05 138,752 --a------ C:\WINNT\system32\sndvol32.exe
2006-08-21 18:05 13,584 --a------ C:\WINNT\system32\imgshl.dll
2006-08-21 18:05 13,072 --a------ C:\WINNT\system32\oissq400.dll
2006-08-21 18:05 13,072 --a------ C:\WINNT\system32\oiprt400.dll
2006-08-21 18:05 123,392 --a------ C:\WINNT\system32\mplay32.exe
2006-08-21 18:05 119,808 --a------ C:\WINNT\system32\winmine.exe
2006-08-21 18:05 114,688 --a------ C:\WINNT\system32\calc.exe
2006-08-21 18:05 11,776 --a------ C:\WINNT\system32\xolehlp.dll
2006-08-21 18:05 102,912 --a------ C:\WINNT\system32\clipbrd.exe
2006-08-21 17:56 5,392 --a------ C:\WINNT\delttsul.exe
2006-08-21 17:56 176,157 --a------ C:\WINNT\system32\dgrpsetu.dll
2006-08-21 17:56 103,424 --a------ C:\WINNT\system32\EqnClass.Dll
2006-08-14 19:52 78,848 --a------ C:\WINNT\system32\nsn15.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-11 16:50 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-09 01:15 -------- d-a------ C:\Program Files\Common Files
2006-09-09 00:54 -------- d-------- C:\Program Files\Common Files\iwkf
2006-09-08 21:07 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-08 21:07 4992 --a------ C:\WINNT\system32\drivers\avgtdi.sys
2006-09-08 21:07 4288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-09-08 21:07 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-09-08 21:07 23424 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-09-08 21:07 -------- d-------- C:\Program Files\Grisoft
2006-09-08 21:07 -------- d-------- C:\Documents and Settings\Trey\Application Data\AVG7
2006-09-08 21:06 -------- d---s---- C:\Documents and Settings\Trey\Application Data\Microsoft
2006-09-07 16:18 -------- d-------- C:\Program Files\Messenger
2006-09-07 16:17 -------- d-------- C:\Program Files\windows media player
2006-09-07 16:17 -------- d-------- C:\Program Files\internet explorer
2006-09-07 16:11 -------- d-------- C:\Program Files\outlook express
2006-09-07 16:11 -------- d-------- C:\Program Files\Common Files\system
2006-09-07 16:03 -------- d-------- C:\Program Files\PSCloner
2006-09-06 17:38 -------- d-------- C:\Program Files\NewzToolz
2006-09-06 17:06 -------- d-------- C:\Documents and Settings\Trey\Application Data\Lavasoft
2006-09-06 16:20 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-06 15:57 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-06 15:47 -------- d-------- C:\Program Files\xerox
2006-09-06 15:44 -------- d-------- C:\Program Files\Online Services
2006-09-06 15:43 -------- d-------- C:\Program Files\netmeeting
2006-09-06 15:43 -------- d-------- C:\Program Files\Movie Maker
2006-09-06 15:43 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-09-06 15:38 -------- d-------- C:\Program Files\Windows NT
2006-09-06 15:38 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-06 15:29 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-09-06 15:29 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-04 14:08 -------- d-------- C:\Program Files\DivX
2006-09-04 00:05 -------- d-------- C:\Program Files\MyGlobalSearch
2006-09-01 06:24 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-01 06:24 -------- d-------- C:\Program Files\Kazaa
2006-09-01 06:05 233472 --a------ C:\Program Files\Uninstall Need2Find Bar.dll
2006-09-01 06:05 -------- d-------- C:\Program Files\Need2Find
2006-09-01 01:50 -------- d-------- C:\Documents and Settings\Trey\Application Data\Kazaa Lite
2006-08-30 13:17 58000 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2006-08-30 13:17 23420 --a------ C:\WINNT\system32\drivers\cdralw2k.sys
2006-08-30 13:17 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-08-27 14:41 -------- d-------- C:\Documents and Settings\Trey\Application Data\Identities
2006-08-27 14:29 -------- d-------- C:\Documents and Settings\Trey\Application Data\Mozilla
2006-08-27 13:39 -------- d-------- C:\Documents and Settings\Trey\Application Data\Sun
2006-08-25 02:02 -------- d-------- C:\Program Files\Java
2006-08-25 02:00 -------- d-------- C:\Program Files\Common Files\Java
2006-08-24 14:24 -------- d-------- C:\Documents and Settings\Trey\Application Data\Macromedia
2006-08-24 00:33 541184 --a------ C:\WINNT\system32\Dead or Alive 4.scr
2006-08-24 00:33 541184 --a------ C:\WINNT\system32\Dead or Alive 4.exe
2006-08-23 20:33 -------- d-------- C:\Program Files\Microsoft Office
2006-08-23 20:32 -------- d-------- C:\Program Files\Snapshot Viewer
2006-08-23 20:32 -------- d-------- C:\Program Files\microsoft frontpage
2006-08-23 20:29 -------- d-------- C:\Program Files\Common Files\Designer
2006-08-23 20:26 -------- d-------- C:\Documents and Settings\Trey\Application Data\Microsoft Web Folders
2006-08-23 19:55 19387 --a------ C:\WINNT\system32\drivers\AegisP.sys
2006-08-23 19:55 -------- d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2006-08-23 01:38 -------- d-------- C:\Program Files\WinZip
2006-08-22 23:59 -------- d-------- C:\Program Files\Creative
2006-08-22 19:20 -------- d-------- C:\Program Files\PowerQuest
2006-08-22 19:11 -------- d-------- C:\Program Files\PartitionMagic
2006-08-22 00:23 271 ---hs---- C:\Program Files\desktop.ini
2006-08-22 00:23 21952 --ah----- C:\Program Files\folder.htt
2006-08-22 00:23 -------- d-------- C:\Program Files\Common Files\Services
2006-08-21 23:18 -------- d-ah----- C:\Program Files\WindowsUpdate
2006-08-21 23:06 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-21 18:05 -------- d-------- C:\Program Files\Accessories
2006-08-21 17:56 -------- d-a------ C:\Program Files\Common Files\ODBC
2006-08-07 10:17 61440 --a------ C:\WINNT\system32\BattyRun2.dll
2006-08-04 10:37 73728 --a------ C:\WINNT\system32\dpl100.dll
2006-08-04 10:37 196608 --a------ C:\WINNT\system32\dtu100.dll
2006-07-26 21:05 3596288 --a------ C:\WINNT\system32\qt-dx331.dll
2006-07-26 21:05 20640 --a------ C:\WINNT\system32\drivers\PxHelp20.sys
2006-07-21 03:24 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-03 16:40 778240 --a------ C:\WINNT\system32\divx_xx0c.dll
2006-07-03 16:40 778240 --a------ C:\WINNT\system32\divx_xx07.dll
2006-07-03 16:40 761856 --a------ C:\WINNT\system32\divx_xx11.dll
2006-07-03 16:40 620180 --a------ C:\WINNT\system32\DivX.dll
2006-06-21 05:49 53248 --a------ C:\WINNT\system32\dpuGUI10.dll
2006-06-21 05:43 520192 --a------ C:\WINNT\system32\DivXsm.exe
2006-06-21 05:42 200704 --a------ C:\WINNT\system32\ssldivx.dll
2006-06-21 05:42 1044480 --a------ C:\WINNT\system32\libdivx.dll
2006-06-21 05:34 593920 --a------ C:\WINNT\system32\dpuGUI11.dll
2006-06-21 05:34 57344 --a------ C:\WINNT\system32\dpv11.dll
2006-06-21 05:34 344064 --a------ C:\WINNT\system32\dpus11.dll
2006-06-21 05:34 294912 --a------ C:\WINNT\system32\dpu11.dll
2006-06-21 05:34 294912 --a------ C:\WINNT\system32\dpu10.dll
2006-06-21 05:33 12288 --a------ C:\WINNT\system32\DivXWMPExtType.dll
2006-06-21 05:33 118784 --a------ C:\WINNT\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"CTHelper"="CTHELPER.EXE"
"QuickTime Task"="\"C:\\documents and settings\\trey\\desktop\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"sys017570991501"="C:\\WINNT\\sys017570991501.exe"
"lqf1e597"="RUNDLL32.EXE w026c5ad.dll,n 0041e59300000003026c5ad"
"win32085017570991"="C:\\WINNT\\win32085017570991.exe"
"ms037099150175"="C:\\WINNT\\ms037099150175.exe"
"w0067185.dll"="RUNDLL32.EXE w0067185.dll,I2 0041e59300067185"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"{B3-34-48-8E-ZN}"="C:\\winnt\\system32\\ojdsregk.exe GEN001"
"TheMonitor"="C:\\WINNT\\Duce6.exe"
"ExploreUpdSched"="C:\\WINNT\\system32\\twinkpex.exe GEN001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PSCloner"="\"C:\\Program Files\\PSCloner\\PSCloner.exe\""
"iwkf"="C:\\PROGRA~1\\COMMON~1\\iwkf\\iwkfm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Completion time: Mon 09/11/2006 16:52:44.72
ComboFix.txt
ComboFix2.txt

Hope this helps.

And I appreciate your help.

Rawe
2006-09-12, 12:11
Let's continue :)

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please rename your HijackThis.exe to hjt.exe. Make sure you run HijackThis next time using this renamed file.

2. Please download Ewido Anti-spyware (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30-day trial of the program.
Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here (http://www.ewido.net/en/download/updates/).

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

==

3. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk ( C: )" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
4. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

5. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.


==

6. IMPORTANT: Do not open any other windows or programs while Ewido is scanning, as it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
Ewido will now begin the scanning process; be patient, as this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HiJackThis log.

rozsa
2006-09-13, 10:13
Here are the updated logs and stuff:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:59 AM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\documents and settings\trey\desktop\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Trey\Desktop\hjt.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,oyfmdje.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\trey\desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [sys017570991501] C:\WINNT\sys017570991501.exe
O4 - HKLM\..\Run: [lqf1e597] RUNDLL32.EXE w026c5ad.dll,n 0041e59300000003026c5ad
O4 - HKLM\..\Run: [win32085017570991] C:\WINNT\win32085017570991.exe
O4 - HKLM\..\Run: [ms037099150175] C:\WINNT\ms037099150175.exe
O4 - HKLM\..\Run: [w0067185.dll] RUNDLL32.EXE w0067185.dll,I2 0041e59300067185
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "D:\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iwkf] C:\PROGRA~1\COMMON~1\iwkf\iwkfm.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:35:10 AM 9/13/2006

+ Scan result:



C:\WINNT\frrvlezq.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\system32\BattyRun2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINNT\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1177238915-484763869-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Start Menu\Programs\UCmore - The Search Accelerator -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll -> Adware.Zango : Cleaned with backup (quarantined).
C:\TIGEN001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINNT\system32\ojdsregk.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
:mozilla.244:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.258:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.271:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.274:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@newsinteractive.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.105:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.111:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.235:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.236:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.237:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.238:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.427:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.428:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.429:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.400:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.401:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup (quarantined).
:mozilla.142:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.147:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Estat : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.380:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.381:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.382:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@need2find[2].txt -> TrackingCookie.Need2find : Cleaned with backup (quarantined).
:mozilla.269:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.275:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.113:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.114:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.281:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.282:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.173:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.318:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.319:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.320:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.321:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.345:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.346:C:\Documents and Settings\Trey\Application
(continued)

rozsa
2006-09-13, 10:14
Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.347:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.348:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.349:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.350:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.351:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.352:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.353:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.303:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.305:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.306:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.307:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.364:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
:mozilla.365:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
:mozilla.398:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Trey\Cookies\trey@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Trey\Application Data\Mozilla\Firefox\Profiles\gxjnf6rr.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end

Rawe
2006-09-13, 11:37
Looking better already.. :)

Go ahead and delete Brute Force Uninstaller, alcanshorty.bfu and uninstall Ewido if you wish. You may also delete VundoFix if you want.

Download KazaaBegone.zip (http://www.spywareinfo.com/~merijn/files/kazaabegone.zip) to your desktop.

Now, unzip it to its own folder on the desktop, open the folder and double-click KazaaBegone.exe to run it. Follow the prompts on screen if there are any, and reboot if the tool asks you to. Reboot anyway even if it doesn't.

Once that is done, please run a scan with HijackThis and check the following objects for removal if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,oyfmdje.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [sys017570991501] C:\WINNT\sys017570991501.exe
O4 - HKLM\..\Run: [lqf1e597] RUNDLL32.EXE w026c5ad.dll,n 0041e59300000003026c5ad
O4 - HKLM\..\Run: [win32085017570991] C:\WINNT\win32085017570991.exe
O4 - HKLM\..\Run: [ms037099150175] C:\WINNT\ms037099150175.exe
O4 - HKLM\..\Run: [w0067185.dll] RUNDLL32.EXE w0067185.dll,I2 0041e59300067185
O4 - HKCU\..\Run: [iwkf] C:\PROGRA~1\COMMON~1\iwkf\iwkfm.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com

Close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

----

Let's run the following online scan...

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)

Note: This scanner is for Internet Explorer only!
Follow the instructions here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy & paste the entire report in your next reply along with a fresh HijackThis log. :bigthumb:
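
Added example (not part of the thread and not HijackThis code): a small Python triage that walks log lines in HijackThis format and flags the entry classes listed above for fixing, namely R0/R1 search settings pointing at an unexpected host, an F2 UserInit value that chains an extra loader, O4 autoruns launched from the Windows directory root or through RUNDLL32 with a pathless DLL, and O15 Trusted Zone additions. The sample lines are constructed from the entries quoted above, and the allowlist of search hosts and the heuristics are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the entries quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,oyfmdje.exe
O4 - HKLM\..\Run: [sys017570991501] C:\WINNT\sys017570991501.exe
O4 - HKLM\..\Run: [lqf1e597] RUNDLL32.EXE w026c5ad.dll,n 0041e59300000003026c5ad
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.elitemediagroup.net
"""

# Hosts treated as expected browser defaults (an assumption for this example).
KNOWN_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com", "www.google.com"}
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

def check_entry(line):
    """Return (kind, reason) for an entry worth reviewing, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        # Search/start page hijack: URL points at a host that is not a known default.
        host = urlsplit(body.split("=", 1)[1].strip()).hostname or ""
        if host not in KNOWN_SEARCH_HOSTS:
            return kind, f"browser setting points at unexpected host {host}"
    elif kind == "F2" and "UserInit=" in body:
        # The legitimate value is userinit.exe alone; anything after the comma runs at every logon.
        extras = [p for p in body.split("UserInit=", 1)[1].split(",")[1:] if p.strip()]
        if extras:
            return kind, f"UserInit chains extra loader(s): {', '.join(extras)}"
    elif kind == "O4":
        target = body.split("]", 1)[1].strip() if "]" in body else body
        # Autorun executable sitting directly in the Windows directory, not in system32.
        if re.match(r'"?[A-Z]:\\(WINNT|WINDOWS)\\[^\\]+\.exe', target, re.I):
            return kind, f"autorun from Windows root: {target}"
        # RUNDLL32 loading a DLL named without any path.
        if re.match(r"RUNDLL32(\.EXE)?\s+[^\\\s]+\.dll", target, re.I):
            return kind, f"RUNDLL32 autorun with pathless DLL: {target}"
    elif kind == "O15":
        # Any Trusted Zone addition lowers IE security for that domain; always review it.
        return kind, f"Trusted Zone addition: {body.split(':', 1)[1].strip()}"
    return None

def triage(log_text):
    """Run check_entry over every line and return the list of (kind, reason)."""
    return [f for f in (check_entry(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}")
```

The heuristics only point a reviewer at entries to look at; an entry such as the AVG autorun above passes through untouched, so the output is a review list, not a verdict.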

rozsa
2006-09-15, 06:17
Here ya go.

Result: 18 malware found
PurityScan (spyware)

* System

RXToolbar (spyware)

* System

Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System

UCmore (spyware)

* System

W32/DLoader.AVER (virus)

* C:\BINTHEREDUNTHAT\MS037099150175.EXE
* C:\BINTHEREDUNTHAT\SYS017570991501.EXE

W32/PurityScan.ADH.dropper (virus)

* C:\WINNT\SRVEJFRRQS.EXE

W32/Smalldrp.GOJ (virus)

* C:\WINNT\SETUP90.EXE


Logfile of HijackThis v1.99.1
Scan saved at 10:17:10 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\documents and settings\trey\desktop\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Trey\Desktop\hjt.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,oyfmdje.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\trey\desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "D:\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Rawe
2006-09-15, 14:20
Please download Qoofix by RubbeR DuckY (http://www.malwarebytes.org/Qoofix.zip):
Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and double-click Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.
Post back with a fresh HijackThis log and the contents of the Qoofix logfile. :)

Note: If you have problems with the Qoofix logfile, open it manually from its own folder -> C:\Qoofix.

rozsa
2006-09-16, 12:54
Here ya go!

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [9/16/2006] at [4:49:18 AM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [9/16/2006] at [4:51:10 AM]

Note: Some registry keys may have been removed.



Logfile of HijackThis v1.99.1
Scan saved at 4:53:36 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\documents and settings\trey\desktop\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
D:\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
D:\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Trey\Desktop\hjt.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\trey\desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "D:\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)



Hey, I was also wondering how I can go about getting rid of this annoying Windows Messenger too that I didn't want. I saw it as an option in HJT and didn't know if that was a safe route to take to just get rid of it there? And thanks again for all the help and time you have given me. :)

Rawe
2006-09-16, 14:44
Yes, these are safe to fix with HijackThis.

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

How's the system running? Problems? Popups? Anything? :)

If you are still having issues I'll check another ComboFix log or we'll run WinPFind.. Let me know.

rozsa
2006-09-17, 01:05
System is running perfectly. No popups or anything. Thank you SO MUCH!
You are awesome!!! I really appreciate all you have done.

-Andrew

Rawe
2006-09-17, 01:19
Great to hear! :bigthumb:


Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use one at a time.)
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Kerio Personal Firewall (http://www.kerio.com/us/kpf_download.html) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp). (Note: only use one at a time.)
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice:
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html)

LonnyRJones
2006-09-24, 11:35
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).