Command.exe Woes



Riceburner206
2006-10-14, 06:00
I've been trying to get rid of this program that's causing popups every time I use IE. Here is a HijackThis log. I've tried some basics like cleaning up the temp files and trying to delete them from my registry/msconfig, but nothing is working. :(

HiJack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:03 PM, on 10/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\V2VuZG5hcmEgUGhvaw\command.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
G:\Program Files\AIM\aim.exe
G:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
G:\Program Files\uTorrent\utorrent.exe
G:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
G:\Program Files\Netropa\Onscreen Display\OSD.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\System32\alg.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\WinRAR\WinRAR.exe
G:\DOCUME~1\RICEBU~1\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [µTorrent] "G:\Program Files\uTorrent\utorrent.exe"
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160612745000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\V2VuZG5hcmEgUGhvaw\command.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

pskelley
2006-10-15, 23:09
Welcome to the forum. It appears you have not read the pinned information at the top of the page where you posted.
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288
Please follow the instructions in that link and post the information from the scanner you choose.

HJT is running from a TEMP folder and we will have no backups for safety if needed. Move HJT.exe to here: C:\HJT\HijackThis.exe. If you need more instructions use these:
http://russelltexas.com/malware/createhjtfolder.htm
While you are there, because we may be dealing with a Vundo infection also, rename HJT to say Riceburner206.exe. If Vundo is present, we should be able to see it in the next HJT log.

Download the trial version of AVG Anti-Spyware 7.5 (formerly ewido anti-spyware 4.0) from here:
http://www.ewido.net/en/download/
Install AVG Anti-Spyware
The program will now go to the main screen.
You will need to update AVG Anti-Spyware to the latest definition files.
On the left-hand side of the main screen click the Update Button.
Click on Start.
The update will start and a progress bar will show the updates being installed.
After the updates are installed, close AVG Anti-Spyware.
Don't run a scan yet.
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Please start AVG Anti-Spyware, and run a full scan.
Click on Scanner
Click on Complete System Scan to start the scan process.
Let the program scan the machine, it may take some time.
AVG Anti-Spyware will list any infections found on the left hand side.
When the scan has finished, it will automatically set the recommended action. Click "Apply all actions". AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click OK.
When the scan finishes click on "Save Report", then "Save Report As". This will create a text file.
Save the report to your Desktop.
Close AVG Anti-Spyware

Post the results from the Antivirus scan, AVG Anti-Spyware scan and a new HJT log. Add any comments you think will help.

Thanks

Riceburner206
2006-10-16, 04:29
Sorry. Forgot to mention I've run Spy-Bot, Trend Micro, and Panda in hopes of removing it. Here are the reports.

AVG Scan Report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:20:31 PM 10/15/2006

+ Scan result:

G:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016104.exe/AutoSearch.dll -> Adware.AutoSearch : Ignored.
G:\WINDOWS\V2VuZG5hcmEgUGhvaw\asappsrv.dll -> Adware.CommAd : Ignored.
G:\WINDOWS\V2VuZG5hcmEgUGhvaw\command.exe -> Adware.CommAd : Ignored.
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Ignored.
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Ignored.
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Ignored.
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Ignored.
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016093.exe -> Adware.MediaMotor : Ignored.
G:\WINDOWS\motorsix.ocx -> Adware.MediaMotor : Ignored.
G:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP25\A0018142.exe -> Adware.PurityScan : Ignored.
G:\WINDOWS\system32\nqay.dll -> Adware.PurityScan : Ignored.
G:\WINDOWS\system32\sуstem32\rυndll_exe.vir -> Adware.PurityScan : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016095.exe -> Adware.SaveNow : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016076.dll -> Adware.SurfSide : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016101.exe -> Adware.SurfSide : Ignored.
G:\WINDOWS\system32\tuvuuss.dll -> Adware.Virtumonde : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016069.exe -> Adware.WebHancer : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016070.dll -> Adware.WebHancer : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016071.exe -> Adware.WebHancer : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016077.dll -> Adware.WebHancer : Ignored.
G:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : Ignored.
G:\Program Files\Common Files\Таsks\netdde.exe -> Downloader.PurityScan.cx : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016108.exe -> Downloader.Small.buy : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016099.exe -> Downloader.Small.cyh : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016100.exe -> Downloader.Small.cyh : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016072.exe -> Downloader.VB.anl : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016073.exe -> Downloader.VB.anl : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016074.exe -> Downloader.VB.anl : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016094.exe -> Downloader.VB.anl : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016092.exe -> Downloader.VB.wz : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016066.exe -> Hijacker.Small : Ignored.
G:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
G:\Program Files\Network Monitor231\netmonasd.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@2o7[2].txt -> TrackingCookie.2o7 : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adrevolver[1].txt -> TrackingCookie.Adrevolver : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@z1.adserver[1].txt -> TrackingCookie.Adserver : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adtech[2].txt -> TrackingCookie.Adtech : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@bluestreak[2].txt -> TrackingCookie.Bluestreak : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Ignored.
G:\Documents and Settings\LocalService\Cookies\system@adservices6.enhance[2].txt -> TrackingCookie.Enhance : Ignored.
G:\Documents and Settings\LocalService\Cookies\system@c.enhance[2].txt -> TrackingCookie.Enhance : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6wjkyegajokq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@as-us.falkag[2].txt -> TrackingCookie.Falkag : Ignored.
G:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@findwhat[1].txt -> TrackingCookie.Findwhat : Ignored.
G:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@qksrv[2].txt -> TrackingCookie.Qksrv : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@questionmarket[1].txt -> TrackingCookie.Questionmarket : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@serving-sys[1].txt -> TrackingCookie.Serving-sys : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@tacoda[1].txt -> TrackingCookie.Tacoda : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@trafficmp[2].txt -> TrackingCookie.Trafficmp : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@zedo[1].txt -> TrackingCookie.Zedo : Ignored.
G:\WINDOWS\system32\tjgoeoqy.dll -> Trojan.BHO.g : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016106.exe -> Trojan.VB.atp : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016117.exe -> Trojan.VB.tg : Ignored.
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016118.exe -> Trojan.VB.tg : Ignored.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 7:28:29 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
G:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
G:\Program Files\Netropa\Onscreen Display\OSD.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\AIM\aim.exe
G:\Program Files\uTorrent\utorrent.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\system32\NOTEPAD.EXE
G:\HiJackThis\RunThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1849F434-68F7-0214-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - G:\WINDOWS\system32\hwbamjsw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {674A8234-6885-0224-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - G:\WINDOWS\system32\.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CCC7525A-E663-434C-BDD0-5A679050B2DA} - G:\WINDOWS\system32\mljge.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [amd_dc_opt] "G:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [µTorrent] "G:\Program Files\uTorrent\utorrent.exe"
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160612745000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O20 - Winlogon Notify: mljge - G:\WINDOWS\system32\mljge.dll
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

Riceburner206
2006-10-16, 04:33
This is the ActiveScan by Panda. It didn't copy and paste very well. It looks a lot better in Notepad, but hopefully it'll help you out...

Incident Status Location

Adware:Adware/CommAd G:\WINDOWS\V2VuZG5hcmEgUGhvaw\command.exe
Adware:Adware/CommAd G:\WINDOWS\V2VuZG5hcmEgUGhvaw\asappsrv.dll
Adware:adware/commad g:\windows\system32\atmtd.dll
Adware:adware/mirar g:\windows\system32\WinNB57.dll
Potentially unwanted tool:application/winfixer2005 g:\windows\downloaded program files\USDR6_0001_D08M0404NetInstaller.exe
Adware:adware/webhancer g:\windows\webhdll.dll_tobedeleted
Spyware:spyware/media-motor Windows Registry
Adware:adware/adrotator Windows Registry
Adware:adware/sidesearch Windows Registry
Spyware:Cookie/YieldManager G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adrevolver[2].txt
Spyware:Cookie/Adrevolver G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adrevolver[3].txt
Spyware:Cookie/PointRoll G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ads.pointroll[2].txt
Spyware:Cookie/Advertising G:\Documents and Settings\Riceburner206\Cookies\riceburner206@advertising[1].txt
Spyware:Cookie/Apmebf G:\Documents and Settings\Riceburner206\Cookies\riceburner206@apmebf[2].txt
Spyware:Cookie/Falkag G:\Documents and Settings\Riceburner206\Cookies\riceburner206@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT G:\Documents and Settings\Riceburner206\Cookies\riceburner206@atdmt[2].txt
Spyware:Cookie/Atwola G:\Documents and Settings\Riceburner206\Cookies\riceburner206@atwola[1].txt
Spyware:Cookie/Casalemedia G:\Documents and Settings\Riceburner206\Cookies\riceburner206@casalemedia[1].txt
Spyware:Cookie/Doubleclick G:\Documents and Settings\Riceburner206\Cookies\riceburner206@doubleclick[1].txt
Spyware:Cookie/ErrorSafe G:\Documents and Settings\Riceburner206\Cookies\riceburner206@errorsafe[2].txt
Spyware:Cookie/FastClick G:\Documents and Settings\Riceburner206\Cookies\riceburner206@fastclick[1].txt
Spyware:Cookie/Mediaplex G:\Documents and Settings\Riceburner206\Cookies\riceburner206@mediaplex[1].txt
Spyware:Cookie/QkSrv G:\Documents and Settings\Riceburner206\Cookies\riceburner206@qksrv[2].txt
Spyware:Cookie/QuestionMarket G:\Documents and Settings\Riceburner206\Cookies\riceburner206@questionmarket[1].txt
Spyware:Cookie/RealMedia G:\Documents and Settings\Riceburner206\Cookies\riceburner206@realmedia[2].txt
Spyware:Cookie/Reliablestats G:\Documents and Settings\Riceburner206\Cookies\riceburner206@stats1.reliablestats[2].txt
Spyware:Cookie/Traffic Marketplace G:\Documents and Settings\Riceburner206\Cookies\riceburner206@trafficmp[2].txt
Spyware:Cookie/Tribalfusion G:\Documents and Settings\Riceburner206\Cookies\riceburner206@tribalfusion[1].txt
Spyware:Cookie/Winantivirus G:\Documents and Settings\Riceburner206\Cookies\riceburner206@winantivirus[2].txt
Spyware:Cookie/ErrorSafe G:\Documents and Settings\Riceburner206\Cookies\riceburner206@www.errorsafe[1].txt
Spyware:Cookie/Winantivirus G:\Documents and Settings\Riceburner206\Cookies\riceburner206@www.winantivirus[1].txt
Spyware:Cookie/Adserver G:\Documents and Settings\Riceburner206\Cookies\riceburner206@z1.adserver[1].txt
Spyware:Cookie/Zedo G:\Documents and Settings\Riceburner206\Cookies\riceburner206@zedo[2].txt
Adware:Adware/PurityScan G:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Adware:Adware/PurityScan G:\Program Files\Common Files\??sks\netdde.exe
Adware:Adware/SearchAid G:\Program Files\Network Monitor231\netmonasd.exe
Potentially unwanted tool:Application/VSToolbar G:\WINDOWS\system32\gequceic.exe
Possible Virus. G:\WINDOWS\system32\s?stem32\r?ndll.exe
Spyware:Spyware/Virtumonde G:\WINDOWS\system32\tjgoeoqy.dll
Spyware:Spyware/Virtumonde G:\WINDOWS\system32\tuvuuss.dll
Adware:Adware/CommAd G:\WINDOWS\V2VuZG5hcmEgUGhvaw\pZpRt3c1wAH0o31SuT.vbs
Virus:W32/EnerKaz I:\Shawn's Files\Tiny Backup\Documents from Tiny\j2re-1_4_1_01-windows-i586.exe
Virus:W32/EnerKaz I:\Shawn's Files\Tiny Backup\My Download Files\dap53.exe
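
Two things in the AVG and Panda reports above deserve a second look before anything is deleted: the folder `G:\WINDOWS\V2VuZG5hcmEgUGhvaw` has a name that is a valid base64 string, and the paths `system32\sуstem32\rυndll_exe.vir` and `Common Files\Таsks` contain Cyrillic and Greek letters that look identical to Latin ones (which is why Panda printed them as `s?stem32`, `r?ndll.exe` and `??sks`). The script below is an added example, not a tool from this thread or from AVG, Panda or HijackThis; it parses AVG-style result lines (constructed here from the lines in the reports above), reports findings that were only "Ignored", and flags path components that contain non-ASCII lookalike characters or that decode from base64 to plain text. The function and regex names are my own.

```python
import base64
import re
import unicodedata

# Constructed sample: result lines copied from the AVG report and HJT process
# list in this thread (the Cyrillic/Greek letters are copied as they appear).
SAMPLE_LINES = [
    r"G:\WINDOWS\V2VuZG5hcmEgUGhvaw\command.exe -> Adware.CommAd : Ignored.",
    r"G:\WINDOWS\system32\sуstem32\rυndll_exe.vir -> Adware.PurityScan : Ignored.",
    r"G:\Program Files\Common Files\Таsks\netdde.exe -> Downloader.PurityScan.cx : Ignored.",
    r"G:\WINDOWS\system32\tuvuuss.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).",
    r"G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe",
]

# "<path> -> <detection> : <action>."  (AVG Anti-Spyware report format)
AVG_LINE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")
# A folder name made only of base64 alphabet characters, at least 12 long
BASE64_NAME = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def parse_line(line):
    """Split an AVG result line into path / detection / action.
    Plain HijackThis process-list lines have no ' -> ' and get action None."""
    m = AVG_LINE.match(line.strip())
    if not m:
        return {"path": line.strip(), "detection": None, "action": None}
    return m.groupdict()


def homoglyph_components(path):
    """Return [(component, [(char, unicode_name), ...])] for each path component
    containing a non-ASCII character. A Cyrillic 'у' inside 'system32' looks
    identical to the Latin letter on screen but names a different directory,
    so a scanner that only knows the real %WINDIR%\\system32 will not look there."""
    hits = []
    for comp in path.split("\\"):
        odd = [(c, unicodedata.name(c, "UNKNOWN")) for c in comp if ord(c) > 127]
        if odd:
            hits.append((comp, odd))
    return hits


def base64_components(path):
    """Return [(component, decoded_text)] for path components that are valid
    base64 and decode to printable ASCII. Heuristic only: a random-looking
    folder directly under %WINDIR% is worth checking, and this one decodes."""
    out = []
    for comp in path.split("\\"):
        if not BASE64_NAME.match(comp):
            continue
        padded = comp + "=" * (-len(comp) % 4)   # restore any stripped '='
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            continue
        if raw and all(32 <= b < 127 for b in raw):
            out.append((comp, raw.decode("ascii")))
    return out


def triage(lines):
    """Summarise one report: findings that were merely 'Ignored' (still on
    disk), and paths carrying homoglyph or base64-encoded components."""
    report = {"ignored": [], "homoglyph": [], "base64": []}
    for line in lines:
        rec = parse_line(line)
        if rec["action"] and rec["action"].lower().startswith("ignored"):
            report["ignored"].append(rec["path"])
        if homoglyph_components(rec["path"]):
            report["homoglyph"].append(rec["path"])
        for comp, text in base64_components(rec["path"]):
            report["base64"].append((rec["path"], comp, text))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("Findings left as Ignored:", len(result["ignored"]))
    for p in result["homoglyph"]:
        print("lookalike characters:", p, homoglyph_components(p))
    for p, comp, text in result["base64"]:
        print("base64 folder name:", comp, "->", repr(text), "in", p)
```

On the sample lines the script reports three findings still "Ignored", two paths with lookalike characters (each odd character is printed with its Unicode name, e.g. CYRILLIC SMALL LETTER U), and the one base64 folder name with its decoded text. The base64 check is a heuristic and will occasionally match a harmless name, so treat its output as a prompt to inspect the folder, not as a verdict.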

pskelley
2006-10-16, 13:53
You "Ignored" the junk AVG located?? Make sure you are running it in safe mode, run it again and delete or quarantine everything it locates unless you know it is not bad.
Edit out all references to cookies and G:\System Volume Information\_restore

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

Post the AVG scan results again and a new HJT log, and the results of the Vundofix.

Thanks

Riceburner206
2006-10-17, 04:39
Sorry about the AVG thing the first time. I was confused on what to do and I didn't want to mess anything up so I just ignored everything. Hopefully I did it right this time. Here are the reports that were requested.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:22:25 PM 10/16/2006

+ Scan result:



G:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016104.exe/AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
G:\WINDOWS\V2VuZG5hcmEgUGhvaw\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
G:\WINDOWS\V2VuZG5hcmEgUGhvaw\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1004336348-2147203641-1003\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016093.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
G:\WINDOWS\motorsix.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
G:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP25\A0018142.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
G:\WINDOWS\system32\nqay.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
G:\WINDOWS\system32\sуstem32\rυndll_exe.vir -> Adware.PurityScan : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016095.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016076.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016101.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
G:\WINDOWS\system32\tuvuuss.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016069.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016070.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016071.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016077.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
G:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : Cleaned with backup (quarantined).
G:\Program Files\Common Files\Таsks\netdde.exe -> Downloader.PurityScan.cx : Cleaned with backup (quarantined).
G:\Program Files\Common Files\Yazzle1281OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016108.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016099.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016100.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016072.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016073.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016074.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016094.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016092.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016066.exe -> Hijacker.Small : Cleaned with backup (quarantined).
G:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
G:\Program Files\Network Monitor231\netmonasd.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
G:\Documents and Settings\LocalService\Cookies\system@adservices6.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
G:\Documents and Settings\LocalService\Cookies\system@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6wfkiuncpigo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6wfl4emajslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6wfl4gpdjwhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6whl4kjdpogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6whlocgdjcep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6wjk4knczefo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@e-2dj6wjkyegajokq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
G:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
G:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ehg-newegg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@overture[1].txt -> TrackingCookie.Overture : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
G:\Documents and Settings\Riceburner206\Cookies\riceburner206@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
G:\WINDOWS\system32\tjgoeoqy.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016106.exe -> Trojan.VB.atp : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016117.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{D171C10F-240E-4367-BA73-95045B7F6E04}\RP23\A0016118.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

G:\WINDOWS\system32\mljge.dll
G:\WINDOWS\system32\egjlm.ini
G:\WINDOWS\system32\egjlm.bak2

VundoFix V6.2.4

Checking Java version...

Sun Java not detected
Scan started at 7:30:54 PM 10/16/2006

Listing files found while scanning....

G:\WINDOWS\system32\hwbamjsw.dll
G:\WINDOWS\system32\gequceic.exe
G:\WINDOWS\system32\mljge.dll
G:\WINDOWS\system32\egjlm.ini
G:\WINDOWS\system32\egjlm.bak2

Beginning removal...

Attempting to delete G:\WINDOWS\system32\hwbamjsw.dll
G:\WINDOWS\system32\hwbamjsw.dll Has been deleted!

Attempting to delete G:\WINDOWS\system32\gequceic.exe
G:\WINDOWS\system32\gequceic.exe Has been deleted!

Attempting to delete G:\WINDOWS\system32\mljge.dll
G:\WINDOWS\system32\mljge.dll Could not be deleted.

Attempting to delete G:\WINDOWS\system32\egjlm.ini
G:\WINDOWS\system32\egjlm.ini Has been deleted!

Attempting to delete G:\WINDOWS\system32\egjlm.bak2
G:\WINDOWS\system32\egjlm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete G:\WINDOWS\system32\mljge.dll
G:\WINDOWS\system32\mljge.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 7:37:56 PM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
G:\Program Files\AIM\aim.exe
G:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
G:\Program Files\Netropa\Onscreen Display\OSD.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\WINDOWS\system32\wuauclt.exe
G:\HiJackThis\RunThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1849F434-68F7-0214-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - G:\WINDOWS\system32\hwbamjsw.dll (file missing)
O2 - BHO: (no name) - {321C18A5-1348-4FFF-8886-69C3BA449339} - G:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {674A8234-6885-0224-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - G:\WINDOWS\system32\.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [amd_dc_opt] "G:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [µTorrent] "G:\Program Files\uTorrent\utorrent.exe"
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160612745000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

pskelley
2006-10-17, 14:24
Good job, things are looking much better. Let's do some cleanup like this.

First I want to clean System Restore files at the end and you have some real junk backed up there. They cannot harm you unless you use SR, so do not.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {1849F434-68F7-0214-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - G:\WINDOWS\system32\hwbamjsw.dll (file missing)
O2 - BHO: (no name) - {321C18A5-1348-4FFF-8886-69C3BA449339} - G:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {674A8234-6885-0224-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - G:\WINDOWS\system32\.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked".

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a last HJT log, let me know how the computer is running now.

Thanks
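
The fix list above is exactly the BHO registrations whose DLL is gone: the "(file missing)" entries plus the nameless "\.dll" one, while "(no name)" on its own is not a signal (Spybot's SDHelper.dll shows as "(no name)" too). The following script is an added example, not a tool from this thread or from HijackThis; it parses O2 lines in the HJT log format and flags the orphaned entries, using the O2 and O3 lines from the 10/16 log as sample input.

```python
"""Triage of HijackThis 'O2 - BHO' lines (added example, not part of the thread).

An orphaned BHO registration is one whose DLL is reported '(file missing)' or
whose path has no file name at all (e.g. G:\\WINDOWS\\system32\\.dll).  Those are
the entries a helper would ask to have 'Fix Checked'; a '(no name)' label alone
is not a reason, since legitimate helpers such as SDHelper.dll show it too.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str
    path: str
    file_missing: bool

    @property
    def reason(self) -> Optional[str]:
        """Why the entry is orphaned, or None when the DLL is present and named."""
        if self.file_missing:
            return "file missing"
        base = ntpath.basename(self.path)          # handles backslashes on any OS
        if not base or base.startswith("."):      # '' or '.dll': no real file name
            return "empty file name"
        return None


def parse_o2(lines) -> List[Bho]:
    """Return the O2 entries found in an HJT log; every other section is skipped."""
    found = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].upper(), m["path"],
                             m["missing"] is not None))
    return found


def orphaned(bhos: List[Bho]) -> List[Bho]:
    """The subset of entries a helper would put on the 'Fix Checked' list."""
    return [b for b in bhos if b.reason is not None]


# Sample input: the O2/O3 lines from the 10/16 HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1849F434-68F7-0214-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - G:\WINDOWS\system32\hwbamjsw.dll (file missing)
O2 - BHO: (no name) - {321C18A5-1348-4FFF-8886-69C3BA449339} - G:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {674A8234-6885-0224-A0AB-6643C460F7BD} - G:\WINDOWS\system32\nqay.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - G:\WINDOWS\system32\.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
"""

if __name__ == "__main__":
    for b in orphaned(parse_o2(SAMPLE_LOG.splitlines())):
        print(f"{b.clsid}  {b.reason:16}  {b.path}")
```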

Riceburner206
2006-10-17, 18:47
HJT Report. =] Thanks. It seems like my computer is WAYYY better already!! Next paycheck I'm donating some cashes!! :)

Logfile of HijackThis v1.99.1
Scan saved at 9:45:38 AM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\AIM\aim.exe
G:\Program Files\uTorrent\utorrent.exe
G:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
G:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
G:\Program Files\Netropa\Onscreen Display\OSD.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\system32\wuauclt.exe
G:\HiJackThis\RunThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [amd_dc_opt] "G:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [µTorrent] "G:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160612745000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

pskelley
2006-10-17, 19:13
Good to hear you are running better :bigthumb: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing...tashi:) will close your topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-10-23, 05:14
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers. :)