pops.mmohsix, adpoppers(I think?) and other extreme widescreen explorer windows



kap384
2006-10-22, 08:24
Sorry, don't have an online virus scan to post, just the HiJackThis log. I'm running Firefox, and the only online anti-virus that was compatible was Trend Micro. It wouldn't work for me.

Logfile of HijackThis v1.99.1
Scan saved at 11:16:40 PM, on 21/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
D:\PROGRA~1\avgamsvr.exe
D:\PROGRA~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\PROGRA~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\AdwareAlert\AdwareAlert.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mmputt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
D:\Program Files\iPod\bin\iPodService.exe
C:\ANTISPYWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telus.net/success
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [adwarealert] D:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht!http://adsextend.net/zscript/yea.chm::/recife.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/motorsix.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126379352609
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adsextend.net/zscript/winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


Thanks!

Shaba
2006-10-22, 12:01
Hi kap384

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.gif

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

kap384
2006-10-22, 20:10
As requested:

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Adobe Photoshop CS2
Ahead InCD
Ahead NeroMediaPlayer
Apple Software Update
ASUS Probe V2.20.08
AsusUpdate
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI HydraVision
ATI Multimedia Center 8.1.0.0
AVG Free Edition
BroadJump Client Foundation
Cakewalk Pyro 2003
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Citrix Web Client
DAO
dukes_screensaver Screen Saver
FaxTools
Ford GT Screensaver
FreshDiagnose
Google Earth
HijackThis 1.99.1
InterVideo WinDVD 4
InterVideo WinDVD Creator
iPod for Windows 2005-06-26
iTunes
J2SE Runtime Environment 5.0 Update 6
Leisure Suit Larry - Magna Cum Laude
Lexmark X5100 Series
LiveUpdate 1.7 (Symantec Corporation)
Logitech Gaming Software
Logitech iTouch Software
Logitech MouseWare 9.75
Macromedia Flash Player 8
Macromedia Shockwave Player
Marvell Miniport Driver
McAfee QuickClean
media-motor.net
Microsoft Combat Flight Simulator 2
Microsoft Office XP Professional with FrontPage
Microsoft Rise Of Nations
Mozilla Firefox (1.5)
Mozilla Thunderbird (1.5)
MSXML4 Parser
Nero - Burning Rom
NVIDIA nForce Drivers
QuickTax 2003 Standard
QuickTax 2004
QuickTax 2005
QuickTime
RegScrubXP 3.25
SATARaid
SereneScreen Marine Aquarium 2
Spybot - Search & Destroy 1.4
Update for Windows XP (KB898461)
Voice Editor
Wallpaper Changer for Windows XP
webHancer Survey Companion
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WingMan Software
WinRAR archiver
WinZip

Shaba
2006-10-22, 20:17
Hi

Uninstall these:

media-motor.net
webHancer Survey Companion

Open HijackThis, click "Do a system scan only" and checkmark these:

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht!http://adsextend.net/zscript/yea.chm::/recife.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/motorsix.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adsextend.net/zscript/winfix....reeInstall.cab

Close all windows, including your browser, and press Fix checked.

Reboot

Delete if present:

C:\Program Files\webHancer\
C:\WINDOWS\mmputt.exe

Send a fresh HijackThis log.
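
A small triage script, added here as an example and not part of this thread or of HijackThis itself, that parses the `Rn`/`Onn` entry format of the logs above and flags the same kinds of entries the helper picked out by hand: the orphaned URLSearchHook, Trusted Zone entries for the Mirar and media-motor domains, O16 DPF objects loaded through ms-its:mhtml, and the webHancer and mmputt.exe Run keys. The domain and Run-key lists are assumptions drawn only from this thread, the sample lines are copied from the first log, and the function names are mine.

```python
"""Triage helper for HijackThis v1.99 log entries (added example, not from the thread).

Entry format parsed:  <section> - <body>, e.g.
  O16 - DPF: {CLSID} - http://host/file.cab
The checks encode the indicators the helper picked out by hand in this thread;
the domain and Run-key lists below are assumptions drawn from those posts, not
a vendor database.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")

# Indicators taken from the posts above (constructed lists for this example).
AD_DOMAINS = ("getmirar.com", "mirarsearch.com", "media-motor.net", "adsextend.net")
AD_RUN_NAMES = ("webhancer", "mmcrat06")
AD_PATH_FRAGMENTS = ("\\webhancer\\", "\\mmputt.exe")

# Constructed sample: a handful of lines copied from the first log in this thread.
SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telus.net/success
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/motorsix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126379352609
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht!http://adsextend.net/zscript/yea.chm::/recife.exe
'''


@dataclass
class Entry:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    def as_hjt_line(self) -> str:
        """Re-emit the entry exactly as HijackThis prints it (for a 'checkmark these' list)."""
        return f"{self.section} - {self.body}"


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an 'Rn - ...' / 'Onn - ...' line, or None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group("section"), m.group("body")) if m else None


def _mentions_ad_domain(text: str) -> bool:
    low = text.lower()
    return any(domain in low for domain in AD_DOMAINS)


def triage(entry: Entry) -> Entry:
    """Attach a reason for every indicator the entry matches; unmatched entries stay clean."""
    low = entry.body.lower()
    if entry.section == "R3" and "(no file)" in low:
        # A URLSearchHook whose DLL is gone: a dead registration left behind by removed adware.
        entry.reasons.append("URLSearchHook with no backing file")
    if entry.section == "O15" and _mentions_ad_domain(entry.body):
        # Trusted Zone entries relax IE's security settings for that site.
        entry.reasons.append("ad domain added to IE Trusted Zone")
    if entry.section == "O16":
        if "ms-its:mhtml:" in low:
            # Object fetched through the ms-its/mhtml handlers out of a .chm, not a plain .cab URL.
            entry.reasons.append("DPF object loaded from a CHM via ms-its:mhtml")
        if _mentions_ad_domain(entry.body):
            entry.reasons.append("DPF object downloaded from ad domain")
    if entry.section == "O4":
        m = RUN_NAME_RE.search(entry.body)
        name = m.group("name").lower() if m else ""
        if any(n in name for n in AD_RUN_NAMES) or any(p in low for p in AD_PATH_FRAGMENTS):
            entry.reasons.append("Run key launches a known adware executable")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse a whole HijackThis log and triage every entry in it."""
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return [triage(e) for e in entries]


def fix_list(entries: List[Entry]) -> List[str]:
    """Lines to checkmark in HijackThis, in the same format the helper posted."""
    return [e.as_hjt_line() for e in entries if e.suspicious]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        if entry.suspicious:
            print(entry.as_hjt_line(), "  <--", "; ".join(entry.reasons))
```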

kap384
2006-10-22, 20:55
Logfile of HijackThis v1.99.1
Scan saved at 11:54:08 AM, on 22/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\PROGRA~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\PROGRA~1\avgamsvr.exe
D:\PROGRA~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\ANTISPYWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telus.net/success
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [adwarealert] D:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126379352609
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Shaba
2006-10-22, 20:57
Looking good :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK.
Now under Select a target to scan, select My Computer.
The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log.

kap384
2006-10-22, 21:03
I can't get past this screen. I choose 'Accept' at the bottom and nothing happens. Is it the fact that I'm running Firefox instead of IE?

kap384

'Warning: if you have installed Kaspersky Online Scanner BETA, please manually uninstall it using "Add/Remove Programs" before installing this version! Otherwise this version will not function correctly.

Benefits:

# Kaspersky Anti-Virus exceptional detection rates and thorough scanning
# Hourly AV database updates available each time the Online Scanner is launched
# Heuristic analysis to detect unknown viruses
# Simple installation (just click on a link)


Requirements and limitations:

# When using this service for the first time, you have to run with Administrator privileges in order to install the product. Also, you will need to download and install files about 400 KB in size (about 1 minute on a 57.6 kbps connection) followed by 7 MB of virus definitions.
# However, if you use the Online Scanner again, you will only need to download the files that have been updated since your last scan.
# The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 5.0 or higher.
# We cannot guarantee that the Online Scanner will function correctly if you are using any other browser or any Internet Explorer extensions (such as AvantBrowser). If you use a different browser, you can use the Kaspersky File Scanner to scan individual files.
# The free Kaspersky Online Scanner does not scan RAM, boot sectors and MBRs, so it cannot detect malicious code located in these areas.
# Please note: The free Kaspersky Online Scanner does not protect against malicious code, and cannot prevent future infections. It only detects malware that has already penetrated your computer. We strongly recommend that you install a full antivirus solution to protect your system.


Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious programs found on your computer during the scanning process. The information will be sent to the Kaspersky Virus Lab for statistical purposes. No personal information about you or specific information about your system will be collected or transmitted to Kaspersky Lab.'

Shaba
2006-10-23, 09:47
Hi

Yes, you must use Internet Explorer for Kaspersky scan.

kap384
2006-10-24, 05:31
HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 8:31:55 PM, on 23/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\avgcc.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\PROGRA~1\avgamsvr.exe
D:\PROGRA~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\FIREFOX\FIREFOX.EXE
C:\ANTISPYWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telus.net/success
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [adwarealert] D:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126379352609
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 23, 2006 8:30:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/10/2006
Kaspersky Anti-Virus database records: 234196
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 49220
Number of viruses found: 15
Number of infected objects: 46 / 0
Number of suspicious objects: 3
Duration of the scan process: 00:36:55

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\WinNB58.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\aff_0006.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\WINDOWS\aff_0006.exe CAB: infected - 1 skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\whCC-GIANT.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\WINDOWS\whCC-GIANT.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\WINDOWS\whCC-GIANT.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\WINDOWS\whCC-GIANT.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\WINDOWS\whCC-GIANT.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\WINDOWS\whCC-GIANT.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\WINDOWS\whCC-GIANT.exe RarSFX: infected - 6 skipped
C:\WINDOWS\MirarSetup_876075.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temp\__unin__.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Documents and Settings\Kris\Local Settings\Temp\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\Kris\Local Settings\Temp\PerfectNavUninstall.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Kris\Local Settings\Temp\ADMCache\adm20.tmp/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\Kris\Local Settings\Temp\ADMCache\adm20.tmp/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Documents and Settings\Kris\Local Settings\Temp\ADMCache\adm20.tmp CAB: infected - 2 skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0008 Infected: Trojan-Downloader.Win32.Small.alx skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0009/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0009 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0005 Infected: not-a-virus:AdWare.Win32.Perfnav.a skipped
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe NSIS: infected - 8 skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mmxsnet.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.q skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp.cab/NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp.cab CAB: infected - 1 skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp/NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp CAB: infected - 1 skipped
C:\Documents and Settings\Kris\Local Settings\Temp\NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\Kris\Local Settings\Temp\~DFA243.tmp Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\KRHFIM3L\motorsix[1].cab/motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\KRHFIM3L\motorsix[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\41U30T6N\optimize[1].exe Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\9C4ZTXSD\aff_0006[1].exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\9C4ZTXSD\aff_0006[1].exe CAB: infected - 1 skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\SLANK1YF\unstall[1].exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe RarSFX: infected - 6 skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\key3.db Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\history.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat Object is locked skipped
C:\errlgr.txt Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\ANTISPYWARE\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\ANTISPYWARE\backups\backup-20061022-114935-557 Suspicious: Exploit.HTML.Mht skipped
C:\ANTISPYWARE\backups\backup-20061022-114935-737 Suspicious: Exploit.HTML.Mht skipped
D:\Program Files\AdwareAlert\Log\log_2006_10_23_18_12_48.log Object is locked skipped

Scan process completed.

Shaba
2006-10-24, 17:44
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\aff_0006.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\MirarSetup_876075.exe
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll
C:\Documents and Settings\Kris\Local Settings\Temp\__unin__.exe
C:\Documents and Settings\Kris\Local Settings\Temp\PerfectNavUninstall.exe
C:\Documents and Settings\Kris\Local Settings\Temp\ADMCache\adm20.tmp
C:\Documents and Settings\Kris\Local Settings\Temp\UpdatedUpdaterInstall.exe
C:\Documents and Settings\Kris\Local Settings\Temp\mmxsnet.exe
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp.cab
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\KRHFIM3L\motorsix[1].cab
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\41U30T6N\optimize[1].exe
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\9C4ZTXSD\aff_0006[1].exe
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\SLANK1YF\unstall[1].exe
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\G16ZWDIV\whCC-GIANT[2].exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder -> C:\!KillBox

Empty Recycle Bin

Re-scan with Kaspersky

Send:

- a fresh HijackThis log
- Kaspersky report

kap384
2006-10-26, 06:10
Logfile of HijackThis v1.99.1
Scan saved at 9:10:00 PM, on 25/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\PROGRA~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\PROGRA~1\avgamsvr.exe
D:\PROGRA~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\FIREFOX\FIREFOX.EXE
C:\ANTISPYWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telus.net/success
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [adwarealert] D:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126379352609
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 25, 2006 9:07:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/10/2006
Kaspersky Anti-Virus database records: 235001
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 48796
Number of viruses found: 14
Number of infected objects: 51 / 0
Number of suspicious objects: 3
Duration of the scan process: 00:38:34

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temp\~DF9FDF.tmp Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp/NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp CAB: infected - 1 skipped
C:\Documents and Settings\Kris\Local Settings\Temp\NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\MSHist012006102520061026\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\key3.db Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\history.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\9drz4m46.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\change.log Object is locked skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030754.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030755.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030755.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030756.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030757.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030758.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030770.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030771.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030772.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030772.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030773.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.q skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0008 Infected: Trojan-Downloader.Win32.Small.alx skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0009/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0009 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0005 Infected: not-a-virus:AdWare.Win32.Perfnav.a skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe NSIS: infected - 8 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030775.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030775.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030776.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030777.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030778.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030779.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030780.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030780.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030781.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\errlgr.txt Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\ANTISPYWARE\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\ANTISPYWARE\backups\backup-20061022-114935-557 Suspicious: Exploit.HTML.Mht skipped
C:\ANTISPYWARE\backups\backup-20061022-114935-737 Suspicious: Exploit.HTML.Mht skipped
D:\Program Files\AdwareAlert\Log\log_2006_10_25_20_16_32.log Object is locked skipped
D:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\change.log Object is locked skipped

Scan process completed.
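
The Kaspersky report above is easier to act on when read mechanically rather than by eye: most of its lines are "Object is locked skipped" noise, an infected archive is listed once per member and once more for the container, and the hits under System Volume Information are restore-point copies rather than live files. The Python below is an added example, not the scanner's or the forum's own code. It parses the report's line format and lists the on-disk files that carry a detection, keeping restore-point copies and "Suspicious" flags apart from the files a file-level cleanup would target. The sample lines are copied from the report above; the regular expressions and the `Entry` structure are my assumptions about the format, derived from those lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied verbatim from the Kaspersky Online Scanner
# report posted above (a constructed subset, not the whole report).
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\WINDOWS\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped",
    r"C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp/NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped",
    r"C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp CAB: infected - 1 skipped",
    r"C:\Documents and Settings\Kris\Local Settings\Temp\NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped",
    r"C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe/data0008 Infected: Trojan-Downloader.Win32.Small.alx skipped",
    r"C:\System Volume Information\_restore{B6952127-BF68-4366-AC54-F17F3D596047}\RP413\A0030774.exe NSIS: infected - 8 skipped",
    r"C:\ANTISPYWARE\hijackthis.log Suspicious: Exploit.HTML.Mht skipped",
]

# Line shapes as they appear in the report (assumed format, inferred from the sample).
_LOCKED = re.compile(r"^(?P<path>.+) Object is locked skipped$")
_DETECT = re.compile(r"^(?P<path>.+) (?P<kind>Infected|Suspicious): (?P<name>\S+) skipped$")
_CONTAINER = re.compile(r"^(?P<path>.+) (?P<fmt>[A-Za-z0-9]+): infected - (?P<count>\d+) skipped$")

# Restore-point copies live under this path; they are cleared by purging
# System Restore, not by deleting individual files.
_RESTORE_MARKER = r"\system volume information\_restore"


@dataclass
class Entry:
    path: str             # full object name, including any "/member" inside an archive
    host: str             # the on-disk file that contains the object
    status: str           # "locked", "infected", "suspicious" or "container"
    name: str             # detection name, empty for locked/container lines
    in_restore_point: bool


def host_file(path: str) -> str:
    """Archive members are written as <file>/<member>; keep only the on-disk file."""
    return path.split("/", 1)[0]


def parse_line(line: str):
    """Return an Entry for a result line, or None for headers and statistics."""
    line = line.rstrip("\r\n")
    m = _DETECT.match(line)
    if m:
        status, name = m["kind"].lower(), m["name"]
    else:
        m = _CONTAINER.match(line)
        if m:
            status, name = "container", ""
        else:
            m = _LOCKED.match(line)
            if not m:
                return None
            status, name = "locked", ""
    host = host_file(m["path"])
    return Entry(m["path"], host, status, name, _RESTORE_MARKER in host.lower())


def parse_report(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def summarize(entries):
    """Group detections per on-disk file and separate the noise from the work list."""
    names = defaultdict(set)
    suspicious = defaultdict(set)
    infected_hosts = set()
    locked = 0
    for e in entries:
        if e.status == "locked":
            locked += 1
        elif e.status == "suspicious":
            suspicious[e.host].add(e.name)
        else:  # "infected" member/file or an infected "container"
            infected_hosts.add(e.host)
            if e.name:
                names[e.host].add(e.name)
    restore = sorted(h for h in infected_hosts if _RESTORE_MARKER in h.lower())
    actionable = sorted(infected_hosts - set(restore))
    return {
        "locked": locked,
        "detections": {h: sorted(n) for h, n in names.items()},
        "suspicious": {h: sorted(n) for h, n in suspicious.items()},
        "restore_point_hosts": restore,
        "actionable_hosts": actionable,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_LINES))
    print(f"{summary['locked']} locked objects ignored")
    for host in summary["actionable_hosts"]:
        print("live file with detection:", host, summary["detections"].get(host, []))
    for host in summary["restore_point_hosts"]:
        print("restore-point copy (purge System Restore):", host)
```

Run on the sample, the `actionable_hosts` list is exactly the three paths the next reply asks to remove with Killbox; the restore-point hits and the "Suspicious: Exploit.HTML.Mht" flags on HijackThis's own log and backups are reported separately so they are not mistaken for live infections.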

Shaba
2006-10-26, 16:01
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\motorsix.ocx
C:\Documents and Settings\Kris\Local Settings\Temp\mitA.tmp
C:\Documents and Settings\Kris\Local Settings\Temp\NNBar_VCSetup_876075.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder -> C:\!KillBox

Empty Recycle Bin

Re-scan with Kaspersky

Send:

- a fresh HijackThis log
- Kaspersky report

kap384
2006-10-27, 04:44
Logfile of HijackThis v1.99.1
Scan saved at 7:44:15 PM, on 26/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\AdwareAlert\AdwareAlert.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\PROGRA~1\avgamsvr.exe
D:\PROGRA~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\ANTISPYWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telus.net/success
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [adwarealert] D:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126379352609
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 26, 2006 7:43:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/10/2006
Kaspersky Anti-Virus database records: 235323
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 48888
Number of viruses found: 3
Number of infected objects: 4 / 0
Number of suspicious objects: 3
Duration of the scan process: 00:34:08

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temp\~DF9F69.tmp Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temp\~DFA269.tmp Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\MSHist012006102520061026\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\MSHist012006102620061027\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat Object is locked skipped
C:\errlgr.txt Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\ANTISPYWARE\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\ANTISPYWARE\backups\backup-20061022-114935-557 Suspicious: Exploit.HTML.Mht skipped
C:\ANTISPYWARE\backups\backup-20061022-114935-737 Suspicious: Exploit.HTML.Mht skipped
C:\!KillBox\NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\!KillBox\mitA.tmp/NNBar_VCSetup_876075.exe Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\!KillBox\mitA.tmp CAB: infected - 1 skipped
C:\!KillBox\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Program Files\AdwareAlert\Log\log_2006_10_26_18_35_01.log Object is locked skipped

Scan process completed.

Shaba
2006-10-27, 17:58
Hi

Delete this folder -> C:\!KillBox

Otherwise looking good :)

How are things running now?

tashi
2006-10-30, 18:55
How is it going kap384 :)

Shaba
2006-11-05, 19:51
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.