View Full Version : Help----CoolWWWSearch.GonnaSearch
BackStabbingSinner
2006-12-25, 08:59
Please bear with me...this will take some explaining.
Im going to make a long story short...
Somehow I managed to get "CoolWWWSearch.GonnaSearch" into my rig. I dont know how.
When I run SpyBot, it detects CoolWWWSearch.GonnaSearch. "GREAT! I can remove it" says me. However, spybot fixes several registry entries, but not all of them.
Now, CoolWWWSearch.GonnaSearch is conveniently located within a folder in my Program Files folder called "BHO Plugin". Inside this folder theres a 'plugin.dll' that apprently has the malicious software. At least that what Spybot detects. Spybot tells me that CoolWWWSearch.GonnaSearch is located in this folder but it can't erase it. Not even I can erase it.
Hijackthis says nothing of value. Ad-aware doesnt detect it. Norton doesnt detect it. Kapersky detects it, but it cant erase it either.
So, at this point I go into Safe Mode, and actually erased the folder, but 2 seconds later it misteriously installs itself again. Thats the point in which I screamed.
I renamed the folder to 'crap', but guess what? Another 'BHO Plugin' folder misteriously appeared.
Ive run anti-viruses and spybot about 20 times in the past 3 days with no avail. I dont know what to do. Its not my style to cry, but I admit I've done it twice already.
Any suggestions, ideas?
I really dont want to format.
-Sin
Hi BackStabbingSinner and welcome to Safer Networking Forums :)
Please post a HijackThis log to here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
BackStabbingSinner
2006-12-25, 09:37
Hello, thanx for the welcome and for replying!!
heres the Hijackthis log... I've looked around in there, but couldnt pinpoint anything...maybe you see something I don't.
Logfile of HijackThis v1.99.1
Scan saved at 2:35:31 AM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\tccpip.exe
D:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\Logitech\G-series Software\LGDCore.exe
D:\Program Files\Logitech\G-series Software\LCDMon.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Xfire\Xfire.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\GrabIt\GrabIt.exe
D:\Program Files\Winamp\winamp.exe
D:\Documents and Settings\Paul2\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "D:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ioloDelayModule] D:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\Program Files\Zenturi\ProgramChecker\sassvc.exe
Hi, something may be hiding...
Create a new folder for HijackThis and move HijackThis.exe into it.
Rename HijackThis.exe to Scanner.exe
Post a fresh HijacKThis (scanner.exe) log to here.
:bigthumb:
BackStabbingSinner
2006-12-25, 09:54
Okay...I created a new folder called Scanner...I placed Hijackthis into it, and renamed HijackThis.exe to Scanner.exe.... ran the program again. Here is the log file.
Again, I dont see anything. Which is totally driving me nuts. Let me know if you spot something. I know for a fact that CoolWWWSearch.gonnaSearch is in my computer because Im staring right at SpyBot that found it, AND Im getting popups like crazy.
----
Logfile of HijackThis v1.99.1
Scan saved at 2:52:03 AM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\tccpip.exe
D:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\Logitech\G-series Software\LGDCore.exe
D:\Program Files\Logitech\G-series Software\LCDMon.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Xfire\Xfire.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\GrabIt\GrabIt.exe
D:\Program Files\Winamp\winamp.exe
D:\Documents and Settings\Paul2\Desktop\Scanner\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - D:\WINDOWS\tct101.dll (file
missing)
O2 - BHO: (no name) - {00FB702C-8B28-4A57-A677-97E703EF34EE} - D:\Program Files\ComPlus
Applications\meboli.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {328A085C-4A01-48CE-85C6-4D4D317534BE} - D:\WINDOWS\system32\ddabb.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - D:\WINDOWS\system32\aajhntoc.dll
(file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program
Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - D:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} -
D:\PROGRA~1\COMMON~1\{346C5~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe"
RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "D:\Program Files\Creative\Shared Files\Module
Loader\DLLML.exe" -1 AudioDrvEmulator "D:\Program Files\Creative\Shared Files\Module Loader\Audio
Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe"
/SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus
Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ioloDelayModule] D:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "D:\Program Files\iolo\System Mechanic Professional
6\SMSystemAnalyzer.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma
Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program
Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program
Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -
D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddabb - D:\WINDOWS\system32\ddabb.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems
Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common
Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common
Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program
Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program
Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program
Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky
Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\Program
Files\Zenturi\ProgramChecker\sassvc.exe
Ok good, now the infections are visible :)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
BackStabbingSinner
2006-12-25, 10:08
Okay...thats one step forward. But Im sure its far from over yet.
I should probably tell you that I've removed Vundo before. Somehow all these adwares and sh*t keep downloading themselves and installing themselves somehow.
---
VundoFix V6.2.13
Checking Java version...
Java version is 1.5.0.9
Scan started at 3:00:51 AM 12/25/2006
Listing files found while scanning....
D:\WINDOWS\system32\ddabb.dll
D:\WINDOWS\system32\bbadd.ini
D:\WINDOWS\system32\bbadd.bak1
D:\WINDOWS\system32\bbadd.bak2
D:\WINDOWS\system32\bbadd.ini2
Beginning removal...
Attempting to delete D:\WINDOWS\system32\ddabb.dll
D:\WINDOWS\system32\ddabb.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\bbadd.ini
D:\WINDOWS\system32\bbadd.ini Has been deleted!
Attempting to delete D:\WINDOWS\system32\bbadd.bak1
D:\WINDOWS\system32\bbadd.bak1 Has been deleted!
Attempting to delete D:\WINDOWS\system32\bbadd.bak2
D:\WINDOWS\system32\bbadd.bak2 Has been deleted!
Attempting to delete D:\WINDOWS\system32\bbadd.ini2
D:\WINDOWS\system32\bbadd.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
==============
Logfile of HijackThis v1.99.1
Scan saved at 3:07:09 AM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\tccpip.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\Logitech\G-series Software\LGDCore.exe
D:\Program Files\Logitech\G-series Software\LCDMon.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Paul2\Desktop\Scanner\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - D:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {00FB702C-8B28-4A57-A677-97E703EF34EE} - D:\Program Files\ComPlus Applications\meboli.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {328A085C-4A01-48CE-85C6-4D4D317534BE} - D:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - D:\WINDOWS\system32\aajhntoc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - D:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{346C5~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "D:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ioloDelayModule] D:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\Program Files\Zenturi\ProgramChecker\sassvc.exe
BackStabbingSinner
2006-12-25, 11:02
Im still stumped. That 'BHO Plugin' folder that contains CoolWWWSearch.GonnaSearch is still there, and I cant erase it or anything.
Don't worry, we'll get rig of it :)
You're not clean yet...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
BackStabbingSinner
2006-12-25, 18:53
That combofix is interesting little tool...
Heres the log..
===
Paul2 - 06-12-25 11:49:14.50 Service Pack 2
ComboFix 06.11.27 - Running from: "D:\Documents and Settings\Paul2\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-11-25 to 2006-12-25 ))))))))))))))))))))))))))))))))))
2006-12-25 03:00 <DIR> d-------- D:\VundoFix Backups
2006-12-25 01:15 <DIR> d--h----- D:\Program Files\BHO Plugin
2006-12-25 00:24 26,000 --a------ D:\WINDOWS\system32\E3TL.DLL
2006-12-25 00:23 <DIR> d-------- D:\Program Files\Zenturi
2006-12-25 00:23 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Zenturi
2006-12-24 20:52 88,340 --a------ D:\WINDOWS\system32\hethqdly.exe
2006-12-24 19:44 <DIR> d-------- D:\WINDOWS\system32\ActiveScan
2006-12-24 19:04 <DIR> d--hs---- D:\Config.Msi
2006-12-24 18:11 <DIR> d--h-c--- D:\WINDOWS\ie7
2006-12-24 17:33 17,920 --a------ D:\WINDOWS\system32\tccpip.exe
2006-12-23 17:49 <DIR> d--h----- D:\WINDOWS\PIF
2006-12-23 17:28 48,776 --a------ D:\WINDOWS\system32\S32EVNT1.DLL
2006-12-23 17:28 115,000 --a------ D:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-23 17:28 <DIR> d-------- D:\Program Files\Symantec
2006-12-23 17:28 <DIR> d-------- D:\Program Files\Norton AntiVirus
2006-12-23 17:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Symantec
2006-12-23 17:27 <DIR> d-------- D:\Program Files\Common Files\Symantec Shared
2006-12-22 01:14 4,388 --a------ D:\WINDOWS\smproflt.dll
2006-12-21 23:08 <DIR> d-------- D:\Program Files\Lavasoft
2006-12-21 22:50 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2006-12-21 22:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-21 22:41 <DIR> d-------- D:\Documents and Settings\Paul2\Application Data\Lavasoft
2006-12-21 21:13 <DIR> d-------- D:\WINDOWS\pss
2006-12-21 20:33 <DIR> d--hs---- D:\INCINERATE
2006-12-21 20:08 277,044 --ahs---- D:\WINDOWS\system32\vtutq.dll
2006-12-21 20:08 277,044 --ahs---- D:\WINDOWS\system32\pmnlk.dll
2006-12-21 20:08 277,044 ---hs---- D:\WINDOWS\system32\sstqr.dll
2006-12-21 19:33 167,936 --a------ D:\WINDOWS\win32099-19654522.exe
2006-12-21 19:21 278,528 --a------ D:\WINDOWS\system32\ydaspzjcw.exe
2006-12-21 19:21 22,541 ---hs---- D:\WINDOWS\system32\jkkhghi.dll
2006-12-21 19:21 167,936 --a------ D:\WINDOWS\sys01196545229-2006.exe
2006-12-21 19:20 8,464 --a------ D:\WINDOWS\system32\sporder.dll
2006-12-21 19:20 107,610 --a------ D:\WINDOWS\AtxPID29.exe
2006-12-21 19:20 1,329 --a------ D:\WINDOWS\system32\bvd29c6c.sys
2006-12-21 19:00 <DIR> d-------- D:\WINDOWS\vbSkinner
2006-12-21 19:00 <DIR> d-------- D:\Program Files\PFConfig
2006-12-20 20:08 230,982 --a------ D:\WINDOWS\War_Rock_Toolbar_Uninstaller_3265.exe
2006-12-20 20:08 <DIR> d-------- D:\Program Files\WarRock
2006-12-20 20:08 <DIR> d-------- D:\Documents and Settings\Paul2\Application Data\InstallShield
2006-12-15 22:13 <DIR> d-------- D:\Program Files\Activision
2006-12-15 22:11 <DIR> d--hs---- D:\WINDOWS\ftpcache
2006-12-15 01:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\AOL OCP
2006-12-15 00:54 <DIR> d-------- D:\Program Files\AIM6
2006-12-14 21:52 <DIR> d-------- D:\Program Files\Guitar Pro 5
2006-12-14 20:22 <DIR> d-------- D:\Program Files\QuickTime
2006-12-14 20:22 <DIR> d-------- D:\Program Files\iTunes
2006-12-14 20:22 <DIR> d-------- D:\Program Files\iPod
2006-12-14 20:22 <DIR> d-------- D:\Program Files\Apple Software Update
2006-12-13 23:54 61,440 --a------ D:\WINDOWS\system32\NI_DFD_1_4.dll
2006-12-13 23:54 393,216 --a------ D:\WINDOWS\system32\NI_IRC_1_1.dll
2006-12-13 23:54 393,216 --a------ D:\WINDOWS\system32\NI_IRC_1_0_3.dll
2006-12-13 23:54 <DIR> d-------- D:\Program Files\Finale GPO 2.0
2006-12-13 23:53 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\MakeMusic
2006-12-13 23:53 <DIR> d-------- D:\Psfonts
2006-12-13 23:53 <DIR> d-------- D:\Program Files\SmartMusic 9
2006-12-13 23:53 <DIR> d-------- D:\My Documents
2006-12-13 23:52 90,112 --a------ D:\WINDOWS\unvise32.exe
2006-12-13 23:52 <DIR> d-------- D:\Program Files\Finale 2007
2006-12-13 01:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Trymedia
2006-12-11 00:56 <DIR> d-------- D:\Documents and Settings\Paul2\Contacts
2006-12-11 00:54 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2006-12-11 00:54 <DIR> d-------- D:\Program Files\MSN Messenger
2006-12-07 21:16 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2006-12-07 21:01 <DIR> d-------- D:\Program Files\Atari
2006-12-07 20:53 <DIR> d-------- D:\Test Drive
2006-12-06 22:03 5,632 --a------ D:\WINDOWS\system32\drivers\Entech64.sys
2006-12-06 22:03 3,972 --a------ D:\WINDOWS\system32\drivers\PciBus.sys
2006-12-06 22:03 21,664 --a------ D:\WINDOWS\system32\drivers\Entech.sys
2006-12-06 22:03 <DIR> d-------- D:\WINDOWS\system32\Futuremark
2006-12-06 22:03 <DIR> d-------- D:\Program Files\Futuremark
2006-12-06 22:00 <DIR> d-------- D:\3dmark
2006-12-05 13:51 <DIR> d-------- D:\Program Files\DVD Shrink
2006-12-05 13:51 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\DVD Shrink
2006-12-05 12:01 <DIR> d-------- D:\VOBBLANKEr
2006-12-05 01:13 <DIR> d-------- D:\Documents and Settings\Paul2\Application Data\Nero
2006-12-05 01:02 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Ahead
2006-12-05 00:33 <DIR> d-------- D:\Program Files\Ahead
2006-12-05 00:29 <DIR> d-------- D:\Documents and Settings\Paul2\Application Data\Ahead
2006-12-05 00:28 <DIR> d-------- D:\Program Files\Nero
2006-12-05 00:28 <DIR> d-------- D:\Program Files\Common Files\Ahead
2006-12-05 00:27 <DIR> d-------- D:\Nero 7 Ultra
2006-12-01 02:49 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2006-12-01 02:49 <DIR> d-------- D:\Program Files\Windows Media Connect 2
2006-12-01 02:48 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
2006-12-01 02:46 765,952 --a------ D:\WINDOWS\system32\xvidcore.dll
2006-12-01 02:46 180,224 --a------ D:\WINDOWS\system32\xvidvfw.dll
2006-12-01 02:46 <DIR> d-------- D:\Program Files\Xvid
2006-11-30 07:59 26,496 --a------ D:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-26 01:35 <DIR> d-------- D:\Game ISOs
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-25 11:48 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Xfire
2006-12-25 00:38 -------- d---s---- D:\Documents and Settings\Paul2\Application Data\Microsoft
2006-12-24 18:15 -------- d-------- D:\Program Files\Internet Explorer
2006-12-23 17:29 -------- d-------- D:\Program Files\Common Files
2006-12-23 16:38 -------- d--h----- D:\Program Files\InstallShield Installation Information
2006-12-21 19:15 -------- d-------- D:\Program Files\Steam
2006-12-20 17:48 1212416 --a------ D:\WINDOWS\system32\Incinerator.dll
2006-12-19 23:35 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Adobe
2006-12-18 21:35 -------- d-------- D:\Program Files\Common Files\AOL
2006-12-18 01:53 -------- d-------- D:\Documents and Settings\Paul2\Application Data\IGN_DLM
2006-12-16 22:34 -------- d-------- D:\Program Files\Ubisoft
2006-12-14 20:22 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Apple Computer
2006-12-14 19:46 -------- d-------- D:\Program Files\Outlook Express
2006-12-14 19:46 -------- d-------- D:\Program Files\Common Files\System
2006-12-07 20:25 61584 --a------ D:\WINDOWS\system32\drivers\klick.sys
2006-12-06 17:21 -------- d-------- D:\Program Files\EVEMon
2006-12-05 16:11 -------- d-------- D:\Program Files\MSN
2006-12-01 02:49 -------- d-------- D:\Program Files\Windows Media Player
2006-11-26 17:27 -------- d-------- D:\Program Files\Sony
2006-11-26 17:27 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Sony
2006-11-26 01:44 163644 --a------ D:\WINDOWS\system32\drivers\secdrv.sys
2006-11-19 12:56 -------- d-------- D:\Program Files\Winamp
2006-11-15 22:56 -------- d-------- D:\Program Files\Adobe
2006-11-15 22:55 -------- d-------- D:\Program Files\Common Files\Adobe
2006-11-15 22:54 -------- d-------- D:\Program Files\Common Files\Adobe Systems Shared
2006-11-14 16:33 -------- d-------- D:\Documents and Settings\Paul2\Application Data\EVEMon
2006-11-14 11:51 -------- d-------- D:\Program Files\EVE Launcher
2006-11-12 14:53 98304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
2006-11-12 14:53 -------- dr-h----- D:\Documents and Settings\Paul2\Application Data\SecuROM
2006-11-11 22:15 -------- d-------- D:\Program Files\CCP
2006-11-11 00:54 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Sun
2006-11-11 00:53 -------- d-------- D:\Program Files\Java
2006-11-11 00:53 -------- d-------- D:\Program Files\Common Files\Java
2006-11-10 23:05 -------- d-------- D:\Documents and Settings\Paul2\Application Data\acccore
2006-11-10 23:04 -------- d-------- D:\Program Files\Common Files\Nullsoft
2006-11-10 17:34 -------- d-------- D:\Program Files\IGN
2006-11-10 08:22 -------- d-------- D:\Program Files\WinRAR
2006-11-09 23:24 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Publish Providers
2006-11-09 23:24 -------- d-------- D:\Documents and Settings\Paul2\Application Data\NetMedia Providers
2006-11-09 23:03 59536 --a------ D:\WINDOWS\system32\drivers\klin.sys
2006-11-09 19:08 -------- d-------- D:\Program Files\Kaspersky Lab
2006-11-09 19:08 -------- d-------- D:\Program Files\iolo
2006-11-09 18:35 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Macromedia
2006-11-09 00:37 -------- d-------- D:\Documents and Settings\Paul2\Application Data\AdobeUM
2006-11-09 00:35 875 --a------ D:\Documents and Settings\Paul2\Application Data\AdobeDLM.log
2006-11-09 00:35 0 --a------ D:\Documents and Settings\Paul2\Application Data\dm.ini
2006-11-09 00:15 -------- d-------- D:\Program Files\Alcohol Soft
2006-11-09 00:10 639224 --a------ D:\WINDOWS\system32\drivers\sptd.sys
2006-11-08 23:30 -------- d-------- D:\Documents and Settings\Paul2\Application Data\CyberLink
2006-11-08 21:58 -------- d-------- D:\Program Files\Messenger
2006-11-08 21:40 -------- d-------- D:\Program Files\UltraMon
2006-11-08 21:40 -------- d-------- D:\Program Files\Common Files\Realtime Soft
2006-11-08 21:40 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Realtime Soft
2006-11-08 21:35 -------- d-------- D:\Documents and Settings\Paul2\Application Data\teamspeak2
2006-11-08 21:32 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Logitech
2006-11-08 21:30 -------- d-------- D:\Program Files\Logitech
2006-11-08 21:30 -------- d-------- D:\Program Files\Common Files\Logitech
2006-11-08 21:29 -------- d-------- D:\Program Files\Schmads Inc
2006-11-08 21:26 -------- d-------- D:\Program Files\Creative
2006-11-08 21:25 81920 --a------ D:\WINDOWS\system32\OpenAL32.dll
2006-11-08 21:25 233472 --a------ D:\WINDOWS\system32\wrap_oal.dll
2006-11-08 21:25 -------- d-------- D:\Program Files\Common Files\InstallShield
2006-11-08 21:22 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Creative
2006-11-08 21:09 -------- d-------- D:\Program Files\Marvell
2006-11-08 19:57 -------- d--h----- D:\Program Files\Uninstall Information
2006-11-08 19:57 -------- d-------- D:\Program Files\Common Files\Microsoft Shared
2006-11-08 19:57 -------- d-------- D:\Documents and Settings\Paul2\Application Data\Identities
2006-11-08 19:54 -------- d-------- D:\Program Files\xerox
2006-11-08 19:54 -------- d-------- D:\Program Files\microsoft frontpage
2006-11-08 19:52 -------- d-------- D:\Program Files\NetMeeting
2006-11-08 19:52 -------- d-------- D:\Program Files\Movie Maker
2006-11-08 19:52 -------- d-------- D:\Program Files\Common Files\Services
2006-11-08 19:52 -------- d-------- D:\Program Files\Common Files\MSSoap
2006-11-08 19:51 -------- d-------- D:\Program Files\Windows NT
2006-11-08 19:51 -------- d-------- D:\Program Files\MSN Gaming Zone
2006-11-08 14:45 -------- d-------- D:\Program Files\Common Files\SpeechEngines
2006-11-08 14:45 -------- d-------- D:\Program Files\Common Files\ODBC
2006-11-08 14:44 62 --ahs---- D:\Documents and Settings\Paul2\Application Data\desktop.ini
2006-11-08 00:06 679424 --a------ D:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- D:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- D:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- D:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ D:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ D:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- D:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ D:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ D:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ D:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ D:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ D:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ D:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ D:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ D:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ D:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ D:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ D:\WINDOWS\system32\ieakui.dll
2006-10-22 15:06 208896 --a------ D:\WINDOWS\system32\NVUNINST.EXE
2006-10-22 12:22 888832 --a------ D:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86016 --a------ D:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81920 --a------ D:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794624 --a------ D:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7700480 --a------ D:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581632 --a------ D:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5644288 --a------ D:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5619712 --a------ D:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5255168 --a------ D:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466944 --a------ D:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458752 --a------ D:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 4527488 --a------ D:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 45056 --a------ D:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442368 --a------ D:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425984 --a------ D:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 35840 --a------ D:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35840 --a------ D:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 3203072 --a------ D:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 311296 --a------ D:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3047424 --a------ D:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 2973696 --a------ D:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2924544 --a------ D:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 286720 --a------ D:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 2859008 --a------ D:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 229376 --a------ D:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212992 --a------ D:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 208896 --a------ D:\WINDOWS\system32\nvudisp.exe
2006-10-22 12:22 188416 --a------ D:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 1732608 --a------ D:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1662976 --a------ D:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1622016 --a------ D:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 159810 --a------ D:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147456 --a------ D:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1470464 --a------ D:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1339392 --a------ D:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1236992 --a------ D:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1019904 --a------ D:\WINDOWS\system32\nvwimg.dll
BackStabbingSinner
2006-12-25, 18:54
2006-10-22 12:22 1011712 --a------ D:\WINDOWS\system32\nvcpluir.dll
2006-10-19 08:56 713216 --a------ D:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ D:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ D:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a------ D:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a------ D:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ D:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 21:47 8231936 --a------ D:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488 --------- D:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 21:47 757248 --a------ D:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47 7168 --a------ D:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896 --------- D:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 21:47 63488 --a------ D:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ D:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376 --------- D:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a------ D:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 21:47 542720 --a------ D:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --------- D:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ D:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ D:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\WMVADVD.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 21:47 4096 --a------ D:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 21:47 38400 --------- D:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a------ D:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ D:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ D:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ D:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ D:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ D:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- D:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 21:47 314880 --a------ D:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- D:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- D:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 21:47 276992 --a------ D:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a------ D:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- D:\WINDOWS\system32\WpdShext.dll
2006-10-18 21:47 259072 --------- D:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 21:47 259072 --------- D:\WINDOWS\system32\MP43DECD.dll
2006-10-18 21:47 2450944 --a------ D:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a------ D:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a------ D:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a------ D:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a------ D:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992 --------- D:\WINDOWS\system32\MFPLAT.dll
2006-10-18 21:47 211456 --a------ D:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288 --a------ D:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168 --------- D:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 21:47 179712 --a------ D:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ D:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- D:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 21:47 1661440 --a------ D:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912 --------- D:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 21:47 157184 --a------ D:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ D:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- D:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 21:47 1382912 --------- D:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 21:47 133632 --------- D:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 21:47 1329152 --a------ D:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 21:47 132096 --------- D:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 21:47 130048 --------- D:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a------ D:\WINDOWS\system32\LAPRXY.dll
2006-10-18 21:47 1117696 --a------ D:\WINDOWS\system32\WMADMOE.dll
2006-10-18 21:47 101888 --------- D:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 20:03 100864 --a------ D:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --------- D:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- D:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 12:06 78336 --a------ D:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ D:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- D:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ D:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ D:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ D:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- D:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- D:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ D:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- D:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ D:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ D:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- D:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 142336 --a------ D:\WINDOWS\system32\nwprovau.dll
2006-10-02 15:28 312128 --------- D:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- D:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- D:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- D:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- D:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- D:\WINDOWS\system32\WudfHost.exe
2006-09-28 16:05 2414360 --a------ D:\WINDOWS\system32\d3dx9_31.dll
2006-09-28 16:05 237848 --a------ D:\WINDOWS\system32\xactengine2_4.dll
2006-09-28 16:04 68888 --a------ D:\WINDOWS\system32\xinput1_3.dll
2006-09-28 16:03 15128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll
2006-09-27 22:38 193024 --a------ D:\WINDOWS\UltraMon.scr
2006-09-25 17:58 23856 --a------ D:\WINDOWS\system32\spupdsvc.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\system32\\ctfmon.exe"
"SMSystemAnalyzer"="\"D:\\Program Files\\iolo\\System Mechanic Professional 6\\SMSystemAnalyzer.exe\""
"Steam"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"CTSysVol"="D:\\Program Files\\Creative\\SBAudigy4\\Surround Mixer\\CTSysVol.exe /r"
"RCSystem"="\"D:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" RCSystem * -Startup"
"AudioDrvEmulator"="\"D:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"D:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"CTHelper"="CTHELPER.EXE"
"Launch LGDCore"="\"D:\\Program Files\\Logitech\\G-series Software\\LGDCore.exe\" /SHOWHIDE"
"Launch LCDMon"="\"D:\\Program Files\\Logitech\\G-series Software\\LCDMon.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"UltraMon"="\"D:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"KAVPersonal50"="\"D:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"NeroFilterCheck"="D:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ioloDelayModule"="D:\\Program Files\\iolo\\System Mechanic Professional 6\\delay.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpsa32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\AppleSoftwareUpdate.job
Completion time: 06-12-25 11:51:59.60
D:\ComboFix.txt ... 06-12-25 11:51
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
tccpip.exe
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - D:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {00FB702C-8B28-4A57-A677-97E703EF34EE} - D:\Program Files\ComPlus Applications\meboli.dll (file missing)
O2 - BHO: (no name) - {328A085C-4A01-48CE-85C6-4D4D317534BE} - D:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - D:\WINDOWS\system32\aajhntoc.dll (file missing)
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - D:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{346C5~1\Bar888.dll (file missing)
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
Please run Killbox.
Select "Delete on Reboot".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
D:\WINDOWS\system32\hethqdly.exe
D:\WINDOWS\system32\tccpip.exe
D:\WINDOWS\system32\vtutq.dll
D:\WINDOWS\system32\pmnlk.dll
D:\WINDOWS\system32\sstqr.dll
D:\WINDOWS\win32099-19654522.exe
D:\WINDOWS\system32\ydaspzjcw.exe
D:\WINDOWS\system32\jkkhghi.dll
D:\WINDOWS\sys01196545229-2006.exe
D:\WINDOWS\system32\sporder.dll
D:\WINDOWS\AtxPID29.exe
D:\WINDOWS\system32\bvd29c6c.sys
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Select "All Files".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
D:\Program Files\BHO Plugin
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
D:\WINDOWS\system32\E3TL.DLL
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
:bigthumb:
BackStabbingSinner
2006-12-25, 22:53
I did everything up to the point in which I have to do the Fix.reg.
I opened notepad, copied and paste. Made sure REGEDIT4 was inserted. Made sure there is ONE line of space at the bottom. Saved it as Fix.reg, with filetypes: ALL FILES.
I see it on my desktop, but when I double-click on it, Notepad opens up again with the registry value. If I right-click on it, I see the MERGE option, but when I click on that, Notepad opens up again.
????
BackStabbingSinner
2006-12-26, 02:37
Nevermind. I figured it out.
Okay... I did EVERYTHING, step-by-step, without missing a beat.
The following post/results will be several replies long. :)
-Here are the results of the VirusTotal Scan for "E3TL.DLL":
AntiVir 7.3.0.21 12.25.2006 no virus found
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.25.2006 no virus found
BitDefender 7.2 12.25.2006 no virus found
CAT-QuickHeal 8.00 12.25.2006 no virus found
ClamAV devel-20060426 12.25.2006 no virus found
DrWeb 4.33 12.25.2006 no virus found
eSafe 7.0.14.0 12.25.2006 no virus found
eTrust-InoculateIT 23.73.98 12.24.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4.0 12.25.2006 no virus found
Fortinet 2.82.0.0 12.25.2006 no virus found
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.25.2006 no virus found
Kaspersky 4.0.2.24 12.26.2006 no virus found
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.25.2006 no virus found
NOD32v2 1938 12.25.2006 no virus found
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.25.2006 no virus found
Prevx1 V2 12.26.2006 no virus found
Sophos 4.12.0 12.24.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 no virus found
UNA 1.83 12.25.2006 no virus found
VBA32 3.11.1 12.25.2006 no virus found
VirusBuster 4.3.19:9 12.25.2006 no virus found
Aditional Information
File size: 26000 bytes
MD5: dc3860cce4dbb395f9f6bd022e7e5475
SHA1: 27a75f2423634cc7d0c9e94eff2605be0df2ac12
-Here's a fresh HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:35:10 PM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\E_S00RP1.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\Logitech\G-series Software\LGDCore.exe
D:\Program Files\Logitech\G-series Software\LCDMon.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Paul2\Desktop\Scanner\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "D:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ioloDelayModule] D:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [\\PABLO-1393797A8\EPSON Stylus CX3800 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P44 "\\PABLO-1393797A8\EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - D:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - D:\WINDOWS\system32\tccpip.exe (file missing)
BackStabbingSinner
2006-12-26, 02:38
-Here is the AVG Anti-Spyware Scan Report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:26:24 PM 12/25/2006
+ Scan result:
HKU\S-1-5-21-1220945662-1383384898-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000001-C003-4A2F-9142-7CB1D78DE6C1} -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
D:\RECYCLER\S-1-5-18\Dd1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
D:\RECYCLER\S-1-5-18\Dd1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\SOUND FORGE\Sony Sound Forge v8.0 FULL with many plugins\Best Plugins\Sound Forge Noise Reduction 2 w serial no keygen\uer_sfnr20a.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Sony Sound Forge v8.0 FULL with many plugins\Best Plugins\Sound Forge Noise Reduction 2 w serial no keygen\uer_sfnr20a.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
::Report end
Ok good, looks better :)
Disable a bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to TCP and UDP Supp0rt
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; TCP and UDP Supp0rt
Close HIjackThis
Reboot.
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
D:\!Killbox\tccpip.exe (try C:\!Killbox\tccpip.exe if the file is not found)
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
When you're ready, please post the following logs to here:
- Kaspersky's report
- a fresh HijackThis log
- virustotal results
BackStabbingSinner
2006-12-26, 23:48
Mr_JAk3..... you are A GOD. My computer is feeling so much better thanx to you. Holy sh*t, its unbelieveable. I thought I had to format!! :eek:
!!!!!!!!1111oneone
=====
Here is the Kaspersky Online Report:
-----------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 26, 2006 4:41:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/12/2006
Kaspersky Anti-Virus database records: 254407
-----------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 158083
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:10:37
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\!KillBox\hethqdly.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0000 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0001 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0100 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0101 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0200 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0201 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0300 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.i0301 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.reph Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.repi Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Backup\BackupMng.rept Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0000 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0001 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0100 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0101 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0200 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0201 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0300 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.i0301 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.reph Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.repi Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Quarantine\QMng.rept Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0000 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0001 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0100 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0101 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0200 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0201 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0300 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.i0301 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.reph Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.repi Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Reports\RptMng.rept Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\TIF\GlobalTIFMng.i0000 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\TIF\GlobalTIFMng.i0100 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\TIF\GlobalTIFMng.i0200 Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\TIF\GlobalTIFMng.reph Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\TIF\GlobalTIFMng.repi Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\TIF\GlobalTIFMng.rept Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Paul2\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\History\History.IE5\MSHist012006122620061227\index.dat Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Temp\Perflib_Perfdata_63c.dat Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Temp\~DF404C.tmp Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Temp\~DF4059.tmp Object is locked skipped
D:\Documents and Settings\Paul2\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Paul2\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Paul2\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
D:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
D:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\{00000009-00000000-00000007-00001102-00000008-10211102}.CDF Object is locked skipped
Scan process completed.
===============================
Here is the VIRUSTOTAL.com report on "tccpip.exe":
Complete scanning result of "tccpip.exe", received in VirusTotal at 12.26.2006, 20:07:34 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 12.25.2006 HEUR/Crypted
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 Win32:Small-DIX
AVG 386 12.26.2006 no virus found
BitDefender 7.2 12.26.2006 Generic.Malware.Yd.1BD308F2
CAT-QuickHeal 8.00 12.26.2006 no virus found
ClamAV devel-20060426 12.26.2006 no virus found
DrWeb 4.33 12.26.2006 no virus found
eSafe 7.0.14.0 12.26.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.98 12.24.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4.0 12.26.2006 no virus found
Fortinet 2.82.0.0 12.26.2006 suspicious
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.26.2006 no virus found
Kaspersky 4.0.2.24 12.26.2006 no virus found
McAfee 4926 12.26.2006 Downloader-AYL
Microsoft 1.1904 12.26.2006 no virus found
NOD32v2 1939 12.26.2006 no virus found
Norman 5.80.02 12.26.2006 W32/Malware.DZC
Panda 9.0.0.4 12.26.2006 no virus found
Prevx1 V2 12.26.2006 no virus found
Sophos 4.13.0 12.26.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 no virus found
UNA 1.83 12.26.2006 no virus found
VBA32 3.11.1 12.26.2006 no virus found
VirusBuster 4.3.19:9 12.26.2006 no virus found
Aditional Information
File size: 17920 bytes
MD5: 4cf1183550fbb4b906dffa6a2641eb4c
SHA1: 2fd19125a7f0f64be979d2c867ee0ddfa6ac5fe0
packers: UPX
packers: UPX
packers: UPX
packers: UPX
====================================
Here's a fresh HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:46:57 PM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\E_S00RP1.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\Logitech\G-series Software\LGDCore.exe
D:\Program Files\Logitech\G-series Software\LCDMon.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Paul2\Desktop\Scanner\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
BackStabbingSinner
2006-12-26, 23:49
*cont*
O4 - HKLM\..\Run: [RCSystem] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "D:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ioloDelayModule] D:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [\\PABLO-1393797A8\EPSON Stylus CX3800 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P44 "\\PABLO-1393797A8\EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - D:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\Program Files\Zenturi\ProgramChecker\sassvc.exe
Hi :)
I would like you to upload a file for further inspection...
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open"
D:\!Killbox\tccpip.exe
In the comments, please mention that I asked you to upload this file
Click on Send File
Thanks :bigthumb:
========
It is beginning to look good :)
You don't seem to a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
I can see parts of Kaspersky Antivirus and Norton Antivirus running on your computer. Have you uninstalled some of these ? Running two antiviruses is not recommended. If you have uninstalled some of these, we'll clean the leftovers. Please let me know :bigthumb:
BackStabbingSinner
2006-12-28, 00:54
Okay. I uploaded the file and mentioned your name, Mr_JAk3. :)
Also, yes, I had briefly downloaded a trial of Norton Antivirus on my computer for further inspection of my system when I was having this crisis. But I uninstalled it quickly after it causes system instability and insane use of cpu cycles. Some files remain here and there from Norton and Im still fishing them out.
The only Antivirus I have is Kaspersky, at the moment.
Im using Windows Firewall, but thanx for the heads up. I didnt know Windows Firewall wasnt too safe. I'll check out the options you gave me.
Once again, thanx alot!!!!!!11111oneoneone
Ok thank you for the upload :)
It is looking clean now :D:
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
You can delete the C:\!Killbox folder.
Then you should update your Java to the latest version (6.0) Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 9
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)