
Thread: smitfraud-c Toolbar 888

  1. #1
    Member
    Join Date
    May 2007
    Posts
    32

    Default smitfraud-c Toolbar 888

    Hi,

    I too am having trouble with smitfraud.
    I tried to run the eTrust Antivirus Web Scanner on that computer but it resulted in a blue screen (of death).
    I should note that I previously tried some removal tools and tutorials, if that information is helpful.
    Looking through other similar problems on this forum I have already run VundoFix.

    Below are my HJT and VundoFix logs.

    If there is any information I left out or it is not formatted correctly please tell me so I can fix it as soon as possible.

    Thanks.

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:48:20 AM, on 5/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\micro1\b9.exe
    C:\WINDOWS\system32\owintodv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\DOCUME~1\CATHYW~1\APPLIC~1\SSEMBL~1\winlogon.exe
    C:\Documents and Settings\Cathy Wolf\My Documents\?ymantec\tracert.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\kill button\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {11B1AD47-6EA5-1E03-F63A-68E34FE3FB9F} - C:\WINDOWS\system32\ply.dll
    O2 - BHO: (no name) - {2E9AC12A-5A75-4F73-899D-46989096C12c} - C:\WINDOWS\system32\kabnxaan.dll
    O2 - BHO: (no name) - {4794E1F0-33F7-463D-B8E4-55F0D47F84D4} - C:\Program Files\Windows NT\vigyqeb.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb103\Dealio.dll
    O2 - BHO: (no name) - {6FA6A171-A683-442D-AE71-2B4B9C4EFE70} - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O2 - BHO: 0 - {7497BE1C-CB9B-4677-16B0-CE5B30384AF5} - C:\Program Files\Online Services\zyrikucat773.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {A9CDE63E-E103-4B9F-B219-DC8DEC1E8FA6} - C:\Program Files\Windows NT\vigyqeb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\iiffgdb.dll
    O2 - BHO: (no name) - {f86cbf13-8a30-4b42-821f-5de9b14f0ea8} - C:\WINDOWS\system32\DELhcp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb103\Dealio.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owintodv.exe SKY003
    O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [{1C-C8-82-2F-ZN}] C:\windows\system32\nsdsregr.exe SKY003
    O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\rqsfgrdw.dll",realset
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\temp\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\CATHYW~1\APPLIC~1\SSEMBL~1\winlogon.exe" -vt yazb
    O4 - HKCU\..\Run: [Bajaq] "C:\Documents and Settings\Cathy Wolf\My Documents\?ymantec\tracert.exe"
    O4 - Startup: Shortcut to pccguide.lnk = C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owintodv.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb103\Dealio.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: DELhcp - C:\WINDOWS\SYSTEM32\DELhcp.dll
    O20 - Winlogon Notify: iiffgdb - C:\WINDOWS\SYSTEM32\iiffgdb.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    VundoFix:

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:54:28 PM 5/6/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\c_8res.dll
    C:\WINDOWS\system32\tmp1D2.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\c_8res.dll
    C:\WINDOWS\system32\c_8res.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\tmp1D2.tmp.dll
    C:\WINDOWS\system32\tmp1D2.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\c_8res.dll
    C:\WINDOWS\system32\c_8res.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:19:02 PM 5/6/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmp80.tmp.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 10:17:44 PM 5/6/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 2:04:30 AM 5/7/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\fhkmp.bak1
    C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\igonjmae.dll
    C:\WINDOWS\system32\pmkhf.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\fhkmp.bak1
    C:\WINDOWS\system32\fhkmp.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\fhkmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\igonjmae.dll
    C:\WINDOWS\system32\igonjmae.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmkhf.dll
    C:\WINDOWS\system32\pmkhf.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\fhkmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmkhf.dll
    C:\WINDOWS\system32\pmkhf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 2:35:32 AM 5/7/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi exodus264

    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
    1. Please download LSPFix from here.
    2. Run the LSPFix.exe that you have just finished downloading.
    3. Check the I know what I'm doing box.
    4. In the Keep box you should see one or more instances of winhealer.dll.
    5. Select every instance of winhealer.dll and move each one to the Remove box by clicking the >> button.
    6. Repeat for rlls.dll.
    7. When you are done click Finish>>.


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
    • Copy&Paste the 2 entries below into the top 2 boxes

      C:\WINDOWS\SYSTEM32\DELhcp.dll
      C:\WINDOWS\SYSTEM32\iiffgdb.dll
    • Click Add Files and Click Close Window
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

    Oin
    Yazzle by Oin
    Purityscan by Oin
    Snowballwars by Oin
    or anything similar with Oin or Outerinfo in it.
    Zolero
    Tizzletalk
    MediaTickets
    Cowabanga
    and any other programs you didn't install or don't recognize - if you're not sure please ask first


    Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed

    Post:

    - a fresh HijackThis log
    - vundofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
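The reply above reads the HijackThis log by section (O10 Winsock LSP entries, O15 Trusted Zone additions, O20 Winlogon Notify DLLs, unnamed O2 BHOs, O4 autoruns in odd places) and picks out what to remove. The script below is an added example, not the helper's or the forum's own tooling, that applies those same judgement calls mechanically to log lines. The sample lines are copied from the log posted above; the protected process names, the Winlogon Notify allowlist, the 0.85 similarity threshold and the user-profile path patterns are assumptions of this example, chosen to match what the log shows, and would need extending for real use.

```python
"""Triage heuristics for HijackThis-style log lines (added example; the lists
below are illustrative assumptions, not an authoritative allow/deny list)."""
import difflib
import ntpath
import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
# O4 target: the quoted or first bare token after the "[Name]" label.
RUN_TARGET = re.compile(r'\]\s+(?:"([^"]+)"|(\S+))')

# System binaries whose names user-mode malware likes to borrow (assumed list).
PROTECTED_STEMS = {"smss", "csrss", "winlogon", "services", "lsass",
                   "svchost", "spoolsv", "explorer"}
# Winlogon Notify packages expected on Windows XP (assumed allowlist).
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "scecli.dll", "sclgntfy.dll", "crypt32.dll",
                     "cryptnet.dll", "wlballoon.dll", "termsrv.dll", "igfxcui.dll"}

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\iiffgdb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\CATHYW~1\APPLIC~1\SSEMBL~1\winlogon.exe" -vt yazb
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: iiffgdb - C:\WINDOWS\SYSTEM32\iiffgdb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    reason: str
    section: str
    detail: str


def _in_system_dir(path):
    # Simplification: only %SystemRoot% and system32 count as "system" dirs.
    return ntpath.dirname(path).lower().rstrip("\\").endswith(("\\windows", "\\system32"))


def _autorun_findings(body):
    m = RUN_TARGET.search(body)
    if not m:
        return []
    target = m.group(1) or m.group(2)
    stem = ntpath.splitext(ntpath.basename(target))[0].lower()
    out = []
    if stem in PROTECTED_STEMS:
        # A real winlogon.exe never autoruns from a user profile.
        if not _in_system_dir(target):
            out.append(Finding("masquerade", "O4", target))
    else:
        # Near-miss names such as lsasss.exe next to lsass.exe.
        closest = max(PROTECTED_STEMS,
                      key=lambda p: difflib.SequenceMatcher(None, stem, p).ratio())
        if difflib.SequenceMatcher(None, stem, closest).ratio() >= 0.85:
            out.append(Finding("lookalike", "O4", f"{target} (resembles {closest}.exe)"))
    low = target.lower()
    if "docume~1" in low or "documents and settings" in low or "\\users\\" in low:
        out.append(Finding("user-profile-autorun", "O4", target))
    return out


def triage(log_text):
    """Return the list of Findings for every suspicious HijackThis line."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O10":                      # HJT only prints O10 for unknown/broken LSPs
            findings.append(Finding("lsp", section, body))
        elif section == "O15":                    # silently added Trusted Zone sites
            zone = re.search(r"Trusted Zone:\s*(\S+)", body)
            findings.append(Finding("trusted-zone", section, zone.group(1) if zone else body))
        elif section == "O20":                    # DLLs loaded by winlogon at logon
            dll = body.rsplit(" - ", 1)[-1].strip()
            if ntpath.basename(dll).lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("winlogon-notify", section, dll))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding("unnamed-bho", section, body.rsplit(" - ", 1)[-1]))
        elif section == "O4":
            findings.extend(_autorun_findings(body))
    return findings


def summarize(findings):
    """Count findings per reason, e.g. {'lsp': 2, 'trusted-zone': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason:22} {f.detail}")
```

Run it against a full saved log with `triage(open("hijackthis.log").read())`. The allowlists are the weak point of any such script: a legitimate vendor Winlogon Notify DLL or an odd-but-benign autorun will show up as a finding, so the output is a worklist for a human, not a removal list.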

  3. #3
    Member
    Join Date
    May 2007
    Posts
    32

    Default

    Hi.

    Here are the reports.

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:42:27 PM, on 5/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\micro1\b9.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\kill button\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9AC12A-5A75-4F73-899D-46989096C12c} - C:\WINDOWS\system32\kabnxaan.dll
    O2 - BHO: (no name) - {4794E1F0-33F7-463D-B8E4-55F0D47F84D4} - C:\Program Files\Windows NT\vigyqeb.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {6FA6A171-A683-442D-AE71-2B4B9C4EFE70} - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O2 - BHO: 0 - {7497BE1C-CB9B-4677-16B0-CE5B30384AF5} - C:\Program Files\Online Services\zyrikucat773.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {A9CDE63E-E103-4B9F-B219-DC8DEC1E8FA6} - C:\Program Files\Windows NT\vigyqeb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {C6FEE081-003A-47CC-9BB9-EA55C029F248} - C:\Program Files\Windows NT\vigyqeb.dll
    O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\iiffgdb.dll (file missing)
    O2 - BHO: (no name) - {f86cbf13-8a30-4b42-821f-5de9b14f0ea8} - C:\WINDOWS\system32\DELhcp.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owintodv.exe SKY003
    O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\rqsfgrdw.dll",realset
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\temp\HijackThis.exe /startupscan
    O4 - Startup: Shortcut to pccguide.lnk = C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owintodv.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    VundoFix:


    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 8:54:28 PM 5/6/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\c_8res.dll
    C:\WINDOWS\system32\tmp1D2.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\c_8res.dll
    C:\WINDOWS\system32\c_8res.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\tmp1D2.tmp.dll
    C:\WINDOWS\system32\tmp1D2.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\c_8res.dll
    C:\WINDOWS\system32\c_8res.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:19:02 PM 5/6/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmp80.tmp.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 10:17:44 PM 5/6/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 2:04:30 AM 5/7/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\fhkmp.bak1
    C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\igonjmae.dll
    C:\WINDOWS\system32\pmkhf.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\fhkmp.bak1
    C:\WINDOWS\system32\fhkmp.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\fhkmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\igonjmae.dll
    C:\WINDOWS\system32\igonjmae.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmkhf.dll
    C:\WINDOWS\system32\pmkhf.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\fhkmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmkhf.dll
    C:\WINDOWS\system32\pmkhf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 2:35:32 AM 5/7/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 4:06:13 PM 5/7/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\DELhcp.dll
    C:\WINDOWS\SYSTEM32\DELhcp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\iiffgdb.dll
    C:\WINDOWS\SYSTEM32\iiffgdb.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 4:34:46 PM 5/7/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    1. Please download AVG Anti-Spyware
    • Install AVG Anti-Spyware
    • Launch the program, there should be an icon on your desktop, double-click it.
    • The program will now open to the main screen.

      You will need to update AVG Anti-Spyware to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display ("Update successful")
    • Exit AVG Anti-Spyware, do not run the scan yet!


    2. Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C: ) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".


    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    4. Once in Safe Mode, Open AVG Anti-Spyware:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware


    5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot into normal Windows and post the contents of the AVG Anti-Spyware text report that you saved and a new HiJackThis log.

    Download and unzip BFU.zip from here.
    Run the program and click the Web button as shown by the blue arrow below:


    Use this URL to copy into the address bar of the Download script window:
    http://metallica.geekstogo.com/alcanshorty.bfu

    Execute the script by clicking the Execute button.

    If you have any questions about the use of BFU please read here:
    http://metallica.geekstogo.com/BFUinstructions.html

    Reboot

    Post:

    - a fresh HijackThis log
    - AVG anti-spyware report
    Last edited by Shaba; 2007-05-08 at 08:06.

  5. #5
    Member
    Join Date
    May 2007
    Posts
    32

    Default

    Hi.

    I wasn't able to complete the final step, running BFU with the URL. It gave me the following error:

    "BFU was unable to download the file located at:
    http://metallica.geekstogo.com/alcanshorty.bfu
    Please verify the address is correct and the file is available from the webserver."

    It was connected to the internet so I'm not sure what caused this.

    Here are the reports:

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:55:11 PM, on 5/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe
    C:\kill button\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9AC12A-5A75-4F73-899D-46989096C12c} - C:\WINDOWS\system32\kabnxaan.dll (file missing)
    O2 - BHO: (no name) - {4794E1F0-33F7-463D-B8E4-55F0D47F84D4} - C:\Program Files\Windows NT\vigyqeb.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {6FA6A171-A683-442D-AE71-2B4B9C4EFE70} - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O2 - BHO: 0 - {7497BE1C-CB9B-4677-16B0-CE5B30384AF5} - C:\Program Files\Online Services\zyrikucat773.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {A9CDE63E-E103-4B9F-B219-DC8DEC1E8FA6} - C:\Program Files\Windows NT\vigyqeb.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {C6FEE081-003A-47CC-9BB9-EA55C029F248} - C:\Program Files\Windows NT\vigyqeb.dll (file missing)
    O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\iiffgdb.dll (file missing)
    O2 - BHO: (no name) - {f86cbf13-8a30-4b42-821f-5de9b14f0ea8} - C:\WINDOWS\system32\DELhcp.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\rqsfgrdw.dll",realset
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\temp\HijackThis.exe /startupscan
    O4 - Startup: Shortcut to pccguide.lnk = C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
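    The helper reads a log like the one above by hand, entry by entry. As an added example (not part of this thread, HijackThis, AVG Anti-Spyware or BFU), here is a small Python triage script for the entry types that matter here: O2 BHOs left behind with their DLL missing, O4 Run keys that start a DLL through rundll32, the O6 restrictions policy, and O15 Trusted Zone additions. The rogue-domain set is taken from the O15 lines in this log; the rundll32 allowlist and the sample input are constructed for the example.

```python
"""Triage for HijackThis v1.99 log entries (added example for this thread;
not part of HijackThis, AVG Anti-Spyware or BFU). Parses the O2/O4/O6/O15
lines of a log like the one posted above and flags what a helper checks first."""
import re
from collections import Counter, namedtuple

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,|\s|$)', re.I)

# The WinFixer/ErrorSafe family of rogue "security" products adds these domains
# (all present in the O15 entries of the log above) to IE's Trusted Zone.
ROGUE_AV_DOMAINS = {"errorprotector.com", "errorsafe.com", "imageservr.com",
                    "imagesrvr.com", "systemdoctor.com", "winantivirus.com", "winfixer.com"}
# Constructed allowlist of DLLs a known vendor launches via rundll32
# (NvCpl.dll is the NVIDIA control-panel entry visible in the log above).
RUNDLL_ALLOWLIST = {"nvcpl.dll"}

Finding = namedtuple("Finding", "section severity reason line")


def parse_line(line):
    """Split one HJT entry into its section tag (O2, O15, ...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def check_bho(body):
    """O2: orphaned CLSIDs (DLL removed) and unnamed BHOs with a live DLL."""
    m = BHO_RE.match(body)
    if not m:
        return None
    if "(file missing)" in m.group("path"):
        return "medium", f"orphaned BHO {m.group('clsid')}: DLL gone, CLSID still registered"
    if m.group("name") == "(no name)":
        return "high", f"unnamed BHO with DLL present: {m.group('path')}"
    return None


def check_run(body):
    """O4: Run keys that start a DLL through rundll32 (system32 origin ranks highest)."""
    m = RUN_RE.match(body)
    r = RUNDLL_RE.match(m.group("cmd")) if m else None
    if not r:
        return None
    dll = r.group("dll")
    if dll.rsplit("\\", 1)[-1].lower() in RUNDLL_ALLOWLIST:
        return None
    sev = "high" if "\\system32\\" in dll.lower() else "medium"
    return sev, f"{m.group('hive')} Run key [{m.group('key')}] loads {dll} via rundll32"


def check_trusted_zone(body):
    """O15: any Trusted Zone addition is worth a look; rogue-AV domains are certain."""
    m = TZ_RE.match(body)
    if not m:
        return None
    base, hive = m.group("domain").lstrip("*."), m.group("hive") or "HKCU"
    if base in ROGUE_AV_DOMAINS:
        return "high", f"{hive} Trusted Zone entry for rogue-AV domain {base}"
    return "medium", f"{hive} Trusted Zone addition {base}; confirm the user made it"


def check_restrictions(body):
    """O6: IE Restrictions policy; malware sets it to block repairs."""
    return ("medium", "IE Restrictions policy present") if body.endswith("Restrictions present") else None


CHECKS = {"O2": check_bho, "O4": check_run, "O6": check_restrictions, "O15": check_trusted_zone}


def triage(lines):
    """Return Finding tuples for the flagged entries, in log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        sec, body = parsed
        hit = CHECKS[sec](body) if sec in CHECKS else None
        if hit:
            findings.append(Finding(sec, hit[0], hit[1], line.strip()))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: entries copied from the log above plus one made-up
# Trusted Zone domain that is not in the rogue set.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {2E9AC12A-5A75-4F73-899D-46989096C12c} - C:\WINDOWS\system32\kabnxaan.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\rqsfgrdw.dll",realset',
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O15 - Trusted Zone: *.winfixer.com",
    r"O15 - Trusted Zone: *.winfixer.com (HKLM)",
    r"O15 - Trusted Zone: *.example-intranet.test",
]
```

Running `triage(SAMPLE_LOG)` flags six of the eight constructed entries; the allowlisted NVIDIA rundll32 entry and the Java BHO pass clean.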

  6. #6
    Member
    Join Date
    May 2007
    Posts
    32

    Default

    AVG:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:36:25 PM 5/8/2007

    + Scan result:



    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009846.exe -> Adware.Agent : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014473.exe -> Adware.Agent : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016696.dll -> Adware.BHO : Cleaned.
    C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned.
    C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned.
    C:\WINDOWS\stub_mma3.exe -> Adware.BookedSpace : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008542.dll -> Adware.BraveSentry : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008543.dll -> Adware.BraveSentry : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008544.dll -> Adware.BraveSentry : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008545.dll -> Adware.BraveSentry : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0006540.dll -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008548.dll -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008549.exe -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008550.exe -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008628.exe -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008636.exe -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014466.exe -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014467.exe -> Adware.NewDotNet : Cleaned.
    C:\WINDOWS\system32\micro1\a1.exe -> Adware.NewDotNet : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016666.dll -> Adware.PurityScan : Cleaned.
    C:\kill button\OiUninstaller.exe -> Adware.PurityScan : Cleaned.
    HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP235\A0014447.exe -> Adware.Relevant : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014464.exe -> Adware.Relevant : Cleaned.
    C:\WINDOWS\itpb_3.exe -> Adware.Relevant : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009869.dll -> Adware.RK : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016675.exe -> Adware.RK : Cleaned.
    C:\Program Files\DeskAlerts\deskbar.dll -> Adware.Softomate : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008626.exe -> Adware.Softomate : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008638.exe -> Adware.Softomate : Cleaned.
    C:\WINDOWS\funnies.exe -> Adware.Softomate : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008540.exe -> Adware.SpySheriff : Cleaned.
    C:\WINDOWS\system32\micro1\a4.exe -> Adware.SurfSide : Cleaned.
    C:\RECYCLER\S-1-5-21-2548815652-3467953742-2837440639-1005\Dc7.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP224\A0006518.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP224\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP224\snapshot\MFEX-3.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP224\snapshot\MFEX-4.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP224\snapshot\MFEX-5.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\snapshot\MFEX-3.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\snapshot\MFEX-4.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\snapshot\MFEX-5.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\snapshot\MFEX-6.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0006525.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0006539.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0007537.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008537.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008659.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008666.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008684.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0009689.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\snapshot\MFEX-3.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\snapshot\MFEX-4.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\snapshot\MFEX-5.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\snapshot\MFEX-6.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP227\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009724.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009855.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP229\A0009897.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP229\A0010934.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP230\A0010953.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP230\A0010969.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012028.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012043.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0013043.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0013056.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP233\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013358.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013429.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013431.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013450.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP235\A0014437.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP235\A0014448.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP235\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014460.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014461.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014462.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014463.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015507.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015510.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015514.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015515.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015532.dll -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\snapshot\MFEX-1.DAT -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016681.exe -> Adware.TTC : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016693.dll -> Adware.TTC : Cleaned.
    C:\temp\backups\backup-20070506-142939-325.dll -> Adware.TTC : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Local Settings\Temp\is66953.exe -> Adware.Virtumonde : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015536.dll -> Adware.Virtumonde : Cleaned.
    C:\VundoFix Backups\iiffgdb.dll.bad -> Adware.Virtumonde : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0006537.exe -> Adware.WebBuying : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009845.exe -> Adware.WebBuying : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013437.exe -> Adware.WebBuying : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014470.exe -> Adware.WebBuying : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008607.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008682.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009717.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP229\A0010928.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP230\A0010966.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0011002.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0013053.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014475.exe -> Adware.ZenoSearch : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014476.exe -> Adware.ZenoSearch : Cleaned.
    C:\WINDOWS\system32\micro1\eno36.exe -> Adware.ZenoSearch : Cleaned.
    C:\WINDOWS\system32\owintodv.exe -> Adware.ZenoSearch : Cleaned.
    C:\Program Files\Online Services\zyrikucat.dll -> Adware.ZQuest : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008639.exe -> Adware.ZQuest : Cleaned.
    C:\WINDOWS\system32\micro1\a3.exe -> Adware.ZQuest : Cleaned.
    C:\WINDOWS\system32\smpi1\lib67.exe -> Adware.ZQuest : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0007546.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP230\A0010958.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP230\A0010977.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0011011.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012022.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012035.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012047.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume

  7. #7
    Member
    Join Date
    May 2007
    Posts
    32

    Default

    Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0013048.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0013065.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013420.dll -> Backdoor.Agent.alp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013442.dll -> Backdoor.Agent.alp : Cleaned.
    C:\WINDOWS\system32\WinHealer.dll -> Backdoor.Agent.alp : Cleaned.
    C:\WINDOWS\system32\comdlg77.dll -> Backdoor.Agent.alp : Cleaned.
    C:\WINDOWS\system32\qwertybot.exe -> Backdoor.Agent.alp : Cleaned.
    C:\WINDOWS\system32\max1d164v.exe -> Dialer.GBDialer.i : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008630.exe -> Downloader.Agent.ac : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008643.exe -> Downloader.Agent.ac : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP206\A0006282.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP206\A0006303.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006378.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006379.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006381.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006382.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006383.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006384.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006385.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006386.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006387.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006388.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006389.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006390.EXE -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP216\A0006391.exe -> Downloader.Agent.awf : Cleaned.
    C:\WINDOWS\ehome\ehtray.exe1175808859 -> Downloader.Agent.awf : Cleaned.
    C:\WINDOWS\system32\bak\lsasss.exe -> Downloader.Agent.awf : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008629.exe -> Downloader.Agent.bjn : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008642.exe -> Downloader.Agent.bjn : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009870.exe -> Downloader.Agent.bjn : Cleaned.
    C:\WINDOWS\eoo.exe -> Downloader.Agent.bjn : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Local Settings\Temp\wr-1-2000219.exe -> Downloader.Agent.bls : Cleaned.
    C:\WINDOWS\retadpu1000106.exe -> Downloader.Agent.bls : Cleaned.
    C:\WINDOWS\retadpu2000219.exe -> Downloader.Agent.bls : Cleaned.
    C:\WINDOWS\system32\smpi1\lib06.exe -> Downloader.Agent.bls : Cleaned.
    C:\WINDOWS\system32\vexga5me3.exe -> Downloader.Agent.bls : Cleaned.
    C:\WINDOWS\updater.exe -> Downloader.Agent.bls : Cleaned.
    C:\WINDOWS\system32\~.exe -> Downloader.Agent.bnn : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012016.dll -> Downloader.ConHook : Cleaned.
    C:\VundoFix Backups\c_8res.dll.bad -> Downloader.ConHook : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015535.dll -> Downloader.ConHook.bf : Cleaned.
    C:\VundoFix Backups\DELhcp.dll.bad -> Downloader.ConHook.bf : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Local Settings\Temp\sdexe.exe -> Downloader.PurityScan.af : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016665.exe -> Downloader.PurityScan.af : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Local Settings\Temp\YazzleBundle-1281.exe -> Downloader.PurityScan.eg : Cleaned.
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe -> Downloader.PurityScan.eg : Cleaned.
    C:\WINDOWS\system32\vexga3me2.exe -> Downloader.Small.eip : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Local Settings\Temp\xpre.exe -> Downloader.VB.axa : Cleaned.
    C:\WINDOWS\uni_eh10.exe -> Downloader.VB.tw : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0014468.sys -> Dropper.Agent.bbv : Cleaned.
    C:\WINDOWS\system32\qvxga6met3.exe -> Dropper.Small.avu : Cleaned.
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Dell Support\DSAgnt.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Messenger\msmsgs.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\QuickTime\qttask.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\Windows Defender\MSASCui.exe -> Hijacker.Agent.jh : Cleaned.
    C:\Program Files\iTunes\iTunesHelper.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006489.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006490.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006492.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006493.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006494.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006495.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006496.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006497.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006498.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006499.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006500.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006501.EXE -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006502.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP222\A0006503.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP238\A0016614.rbf -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016691.exe -> Hijacker.Agent.jh : Cleaned.
    C:\WINDOWS\ehome\ehtray.exe1176151984 -> Hijacker.Agent.jh : Cleaned.
    C:\WINDOWS\system32\DLA\DLACTRLW.EXE -> Hijacker.Agent.jh : Cleaned.
    C:\WINDOWS\system32\lsasss.exe -> Hijacker.Agent.jh : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008645.exe -> Hijacker.Agent.jp : Cleaned.
    C:\Program Files\Online Services\zyrikucat11.dll -> Hijacker.StartPage : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016694.dll -> Hijacker.StartPage : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP237\A0016549.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Local Settings\Temp\Install-Errorprotector-Free.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0013068.sys -> Not-A-Virus.SpamTool.Win32.Agent.af : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP234\A0013433.exe -> Proxy.Small.osw : Cleaned.
    C:\WINDOWS\system32\vexga4me1.exe -> Proxy.Xorpix.ar : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP236\A0015517.sys -> Rootkit.Agent.eq : Cleaned.
    :mozilla.6:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.7:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.8:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.17:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.22:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.54:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.55:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.56:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.57:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.58:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.59:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.23:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
    :mozilla.68:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.69:C:\Documents and Settings\Cathy Wolf\Application Data\Mozilla\Firefox\Profiles\r2f2nuqe.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Cathy Wolf\Cookies\cathy wolf@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008632.exe -> Trojan.Agent : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008647.exe -> Trojan.Agent : Cleaned.
    C:\WINDOWS\sammy.exe -> Trojan.Agent : Cleaned.
    C:\WINDOWS\system32\micro1\win5.exe -> Trojan.Agent : Cleaned.
    C:\WINDOWS\system32\smpi1\lb5.exe -> Trojan.Agent : Cleaned.
    C:\WINDOWS\ljkjkj.dll -> Trojan.Agent.agv : Cleaned.
    C:\system.exe -> Trojan.Agent.rw : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016692.exe -> Trojan.Bantool : Cleaned.
    C:\Program Files\Online Services\zyrikucat584.dll -> Trojan.BHO.ab : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP232\A0012008.dll -> Trojan.BHO.g : Cleaned.
    C:\VundoFix Backups\tmp1D2.tmp.dll.bad -> Trojan.BHO.g : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP228\A0009711.dll -> Trojan.BHO.o : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP239\A0016667.exe -> Trojan.Small : Cleaned.
    C:\WINDOWS\system32\windev-651d-2cfe.sys -> Trojan.Tibs.w : Cleaned.
    C:\RECYCLER\S-1-5-21-2548815652-3467953742-2837440639-1005\Dc9.exe -> Trojan.VB.tg : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0006538.exe -> Trojan.VB.tg : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008631.exe -> Trojan.VB.tg : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008637.exe -> Trojan.VB.tg : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP230\A0010984.exe -> Trojan.VB.tg : Cleaned.
    C:\WINDOWS\111uninst.exe -> Trojan.VB.tg : Cleaned.
    C:\WINDOWS\system32\micro1\mac7.exe -> Trojan.VB.tg : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008553.exe -> Worm.Nuwar : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008554.exe -> Worm.Nuwar : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008555.exe -> Worm.Nuwar : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008556.exe -> Worm.Nuwar : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008620.exe -> Worm.Nuwar : Cleaned.
    C:\WINDOWS\system32\vexga1me4t1.exe -> Worm.Zhelatin.by : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008557.exe -> Worm.Zhelatin.cs : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP226\A0008641.exe -> Worm.Zhelatin.cs : Cleaned.
    C:\WINDOWS\system32\inst.exe.exe -> Worm.Zhelatin.cs : Cleaned.
    C:\WINDOWS\system32\pdp.exe.exe -> Worm.Zhelatin.cs : Cleaned.
    C:\WINDOWS\system32\vexg4am1et2.exe -> Worm.Zhelatin.cs : Cleaned.
    C:\WINDOWS\system32\zup.exe.exe -> Worm.Zhelatin.cs : Cleaned.


    ::Report end

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    It looks like you have an infection which replaces legit files with malware. It has replaced e.g. your antivirus, so please keep surfing to a minimum before we get you clean again.

    Open HijackThis, click "Do a system scan only" and checkmark these:

    O2 - BHO: (no name) - {2E9AC12A-5A75-4F73-899D-46989096C12c} - C:\WINDOWS\system32\kabnxaan.dll (file missing)
    O2 - BHO: (no name) - {4794E1F0-33F7-463D-B8E4-55F0D47F84D4} - C:\Program Files\Windows NT\vigyqeb.dll (file missing)
    O2 - BHO: (no name) - {6FA6A171-A683-442D-AE71-2B4B9C4EFE70} - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O2 - BHO: 0 - {7497BE1C-CB9B-4677-16B0-CE5B30384AF5} - C:\Program Files\Online Services\zyrikucat773.dll (file missing)
    O2 - BHO: (no name) - {A9CDE63E-E103-4B9F-B219-DC8DEC1E8FA6} - C:\Program Files\Windows NT\vigyqeb.dll (file missing)
    O2 - BHO: (no name) - {C6FEE081-003A-47CC-9BB9-EA55C029F248} - C:\Program Files\Windows NT\vigyqeb.dll (file missing)
    O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\iiffgdb.dll (file missing)
    O2 - BHO: (no name) - {f86cbf13-8a30-4b42-821f-5de9b14f0ea8} - C:\WINDOWS\system32\DELhcp.dll (file missing)
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\rqsfgrdw.dll",realset
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)


    Close all windows, including your browser, and press "Fix checked".

    Reboot

    Delete if present:

    C:\WINDOWS\system32\rqsfgrdw.dll

    Empty Recycle Bin.

    Please download the following program and save it to your desktop:

    http://noahdfear.geekstogo.com/FindAWF.exe

    Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

    Post:

    - a fresh hijackthis log
    - findawf report
    Last edited by Shaba; 2007-05-09 at 10:29.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Member
    Join Date
    May 2007
    Posts
    32

    Default

    Hi.

    Sure, I'll keep the infected computer disconnected from the internet until this is resolved.

    Logs:

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:33:16 PM, on 5/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\kill button\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\temp\HijackThis.exe /startupscan
    O4 - Startup: Shortcut to pccguide.lnk = C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    AWF:


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\DELLSU~1\BAK

    05/15/2005 03:04 AM 332,800 DSAgnt.exe
    1 File(s) 332,800 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    10/30/2006 10:36 AM 256,576 iTunesHelper.exe
    1 File(s) 256,576 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    10/13/2004 12:24 PM 1,694,208 msmsgs.exe
    1 File(s) 1,694,208 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/25/2006 07:58 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\WIFD1F~1\BAK

    11/03/2006 06:20 PM 866,584 MSASCui.exe
    1 File(s) 866,584 bytes

    Directory of C:\WINDOWS\EHOME\BAK

    09/29/2005 03:01 PM 67,584 ehtray.exe
    1 File(s) 67,584 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/10/2004 06:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

    10/05/2005 04:12 AM 94,208 DMXLauncher.exe
    1 File(s) 94,208 bytes

    Directory of C:\PROGRA~1\MUSICM~1\MUSICM~3\BAK

    09/08/2005 08:20 PM 110,592 mm_tray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

    08/30/2005 05:36 PM 823,362 pccguide.exe
    1 File(s) 823,362 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    09/08/2005 06:20 AM 122,940 DLACTRLW.EXE
    1 File(s) 122,940 bytes

    Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

    06/10/2005 11:44 AM 81,920 issch.exe
    06/10/2005 11:44 AM 249,856 isuspm.exe
    2 File(s) 331,776 bytes

    Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

    11/19/2003 06:48 PM 32,881 jusched.exe
    1 File(s) 32,881 bytes

    Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

    04/11/2006 07:39 PM 176,201 TMAS_OEMon.exe
    1 File(s) 176,201 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    332800 May 15 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
    256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Feb 28 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
    108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
    1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
    1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
    282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
    59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
    64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
    67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
    15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    94208 Oct 5 2005 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
    110592 Sep 8 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
    110592 Sep 8 2005 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
    823362 Aug 30 2005 "C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe"
    122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
    122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
    81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
    249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
    83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
    356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEImp.exe"
    86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OL\TMAS_OLImp.exe"
    176201 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe"
    356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aupcc\product\TMAS_OE\TMAS_OEImp.exe"
    86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aupcc\product\TMAS_OL\TMAS_OLImp.exe"
    356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aubin\AU_Temp\1164_1840\1\113\TMAS_OE\TMAS_OEImp.exe"
    86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aubin\AU_Temp\1164_1840\1\113\TMAS_OL\TMAS_OLImp.exe"


    end of report

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Copy the text below to Notepad and save it as remawf.bat (save it as all files, *.*)

    @ECHO OFF
    move /Y "C:\Program Files\Dell Support\bak\DSAgnt.exe" "C:\Program Files\Dell Support"
    move /Y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
    move /Y "C:\Program Files\Messenger\bak\msmsgs.exe" "C:\Program Files\Messenger"
    move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
    move /Y "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\Program Files\Windows Defender"
    move /Y "C:\WINDOWS\ehome\bak\ehtray.exe" "C:\WINDOWS\ehome"
    move /Y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32"
    move /Y "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe" "C:\Program Files\Dell\Media Experience"
    move /Y "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe" "C:\Program Files\MUSICMATCH\Musicmatch Jukebox"
    move /Y "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE" "C:\WINDOWS\system32\DLA"
    move /Y "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe" "C:\Program Files\Common Files\InstallShield\UpdateService"
    move /Y "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" "C:\Program Files\Common Files\InstallShield\UpdateService"
    move /Y "C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe" "C:\Program Files\Trend Micro\Internet Security 12"
    move /Y "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe" "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE"

    It should look like this ->

    (In case you are unsure how to create a bat file, take a look here with screenshots.)

    Boot in safe mode

    Double-click remawf.bat; black DOS windows will flash, that's normal.

    Reboot

    Re-run findawf

    Post:

    - a fresh hijackthis log
    - findawf report
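FindAWF lists the bak folders with 8.3 short names in its first section and the bak copies with long quoted paths in its second, and a remawf.bat like the one in the reply above has to be hand-typed from those two lists. As an added example that is not Shaba's code and not part of FindAWF, the Python script below parses a report in that layout (the sample report and sample batch are constructed here, not the real awf.txt from this thread), checks each directory's "N File(s) X bytes" summary against its entries, generates the `move /Y` lines for every file that actually sits in a `bak` folder, and validates a hand-written batch against the report so that a malformed line or a move for a file the report never lists under `bak` is caught before the batch is run in safe mode.

```python
import re

# Constructed excerpt laid out like the FindAWF report posted in this thread: 8.3 short
# names in the first section, long quoted paths in the second. Sample input, not the real
# report; qttask.exe deliberately has no long-path line so the warning branch is exercised.
SAMPLE_REPORT = r"""
bak folders found
Directory of C:\PROGRA~1\QUICKT~1\BAK
10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
06/10/2005 11:44 AM 81,920 issch.exe
06/10/2005 11:44 AM 249,856 isuspm.exe
2 File(s) 331,776 bytes
Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK
04/11/2006 07:39 PM 176,201 TMAS_OEMon.exe
1 File(s) 176,201 bytes

Duplicate files of bak directory contents
81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEImp.exe"
176201 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe"
"""

# Constructed hand-written batch to validate: the MSASCui line has a stray quote, and the
# TMAS_OEImp line names a file that is not in any bak folder of the report.
SAMPLE_BATCH = r'''@ECHO OFF
move /Y "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe" "C:\Program Files\Common Files\InstallShield\UpdateService"
move /Y "C:\Program Files\Windows Defender\bak\MSASCui.exe" " "C:\Program Files\Windows Defender"
move /Y "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEImp.exe" "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE"
move /Y "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe" "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE"
'''

DIR_RE = re.compile(r"^Directory of (.+)$")
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M ([\d,]+) (.+)$")
TOTAL_RE = re.compile(r"^(\d+) File\(s\) ([\d,]+) bytes$")
DUP_RE = re.compile(r'^(\d+) [A-Za-z]{3} +\d{1,2} \d{4} "(.+)"$')
MOVE_RE = re.compile(r'^move /Y "([^"]+)" "([^"]+)"$', re.IGNORECASE)


def parse_bak_folders(report):
    """{short_dir: {filename: size}} from 'bak folders found'; raises if a summary line
    disagrees with the entries listed above it (a sign the report was edited or truncated)."""
    folders, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if m := DIR_RE.match(line):
            current = m.group(1)
            folders[current] = {}
        elif current and (m := FILE_RE.match(line)):
            folders[current][m.group(2)] = int(m.group(1).replace(",", ""))
        elif current and (m := TOTAL_RE.match(line)):
            files = folders[current]
            if int(m.group(1)) != len(files) or int(m.group(2).replace(",", "")) != sum(files.values()):
                raise ValueError(f"summary does not match entries in {current}")
            current = None
    return folders


def bak_copies(report):
    """Long paths from the duplicates section that sit directly inside a bak folder,
    keyed by lower-cased path -> (original path, restore destination = bak's parent)."""
    copies = {}
    for raw in report.splitlines():
        if m := DUP_RE.match(raw.strip()):
            parts = m.group(2).split("\\")
            if len(parts) >= 3 and parts[-2].lower() == "bak":
                copies[m.group(2).lower()] = (m.group(2), "\\".join(parts[:-2]))
    return copies


def build_restore_batch(report):
    """One 'move /Y' per bak copy, plus a warning for each bak file the short-name listing
    shows but the long-path listing does not (no path can be generated safely for it)."""
    copies = bak_copies(report)
    lines = ["@ECHO OFF"] + [f'move /Y "{src}" "{dst}"' for src, dst in copies.values()]
    known = {src.rsplit("\\", 1)[-1].lower() for src, _ in copies.values()}
    warnings = [f"no long path for {name} in {short_dir}; resolve it manually"
                for short_dir, files in parse_bak_folders(report).items()
                for name in files if name.lower() not in known]
    return lines, warnings


def validate_batch(batch_text, report):
    """Move lines that are malformed, name a source not in a bak folder, or use a
    destination other than that bak folder's parent."""
    copies, bad = bak_copies(report), []
    for line in (l.strip() for l in batch_text.splitlines() if l.lower().lstrip().startswith("move ")):
        m = MOVE_RE.match(line)
        entry = copies.get(m.group(1).lower()) if m else None
        if entry is None or entry[1].lower() != m.group(2).lower():
            bad.append(line)
    return bad


if __name__ == "__main__":
    batch, warns = build_restore_batch(SAMPLE_REPORT)
    print("\n".join(batch))
    for w in warns:
        print("WARNING:", w)
    for b in validate_batch(SAMPLE_BATCH, SAMPLE_REPORT):
        print("REJECT:", b)
```

With a real awf.txt, read the file's text into `build_restore_batch` and write the returned lines out as the .bat; the `validate_batch` pass is the step worth keeping even when the batch is written by hand, since a quoting slip or a guessed filename only shows up as a cryptic "cannot find the file" flash in safe mode otherwise.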
