Another Smitfraud-C 888 Toolbar Problem

O

OneStiffGT

New member
Hi, I just registered to the forums hoping you can help me out removing Smitfraud-C 888 Toolbar that gets detected on Spybot S&D, I remove it, but it keeps coming back...

I've tried to read other threads posted by other and follow similar steps but I wasn't successful, so I am asking for your help.

Here is my HJT Log.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 4:51:51 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\NeroCheck.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\WINDOWS\system32\devldr32.exe
f:\program files\internet explorer\iexplore.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\HJT\HijackThis.exe

O2 - BHO: 0 - {04A81C69-443C-4299-4CB8-90BA781A44B2} - F:\Program Files\Messenger\quzase.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10127F09-CEF5-4E19-A84C-3A38C9D15447} - F:\WINDOWS\system32\qgdjiosl.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - F:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {48B1A249-13FF-6B2E-F249-6BE337E7AD9A} - F:\WINDOWS\system32\yng.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - F:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - F:\WINDOWS\system32\ssqrrpq.dll
O2 - BHO: (no name) - {D9D735D6-1DEB-4C4B-9032-17ADFC96B920} - F:\WINDOWS\system32\ddayy.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ssqrrpq - F:\WINDOWS\SYSTEM32\ssqrrpq.dll
O20 - Winlogon Notify: winmyy32 - F:\WINDOWS\SYSTEM32\winmyy32.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Here is also the adwatch log, it detects a registery modification every second, and it is the repeat of the same thing...

5/6/2007 5:04:37 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value:AppInit_DLLs
Data:
New Data:F:\WINDOWS\system32\perfc000.dat
 
Last edited by a moderator:
Hi OneStiffGT

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
I ran vundo before posting the HJT logs... it had found 4 and I removed them

I ran vundo again and it doesn't find anything anymore
 
Hi

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes

    F:\WINDOWS\SYSTEM32\ssqrrpq.dll
    F:\WINDOWS\system32\qprrqss.*
  • Click Add Files and Click Close Window
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.[/list]
 
VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:19:36 AM 5/8/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete F:\WINDOWS\SYSTEM32\ssqrrpq.dll
F:\WINDOWS\SYSTEM32\ssqrrpq.dll Could not be deleted.

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 11:29:25 AM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\wuauclt.exe
F:\HJT\HijackThis.exe

O2 - BHO: 0 - {04A81C69-443C-4299-4CB8-90BA781A44B2} - F:\Program Files\Messenger\quzase.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10127F09-CEF5-4E19-A84C-3A38C9D15447} - F:\WINDOWS\system32\qgdjiosl.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - F:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {48B1A249-13FF-6B2E-F249-6BE337E7AD9A} - F:\WINDOWS\system32\yng.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - F:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - F:\WINDOWS\system32\ssqrrpq.dll
O2 - BHO: (no name) - {D9D735D6-1DEB-4C4B-9032-17ADFC96B920} - F:\WINDOWS\system32\ddayy.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winmyy32 - F:\WINDOWS\SYSTEM32\winmyy32.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: 0 - {04A81C69-443C-4299-4CB8-90BA781A44B2} - F:\Program Files\Messenger\quzase.dll
O2 - BHO: (no name) - {10127F09-CEF5-4E19-A84C-3A38C9D15447} - F:\WINDOWS\system32\qgdjiosl.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - F:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {48B1A249-13FF-6B2E-F249-6BE337E7AD9A} - F:\WINDOWS\system32\yng.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - F:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - F:\WINDOWS\system32\ssqrrpq.dll
O2 - BHO: (no name) - {D9D735D6-1DEB-4C4B-9032-17ADFC96B920} - F:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: winmyy32 - F:\WINDOWS\SYSTEM32\winmyy32.dll

Close all windows including browser and press fix checked.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Delete if present:

F:\Program Files\Messenger\quzase.dll
F:\PROGRA~1\Ofb11
F:\WINDOWS\SYSTEM32\winmyy32.dll
F:\WINDOWS\system32\ssqrrpq.dll
F:\WINDOWS\system32\yng.dll

Empty Recycle Bin
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
  1. AVG Anti-Spyware log
  2. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:32:09 PM 5/8/2007

+ Scan result:



C:\Documents and Settings\Administrator\Local Settings\Temp\180sainstallernusalm.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\res69.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINNT\cxtpls_loader.exe -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINNT\Buddy.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
F:\Program Files\WinBudget\bin\crap.1168987691.old -> Adware.BHO : Cleaned with backup (quarantined).
F:\Program Files\WinBudget\bin\matrix.dll -> Adware.BHO : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050794.dll -> Adware.BHO : Cleaned with backup (quarantined).
F:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
F:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\Temp\akcore.dll -> Adware.Coreak : Cleaned with backup (quarantined).
C:\WINNT\system32\akcore.dll -> Adware.Coreak : Cleaned with backup (quarantined).
C:\WINNT\system32\docore.dll -> Adware.Couponage : Cleaned with backup (quarantined).
C:\WINNT\system32\dosync.dll -> Adware.Couponage : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\1.dat -> Adware.ISearch : Cleaned with backup (quarantined).
C:\WINNT\system32\izxxzdsafsafczxcr.exe -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\B27577926\build2.exe -> Adware.MDH : Cleaned with backup (quarantined).
F:\Documents and Settings\Manimillion\NNSKYA638.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050719.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINNT\system32\tаskmgr.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
F:\Documents and Settings\Manimillion\My Documents\Оracle\ѕνchost.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
F:\HJT\backups\backup-20070508-141255-523.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051061.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\VBouncer\BundleOuter.EXE -> Adware.VirtualBouncer : Cleaned with backup (quarantined).
F:\HJT\backups\backup-20070508-141255-737.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051060.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
F:\VundoFix Backups\ssqrrpq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr7F6E\MediaAccess.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\temp\ja.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP258\A0047007.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\Program Files\AAALOGO\lde.exe -> Backdoor.Huai : Cleaned with backup (quarantined).
F:\WINDOWS\system32\perfc000.dat -> Backdoor.Small.os : Cleaned with backup (quarantined).
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MHVKL8VI\coolmomsplace[1].htm -> Downloader.Agent.ab : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP258\A0046999.dll -> Downloader.Agent.aqk : Cleaned with backup (quarantined).
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
F:\WINDOWS\system32\NeroCheck.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050763.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINNT\Temp\aklsp.dll -> Downloader.Agent.br : Cleaned with backup (quarantined).
C:\WINNT\system32\akupd.dll -> Downloader.Agent.br : Cleaned with backup (quarantined).
C:\WINNT\Temp\akrules.dll -> Downloader.Agent.bt : Cleaned with backup (quarantined).
C:\WINNT\system32\akrules.dll -> Downloader.Agent.bt : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.1\black.ocx -> Downloader.Agent.ex : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\black.ocx -> Downloader.Agent.ex : Cleaned with backup (quarantined).
C:\WINNT\system32\wldr.dll -> Downloader.Agent.kf : Cleaned with backup (quarantined).
F:\WINDOWS\smanager.7.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\WINNT\loadclean.exe -> Downloader.Delf.cb : Cleaned with backup (quarantined).
F:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Del68.tmp -> Downloader.Small.asf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP258\A0047377.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\6.dat -> Dropper.Small.ty : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\4.dat -> Dropper.Small.vv : Cleaned with backup (quarantined).
C:\WINNT\SSK_B5.EXE -> Dropper.SurfSide.a : Cleaned with backup (quarantined).
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MHVKL8VI\picsa[1].exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP257\A0046972.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP258\A0047001.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP258\A0047375.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CA2CJBXA\go[1].exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\SDFix\backups\backups.zip/backups/ms-25.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\SDFix\backups\backups.zip/backups/ms-5.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\SDFix\backups\backups.zip/backups/ms-53.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050949.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050950.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050951.exe -> Hijacker.Delf.fj : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP266\A0050861.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0049710.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050724.dll -> Logger.BZub.gq : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\7.dat -> Not-A-Virus.Downloader.Win32.Awmcash.a : Cleaned with backup (quarantined).
C:\WINNT\system32\intfsdffdsronsad.exe -> Not-A-Virus.Downloader.Win32.Awmcash.a : Cleaned with backup (quarantined).
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WBHRMQJL\208.101.11[1].htm -> Not-A-Virus.Exploit.HTML.IframeBof : Cleaned with backup (quarantined).
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6JI7ELM3\exploit[1].ani -> Not-A-Virus.Exploit.Win32.IMGANI.l : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050810.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
F:\Documents and Settings\LocalService\Cookies\system@stats.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\LocalService\Cookies\system@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\ManiAzeri\Cookies\maniazeri@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
F:\Documents and Settings\LocalService\Cookies\system@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ie.search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\LocalService\Cookies\system@porngraph[1].txt -> TrackingCookie.Porngraph : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
F:\Documents and Settings\LocalService\Cookies\system@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
F:\Documents and Settings\LocalService\Cookies\system@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050722.exe -> Trojan.Agent : Cleaned with backup (quarantined).
F:\WINDOWS\itpb_7.exe -> Trojan.Agent : Cleaned with backup (quarantined).
F:\Documents and Settings\Manimillion\zippy2.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
F:\HJT\backups\backup-20070508-141255-181.dll -> Trojan.BHO.ab : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051059.dll -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\3.dat -> Trojan.LowZones.y : Cleaned with backup (quarantined).
F:\HJT\backups\backup-20070508-141255-190.dll -> Trojan.OwlF.a : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051062.dll -> Trojan.OwlF.a : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050797.exe -> Trojan.Rond : Cleaned with backup (quarantined).
F:\WINDOWS\system32\wtsicc32.exe -> Trojan.Small : Cleaned with backup (quarantined).
F:\Documents and Settings\Manimillion\xx_uslw.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).
C:\WINNT\system32\intronsad.exe -> Trojan.Small.x : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 11:06:19 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winmyy32 - winmyy32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
Hi

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: winmyy32 - winmyy32.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

Post:

- a fresh hijackthis log
- findawf report
 
Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of F:\WINDOWS\SYSTEM32\BAK

07/09/2001 10:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of F:\PROGRA~1\LAVASOFT\AD-AWA~1\BAK

05/25/2005 12:12 PM 517,632 Ad-Watch.exe
1 File(s) 517,632 bytes

Directory of F:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "F:\WINDOWS\system32\bak\NeroCheck.exe"
517632 May 25 2005 "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
517632 May 25 2005 "F:\Program Files\Lavasoft\Ad-Aware SE Professional\bak\Ad-Watch.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "F:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report






Logfile of HijackThis v1.99.1
Scan saved at 2:22:32 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\WINDOWS\system32\devldr32.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
Hi

Copy text below to Notepad and save it as xxxx.bat (save it as all files, *.*)

@ECHO OFF
move /Y "F:\Program Files\Lavasoft\Ad-Aware SE Professional\bak\Ad-Watch.exe" "F:\Program Files\Lavasoft\Ad-Aware SE Professional"
move /Y "F:\WINDOWS\system32\bak\NeroCheck.exe" "F:\WINDOWS\system32"
move /Y "F:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" "F:\Program Files\Java\jre1.5.0_06\bin"

It should look like this ->
bat.JPG


(In case you are unsure how to create a bat file, take a look here with screenshots.)

Boot in safe mode

Doubleclick remawf.bat; black dos windows will flash, that's normal.

Reboot

Re-run findawf

Post:

- a fresh hijackthis log
- findawf report
 
Logfile of HijackThis v1.99.1
Scan saved at 5:43:44 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\WINDOWS\system32\devldr32.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe






Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of F:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of F:\PROGRA~1\LAVASOFT\AD-AWA~1\BAK

0 File(s) 0 bytes

Directory of F:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
 
Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh hijackthis log
- kaspersky report
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 11, 2007 2:31:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/05/2007
Kaspersky Anti-Virus database records: 317744
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 210226
Number of viruses found: 42
Number of infected objects: 68
Number of suspicious objects: 2
Duration of the scan process: 02:00:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\Temp\SskUpdater.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\SskUpdater.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\SskUpdater.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\SskUpdater.exe/InpB Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\SskUpdater.exe CAB: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051065.ocx Infected: Trojan-Downloader.Win32.Agent.ex skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051066.ocx Infected: Trojan-Downloader.Win32.Agent.ex skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051067.exe Infected: Trojan-Downloader.Win32.Delf.cb skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051068.EXE Infected: Trojan-Dropper.Win32.SurfSide.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051069.dll Infected: Trojan-Downloader.Win32.Agent.bt skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051070.dll Infected: Trojan-Downloader.Win32.Agent.bt skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051071.dll Infected: Trojan-Downloader.Win32.Agent.br skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051072.dll Infected: Trojan-Downloader.Win32.Agent.br skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051073.sys Infected: Trojan.Win32.Delprot.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051074.exe Infected: Backdoor.Win32.CommInet.s skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051075.dll Infected: Trojan-Downloader.Win32.Agent.kf skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051086.exe Infected: not-a-virus:AdWare.Win32.ISearch.d skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051087.exe/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051087.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051088.exe Infected: not-a-virus:AdWare.Win32.MDH.e skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051089.exe Infected: not-a-virus:AdWare.Win32.WinAD.at skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051090.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051090.EXE WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051090.EXE WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051091.exe Infected: not-a-virus:AdWare.Win32.BetterInternet skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051092.exe Infected: not-a-virus:AdWare.Win32.Apropos.b skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051093.dll Infected: not-a-virus:AdWare.Win32.Gator.1101 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051094.dll Infected: not-a-virus:AdWare.Win32.Coreak skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051095.dll Infected: not-a-virus:AdWare.Win32.Coreak skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051096.dll Infected: not-a-virus:AdWare.Win32.Couponage.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051097.dll Infected: not-a-virus:AdWare.Win32.Couponage.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051098.exe Infected: not-a-virus:AdWare.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051106.exe Infected: not-a-virus:Downloader.Win32.Awmcash.a skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Manimillion\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
F:\Documents and Settings\Manimillion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jar-8fea236-5df55636.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
F:\Documents and Settings\Manimillion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jar-8fea236-5df55636.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
F:\Documents and Settings\Manimillion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jar-8fea236-5df55636.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
F:\Documents and Settings\Manimillion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jar-8fea236-5df55636.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
F:\Documents and Settings\Manimillion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jar-8fea236-5df55636.zip ZIP: infected - 4 skipped
F:\Documents and Settings\Manimillion\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
F:\Documents and Settings\Manimillion\dnsersnd.exe Infected: Trojan-Clicker.Win32.Small.cf skipped
F:\Documents and Settings\Manimillion\leeman.exe Infected: Trojan-Downloader.Win32.Agent.bnn skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\ApplicationHistory\cli.exe.76111974.ini.inuse Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\History\History.IE5\MSHist012007051120070512\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temp\Perflib_Perfdata_208.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temp\Perflib_Perfdata_ad8.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temp\Perflib_Perfdata_af4.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\ntuser.dat Object is locked skipped
F:\Documents and Settings\Manimillion\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Manimillion\UserData\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050729.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050941.dll Suspicious: Packed.Win32.Morphine.a skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050948.dll Suspicious: Packed.Win32.Morphine.a skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051056.dll Infected: Trojan.Win32.Agent.qt skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051076.exe Infected: Trojan-PSW.Win32.Small.bs skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051077.exe/data0002 Infected: Trojan.Win32.BHO.ab skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051077.exe/data0004 Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051077.exe NSIS: infected - 2 skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051078.dll Infected: Trojan.Win32.BHO.ab skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051081.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051082.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051083.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051084.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051099.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051100.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051102.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051102.old Embedded EXE: infected - 1 skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051103.dll Infected: not-a-virus:AdWare.Win32.BHO.by skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051104.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051105.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP270\change.log Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\drvdon.dll Infected: Trojan.Win32.Agent.qt skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\nacivstr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
F:\WINDOWS\system32\perfc000.dat Infected: Backdoor.Win32.Small.os skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\system32\x.del Infected: Trojan.Win32.Agent.qt skipped
F:\WINDOWS\Temp\Perflib_Perfdata_6dc.dat Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Logfile of HijackThis v1.99.1
Scan saved at 2:32:46 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
Hi

Delete these:

C:\Documents and Settings\Administrator\Local Settings\Temp\SskUpdater.exe
F:\WINDOWS\system32\drvdon.dll
F:\WINDOWS\system32\nacivstr.dll
F:\WINDOWS\system32\perfc000.dat
F:\WINDOWS\system32\x.del

Empty this folder:

F:\Documents and Settings\Manimillion\Application Data\Sun\Java\Deployment\cache

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 12, 2007 6:29:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/05/2007
Kaspersky Anti-Virus database records: 318197
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 273865
Number of viruses found: 48
Number of infected objects: 90
Number of suspicious objects: 2
Duration of the scan process: 02:27:26

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051065.ocx Infected: Trojan-Downloader.Win32.Agent.ex skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051066.ocx Infected: Trojan-Downloader.Win32.Agent.ex skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051067.exe Infected: Trojan-Downloader.Win32.Delf.cb skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051068.EXE Infected: Trojan-Dropper.Win32.SurfSide.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051069.dll Infected: Trojan-Downloader.Win32.Agent.bt skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051070.dll Infected: Trojan-Downloader.Win32.Agent.bt skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051071.dll Infected: Trojan-Downloader.Win32.Agent.br skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051072.dll Infected: Trojan-Downloader.Win32.Agent.br skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051073.sys Infected: Trojan.Win32.Delprot.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051074.exe Infected: Backdoor.Win32.CommInet.s skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051075.dll Infected: Trojan-Downloader.Win32.Agent.kf skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051086.exe Infected: not-a-virus:AdWare.Win32.ISearch.d skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051087.exe/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051087.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051088.exe Infected: not-a-virus:AdWare.Win32.MDH.e skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051089.exe Infected: not-a-virus:AdWare.Win32.WinAD.at skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051090.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051090.EXE WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051090.EXE WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051091.exe Infected: not-a-virus:AdWare.Win32.BetterInternet skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051092.exe Infected: not-a-virus:AdWare.Win32.Apropos.b skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051093.dll Infected: not-a-virus:AdWare.Win32.Gator.1101 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051094.dll Infected: not-a-virus:AdWare.Win32.Coreak skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051095.dll Infected: not-a-virus:AdWare.Win32.Coreak skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051096.dll Infected: not-a-virus:AdWare.Win32.Couponage.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051097.dll Infected: not-a-virus:AdWare.Win32.Couponage.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051098.exe Infected: not-a-virus:AdWare.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051106.exe Infected: not-a-virus:Downloader.Win32.Awmcash.a skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061514.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061514.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061514.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061514.exe/InpB Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061514.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\change.log Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Manimillion\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
F:\Documents and Settings\Manimillion\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ActiveXComponent.class-2cd8806b-26526179.class Infected: Trojan.Win32.Diamin.js skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-4870c121.zip/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-4870c121.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-4870c121.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-4870c121.zip ZIP: infected - 3 skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-241dc523.zip/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-241dc523.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-241dc523.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-241dc523.zip ZIP: infected - 3 skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-146d9b28.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-146d9b28.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-146d9b28.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
F:\Documents and Settings\Manimillion\Desktop\siyavesh\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-146d9b28.zip ZIP: infected - 3 skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Documents and Settings\Manimillion\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
F:\Documents and Settings\Manimillion\dnsersnd.exe Infected: Trojan-Clicker.Win32.Small.cf skipped
F:\Documents and Settings\Manimillion\leeman.exe Infected: Trojan-Downloader.Win32.Agent.bnn skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\ApplicationHistory\cli.exe.76111974.ini.inuse Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temp\Perflib_Perfdata_52c.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temp\Perflib_Perfdata_b28.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temp\Perflib_Perfdata_b64.dat Object is locked skipped
F:\Documents and Settings\Manimillion\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Manimillion\ntuser.dat Object is locked skipped
F:\Documents and Settings\Manimillion\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Nima\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\8DQR01UF\mshlp32[1].htm Infected: Trojan-Dropper.Win32.Agent.atf skipped
F:\Nima\Documents and Settings\Nima .NIMA\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Nima\Documents and Settings\Nima .NIMA\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Nima\Documents and Settings\Nima .NIMA\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Nima\Documents and Settings\Nima .NIMA\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
F:\Nima\Documents and Settings\Nima .NIMA\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Application Data\Identities\{4EDD27B2-1F73-4052-AC21-55338E3E3183}\Microsoft\Outlook Express\Deleted Items.dbx/[From "postcard.com" <postcard@postcard.com>][Date Tue, 28 Mar 2006 07:38:24 -0500]/html Infected: Trojan.HTML.PCard.l skipped
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Application Data\Identities\{4EDD27B2-1F73-4052-AC21-55338E3E3183}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 1 skipped
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Application Data\Identities\{4EDD27B2-1F73-4052-AC21-55338E3E3183}\Microsoft\Outlook Express\Inbox.dbx/[From "PayPal Services" <services@paypal.com>][Date Fri, 10 Mar 2006 23:54:11 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.m skipped
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Application Data\Identities\{4EDD27B2-1F73-4052-AC21-55338E3E3183}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Temp\SHNT288.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\Nima\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP264\A0050729.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050941.dll Suspicious: Packed.Win32.Morphine.a skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0050948.dll Suspicious: Packed.Win32.Morphine.a skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051056.dll Infected: Trojan.Win32.Agent.qt skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051076.exe Infected: Trojan-PSW.Win32.Small.bs skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051077.exe/data0002 Infected: Trojan.Win32.BHO.ab skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051077.exe/data0004 Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051077.exe NSIS: infected - 2 skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051078.dll Infected: Trojan.Win32.BHO.ab skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051081.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051082.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051083.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051084.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051099.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051100.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051102.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051102.old Embedded EXE: infected - 1 skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051103.dll Infected: not-a-virus:AdWare.Win32.BHO.by skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051104.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP267\A0051105.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0054486.exe Infected: Trojan.Win32.Agent.xk skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0054540.sys Infected: Backdoor.Win32.Haxdoor.ii skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0054541.sys Infected: Backdoor.Win32.Haxdoor.ii skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061515.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\A0061516.dll Infected: Trojan.Win32.Agent.qt skipped
F:\System Volume Information\_restore{795D6D6C-833B-4800-8438-A57CF080AC85}\RP274\change.log Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
 
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\perfc000.dat Infected: Backdoor.Win32.Small.os skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\Perflib_Perfdata_5f8.dat Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Logfile of HijackThis v1.99.1
Scan saved at 6:31:49 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\MSN Messenger\usnsvc.exe
F:\WINDOWS\system32\ntvdm.exe
F:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: F:\WINDOWS\system32\perfc000.dat
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
Hi

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Delete these mails:

F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Application Data\Identities\{4EDD27B2-1F73-4052-AC21-55338E3E3183}\Microsoft\Outlook Express\Deleted Items.dbx/[From "postcard.com" <postcard@postcard.com>][Date Tue, 28 Mar 2006 07:38:24 -0500]/html Infected: Trojan.HTML.PCard.l skipped
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Application Data\Identities\{4EDD27B2-1F73-4052-AC21-55338E3E3183}\Microsoft\Outlook Express\Inbox.dbx/[From "PayPal Services" <services@paypal.com>][Date Fri, 10 Mar 2006 23:54:11 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.m skipped

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

F:\WINDOWS\system32\perfc000.dat
F:\Documents and Settings\Manimillion\dnsersnd.exe
F:\Documents and Settings\Manimillion\leeman.exe
F:\Nima\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\8DQR01UF\mshlp32[1].htm
F:\Nima\Documents and Settings\Nima .NIMA\Local Settings\Temp\SHNT288.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
Logfile of HijackThis v1.99.1
Scan saved at 2:54:00 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\WINDOWS\system32\devldr32.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
F:\Program Files\MSN Messenger\usnsvc.exe
F:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38758BC7-03BB-4FC5-9C39-491B9F333F11}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{6997802A-5F40-4112-87D9-EAAE31AE4577}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{9691CF80-9A9E-45E9-9E4A-B666AF7DFDC9}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7CDEE57-8186-4157-9013-77B7208A9F4D}: NameServer = 194.54.90.226
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
You must log in or register to reply here.
Back
Top