I need help...can't get rid of viruses!

Mysticbear

New member
I have contracted a virus through MSN Messenger and I can't get rid of it.
I have used the following virus scanners:
Spy Bot s&d
Spy Sweeper-Webroot
Ad-Aware
All of these have been unable to completely clear my computer of whatever it is that is not right.
When I do the Spy Bot scan it says that I have smitfraud.C and Microsoft.Windows.Redirectedhosts, NewDotNet, Avenue A, DoubleClick, CoreMetrics and AV-Gold, but it won't fix the problem.
I cannot remember what it is telling me for Spy Sweeper or Ad Aware.
In my add or remove programs list it also said that I had Outerinfo...I got rid of it through HiJack.This (won't let me spell the whole word or my window shuts down), as well as Bar888.
Some help would be greatly appreciated as I am a virus dummy!
Thank you in advance!
As well there is an icon that looks like mine on my desktop that says "Click to find and Fix errors"
 
Oh yeah

I also have had some luck with hijack.this and have been able to get a log. I am not sure if it is right or not.
Also I tried to do an online scan and it won't let me visit any of the sites, so I was unable to do so.
Here is the hijack.this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:54:19 PM, on 1/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchosts.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\dyfrism\winlogon.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RACLE~1\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\??pPatch\?hkdsk.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8e533859-9309-4333-bab7-f3de4a5942c3} - C:\WINDOWS\system32\dbme32.dll (file missing)
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{CC2C697E-0821-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [{CC2C697E-0822-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Bano] "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Aqsz] C:\WINDOWS\??pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O20 - Winlogon Notify: dbme32 - dbme32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
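As an added example that is not part of the original thread (and not HijackThis or any of the tools mentioned): a small Python triage script that reads HijackThis log text and flags the two things that stand out in the log above, the O1 hosts lines pinning security-vendor domains to 1.1.1.1 (which is why the online scanners and vendor sites cannot be reached) and files named like Windows system binaries, or one-character variants such as svchosts.exe, that run from directories where the real binary never lives. The vendor-domain list and the system-binary home directories are assumptions of the example; the sample input is an excerpt of the log above.

```python
"""HijackThis log triage: added example, not code from the thread or from
HijackThis. Flags two patterns visible in the log above: O1 hosts entries
that pin security-vendor domains to a fixed address (why the vendor and
online-scanner sites "won't let me visit"), and executables that borrow a
Windows system binary's name, or a one-character variant of it, while
living outside that binary's real home directory."""
import re
from dataclasses import dataclass

# Vendor/support domains nobody legitimately pins in a hosts file; suffix
# match, so "liveupdate.symantec.com" matches "symantec.com" (assumed list).
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "nai.com",
    "grisoft.com", "trendmicro.com", "pandasoftware.com", "kaspersky.com",
    "ewido.net", "zonelabs.com", "bitdefender.com", "avast.com",
    "spywareinfo.com", "merijn.org", "sysinternals.com", "safety.live.com",
    "virusscan.jotti.org", "support.microsoft.com", "onguardonline.gov",
)
# System binaries malware likes to impersonate, and the only directory each
# legitimately runs from on Windows XP (lower-case for comparison; assumed).
SYSTEM_BINARY_HOMES = {
    "winlogon.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
# Drive-letter path ending in an executable extension; spaces are allowed,
# a quote or comma ends it (HijackThis quotes paths that contain spaces).
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n,]+?\.(?:exe|dll|com)\b)', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "hosts-hijack", "masquerade" or "lookalike"
    detail: str


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    long, short = (a, b) if len(a) > len(b) else (b, a)
    if len(long) - len(short) != 1:
        return False
    k = next((i for i, (x, y) in enumerate(zip(long, short)) if x != y), len(short))
    return long[:k] + long[k + 1:] == short


def classify_path(path: str):
    """Finding for an executable path that impersonates a system binary, else None."""
    directory, _, name = path.lower().rpartition("\\")
    directory = directory.rstrip("\\")   # tolerates "System32\\NeroCheck.exe"
    if name in SYSTEM_BINARY_HOMES:
        if directory == SYSTEM_BINARY_HOMES[name]:
            return None
        return Finding("masquerade", f"{name} running from {directory}")
    for real in SYSTEM_BINARY_HOMES:
        if one_edit_apart(name, real):
            return Finding("lookalike", f"{directory}\\{name} mimics {real}")
    return None


def triage(log_text: str) -> list:
    """Scan HijackThis log text; return unique findings in order of appearance."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            ip, host = m.group(1), m.group(2).lower()
            hit = any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)
            new = [Finding("hosts-hijack", f"{host} -> {ip}")] if hit else []
        else:
            new = [f for f in map(classify_path, PATH_RE.findall(line)) if f]
        for f in new:
            if f not in findings:   # the same path shows up in several sections
                findings.append(f)
    return findings


# Excerpt of the HijackThis log posted above, used here as sample input.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\dyfrism\winlogon.exe
C:\WINDOWS\System32\RACLE~1\explorer.exe
C:\WINDOWS\explorer.exe
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Bano] "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000282 (file missing)
"""
```

Running `triage(SAMPLE_LOG)` yields six findings: the svchosts.exe lookalike, the two misplaced winlogon.exe and explorer.exe copies, and three hosts hijacks, while the legitimate winlogon.exe, explorer.exe and Adobe BHO lines produce nothing.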
 
Tried this:

I tried this removal tool while I was waiting for a response. I figured it might help out some later on in this game!!!

Here is the log from the Smitfraudfix.exe

SmitFraudFix v2.132

Scan done at 21:46:47.73, Mon 01/01/2007
Run from C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\keyboard1.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\svchosts.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mom and Dad


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mom and Dad\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MOMAND~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




I hope that this helps and doesn't mess anything else up!! Thanks
 
Just something else I tried

I noticed that someone had the same problem as me and it has taken a while for me to get a reply, so I have also tried this, as suggested to Giltrap by Mr_Jak3:


Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\svchosts.exe
Click on Send
Wait for the scan to end.

Copy & paste the scan results here.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


This is the log I got from virustotal:
STATUS: FINISHED
Complete scanning result of "svchosts.exe", received in VirusTotal at 01.03.2007, 20:11:01 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.03.2007 TR/Dldr.Agent.bca.11
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.03.2007 Generic2.MHF
BitDefender 7.2 01.03.2007 Adware.Softomate.Z
CAT-QuickHeal 8.00 01.03.2007 no virus found
ClamAV devel-20060426 01.03.2007 no virus found
DrWeb 4.33 01.03.2007 no virus found
eSafe 7.0.14.0 01.02.2007 no virus found
eTrust-InoculateIT 23.73.103 01.03.2007 no virus found
eTrust-Vet 30.3.3299 01.03.2007 no virus found
Ewido 4.0 01.03.2007 Downloader.Agent.bca
Fortinet 2.82.0.0 01.03.2007 W32/Agent.BCA!tr.dldr
F-Prot 3.16f 01.02.2007 no virus found
F-Prot4 4.2.1.29 01.03.2007 no virus found
Ikarus T3.1.0.27 01.03.2007 no virus found
Kaspersky 4.0.2.24 01.03.2007 Trojan-Downloader.Win32.Agent.bca
McAfee 4931 01.03.2007 Matcash
Microsoft 1.1904 01.03.2007 no virus found
NOD32v2 1954 01.03.2007 no virus found
Norman 5.80.02 12.31.2007 W32/Softomate.ES.dropper
Panda 9.0.0.4 01.03.2007 Adware/Maxifiles
Prevx1 V2 01.03.2007 Trojan.SystemPoser
Sophos 4.13.0 01.02.2007 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.141 01.01.2007 no virus found
UNA 1.83 01.03.2007 no virus found
VBA32 3.11.1 01.03.2007 no virus found
VirusBuster 4.3.19:9 01.03.2007 no virus found


Aditional Information
File size: 36864 bytes
MD5: 7b69c00ba9f072dd06d61411fc09ded5
SHA1: c080169d9b2824399e3dd7a9678487e67841f4c5
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 36864 bytes.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\{837F873E-0000-1044--popo0000}.
* Creates directory C:\WINDOWS\{837F873E-0000-1044--popo0000}.
* Creates file C:\WINDOWS\{837F873E-0000-1044--popo0000}\directorexe.lzma.
* Creates file C:\WINDOWS\{837F873E-0000-1044--popo0000}\Update.exe.
* Deletes file C:\WINDOWS\{837F873E-0000-1044--popo0000}\directorexe.lzma.
* Deletes file C:\WINDOWS\{837F873E-0000-1044--popo0000}\directordll.lzma.

[ Changes to registry ]
* Creates key "HKLMSoftwareHARDWAREDESCRIPTIONSystemCentralProcessor
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=42b766636399




And the log I got from ComboFix:

Mom and Dad - 07-01-03 11:15:42.45 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Mom and Dad\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\taskkill.com
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\{3C2C697E-0821-1033-0421-041028030001}
C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\PPATCH~1
C:\QooBox\Purity\WINDOWS\PPATCH~1\?hkdsk.exe
C:\QooBox\Purity\WINDOWS\system32\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1\explorer.exe
C:\QooBox\Purity\WINDOWS\system32\RACLE~1\?racle


((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))


2007-01-03 11:19 <DIR> d-------- C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
2007-01-01 21:46 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-01 21:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-01 21:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-01 21:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-01 21:46 3,670 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-01 21:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-01 21:46 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-01 19:34 <DIR> d-------- C:\Program Files\HJT
2007-01-01 16:04 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-01-01 16:04 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-01-01 16:04 15,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-01-01 16:04 15,360 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-01-01 16:04 14,848 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-01-01 16:04 122,368 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-01-01 16:04 <DIR> d-------- C:\Program Files\Webroot
2007-01-01 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-01-01 16:02 <DIR> d-------- C:\Documents and Settings\Mom and Dad\Application Data\Webroot
2006-12-31 01:00 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2006-12-31 00:30 <DIR> d-------- C:\Program Files\PeDevice
2006-12-30 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-30 20:59 <DIR> d-------- C:\Documents and Settings\Mom and Dad\Application Data\Lavasoft
2006-12-30 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2006-12-30 20:57 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
2006-12-30 20:57 <DIR> d-------- C:\Program Files\Outerinfo
2006-12-30 20:27 <DIR> d-------- C:\Program Files\Ipwindows
2006-12-30 20:25 92,485 --a------ C:\gp.exe
2006-12-30 20:25 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-30 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-30 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-30 18:12 <DIR> d--hs---- C:\WINDOWS\system32\dyfrism
2006-12-23 09:12 <DIR> d-------- C:\Program Files\Santa
2006-12-12 06:43 183,808 --a-s---- C:\WINDOWS\NDNuninstall7_48.exe
2006-12-03 20:50 <DIR> d-------- C:\Program Files\QuickTime
2006-12-03 20:49 <DIR> d-------- C:\Program Files\iTunes
2006-12-03 20:48 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-03 11:19 -------- d-------- C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
2007-01-03 11:19 -------- d-------- C:\Program Files\Common Files
2007-01-01 16:27 -------- d-------- C:\Program Files\Windows NT
2007-01-01 16:27 -------- d-------- C:\Program Files\Windows Media Player
2007-01-01 16:27 -------- d-------- C:\Program Files\Internet Explorer
2006-12-30 20:58 -------- d-------- C:\Program Files\Google
2006-12-30 20:38 -------- d-a-s---- C:\Program Files\NewDotNet
2006-12-30 20:38 -------- d-------- C:\Program Files\Free Offers from Freeze.com
2006-12-23 19:41 1226 --a------ C:\Documents and Settings\Mom and Dad\Application Data\AdobeDLM.log
2006-12-03 20:47 -------- d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Bano"="\"C:\\WINDOWS\\System32\\RACLE~1\\explorer.exe\" -vt yazb"
"Aqsz"="C:\\WINDOWS\\??pPatch\\?hkdsk.exe"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.2480\\GoogleToolbarNotifier.exe\""
"winlogon"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"QuickFinder Scheduler"="\"C:\\WUTemp\\Programs\\QFSCHD100.EXE\""
"ViewMgr"="\"C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe\""
"ht5nkgki"="C:\\WINDOWS\\System32\\ht5nkgki.exe"
"AcctMgr"="\"C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe\" /startup"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"{CC2C697E-0821-1033-0421-041028030001}"="\"C:\\Program Files\\Common Files\\{CC2C697E-0821-1033-0421-041028030001}\\Update.exe\" te-110-12-0000282"
"{CC2C697E-0822-1033-0421-041028030001}"="\"C:\\Program Files\\Common Files\\{CC2C697E-0822-1033-0421-041028030001}\\Update.exe\" te-110-12-0000282"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"winlogon"=""
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbme32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job
C:\WINDOWS\tasks\wrSpySweeper_66D7702AC3264E8FAE2BDA71DAFD43F6.job

Completion time: 07-01-03 11:19:52.17
C:\ComboFix.txt ... 07-01-03 11:19
C:\ComboFix2.txt ... 07-01-03 11:14

Hope this helps some anyways!
 
Here is an updated HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:36 AM, on 1/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\WINDOWS\System32\svchosts.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dyfrism\winlogon.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{CC2C697E-0821-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [{CC2C697E-0822-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Bano] "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Aqsz] C:\WINDOWS\??pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: dbme32 - dbme32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
Hi and welcome to the Forums :)

You've got quite a nice collection of infections there...

Please Download LSPFix from http://www.cexx.org/lspfix.htm
Don't use it yet.

You should print these instructions or save these to a text file. Follow these instructions carefully.

First, you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable SpySweeper's realtime protection.
  • Open Spysweeper and click on Options
  • Choose Program Options and uncheck "load at windows startup".
  • On the left click "shields" and then uncheck everything.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
  • Exit the program.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen, under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:
NewDotNet
New.Net
Viewpoint
Free Offers from Freeze.com
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
MarketScore
Relevant Knowledge

and any other programs you didn't install or don't recognize - if you're not sure please ask first

Restart the computer.

===========
If you can't access the internet after the reboot, run LSPFix. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and place all listings of mkls.dll into the Remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the Finish button.

Then Reboot and you should be able to connect to the internet.
==========

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
Update.exe
svchosts.exe <-- svchostS, svchost is legitimate

Disable bad services
  • Start
  • Run
  • Type services.msc to the field and press enter.
  • A window opens, scroll down to COM+ Messages
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.
Then, open HijackThis.
  • Open the Misc Tools section
  • Delete an NT service
  • Copy the following line to the box and press OK; COM+ Messages
  • Answer Yes
  • Close HijackThis
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [{CC2C697E-0821-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [{CC2C697E-0822-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Bano] "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Aqsz] C:\WINDOWS\??pPatch\?hkdsk.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O20 - Winlogon Notify: dbme32 - dbme32.dll (file missing)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\wnsapiit.exe
C:\WINDOWS\System32\ht5nkgki.exe
C:\gp.exe
C:\WINDOWS\system32\svchosts.exe

Go to the My Computer and delete the following folders (if present):
C:\Program Files\MarketScore
C:\Program Files\Relevant Knowledge
C:\Program Files\Outerinfo
C:\Program Files\Ipwindows
C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
C:\Program Files\NewDotNet
C:\Program Files\Free Offers from Freeze.com
C:\WINDOWS\System32\dyfrism
C:\Program Files\Viewpoint

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

We'll reset your hosts file. If you used a customized hosts file you need to set that again after the cleaning. Download the free Hoster v3.5 from here: http://www.funkytoad.com/content/view/13/
When you have it click on the button to "Restore Microsoft's Hosts File", follow any prompts.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
 
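The O1 entries fixed above are why none of the online scanners could be reached: every vendor and update domain was mapped to 1.1.1.1 in the hosts file. As an added example that is not part of this thread, here is a small Python checker that reads HijackThis "O1 - Hosts:" lines or raw hosts-file lines and reports any protected domain mapped anywhere; the domain list is a subset of the log above and the sample lines are constructed.

```python
"""Flag hosts-file hijacks of security-vendor and update domains.

Added example, not code from the thread. Accepts HijackThis 'O1 - Hosts:'
lines and raw hosts-file lines; any mapping of a protected domain is
reported, whatever the target address, because a clean hosts file has no
reason to contain such an entry at all (older variants used 127.0.0.1).
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Domain suffixes a hosts file should never map. Subset of the O1 entries in
# the log above; extend as needed for your environment.
PROTECTED_SUFFIXES = (
    "symantec.com", "mcafee.com", "nai.com", "sophos.com", "f-secure.com",
    "trendmicro.com", "kaspersky.com", "bitdefender.com", "grisoft.com",
    "ewido.net", "microsoft.com", "sysinternals.com", "jotti.org",
)

# HijackThis O1 line: "O1 - Hosts: <address> <hostname>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str


def parse_line(line: str) -> list[HostsEntry]:
    """Parse one HijackThis O1 line or one raw hosts-file line.

    Returns [] for comments, blank lines, other HijackThis sections and any
    line whose first field is not an IP address. A raw hosts line may map
    several hostnames to one address, so a list is returned.
    """
    text = line.strip()
    m = O1_RE.match(text)
    # Normalise an O1 line into the "<address> <hostname>" shape of a hosts
    # line; for raw lines drop a trailing "# comment".
    body = f"{m.group(1)} {m.group(2)}" if m else text.split("#", 1)[0]
    fields = body.split()
    if len(fields) < 2:
        return []
    try:
        ipaddress.ip_address(fields[0])
    except ValueError:
        return []  # e.g. an O4 line, whose first field is "O4"
    return [HostsEntry(fields[0], name.lower()) for name in fields[1:]]


def is_protected(hostname: str) -> bool:
    """True when hostname is a protected domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def find_hijacks(lines) -> dict[str, list[str]]:
    """Map each target address to the protected hostnames pointed at it.

    Grouping by address makes the pattern in the log above obvious: one
    sinkhole address collecting every vendor domain.
    """
    hits: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        for entry in parse_line(line):
            if is_protected(entry.hostname):
                hits[entry.address].append(entry.hostname)
    return dict(hits)


# Constructed sample: two lines in the HijackThis O1 format of the log above,
# a raw hosts line mapping two names at once, entries a clean machine may
# legitimately have, a comment, and an unrelated O4 line.
SAMPLE_LINES = [
    "O1 - Hosts: 1.1.1.1 liveupdate.symantec.com",
    "O1 - Hosts: 1.1.1.1 support.microsoft.com",
    "1.1.1.1 housecall.trendmicro.com www.trendmicro.com   # two names",
    "127.0.0.1 localhost",
    "192.0.2.10 intranet.example",
    "# 102.54.94.97 rhino.acme.com",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe",
]

if __name__ == "__main__":
    for address, names in find_hijacks(SAMPLE_LINES).items():
        print(f"{len(names)} protected domain(s) redirected to {address}:")
        for name in names:
            print("   ", name)
```

Run it against the output of `type %SystemRoot%\system32\drivers\etc\hosts` or a saved HijackThis log; an empty result means no vendor domain is being redirected.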
Ahhhh Man......

Nope that one is not working!
It just comes up as
Cannot find server-Microsoft Internet Explorer
and on the actual page itself it says
The page cannot be displayed!
 
Oh my gosh!!!

I found a back door to downloading AVG Anti-Spyware
But my screen keeps closing on me every time that I try to
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to COM+ Messages
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK

It won't let me Set Startup to Disabled...It just keeps closing on me before I can even find where to click it!!!
 
Ok...you still have nasties there...Let's try the following

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the icon next to the files found
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log
 
Getting somewhere at least......I think!!??!?!

Here is the updated Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:34:48 AM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Here is the log from Dr.Web Cureit:

01_-_Eight_easy_steps.mp3;C:\Documents and Settings\Megan\Local Settings\Temp;Trojan.DownLoader.1729;Deleted.;
blake shelton-blake shelton-some beach.mp3;C:\Documents and Settings\Megan\Local Settings\Temp;Trojan.DownLoader.1729;Deleted.;
p2psetup.exe\data001;C:\Documents and Settings\Megan\Local Settings\Temp\p2psetup.exe;Adware.PeerNet;;
p2psetup.exe;C:\Documents and Settings\Megan\Local Settings\Temp;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Blake Shelton - Blake Shelton - 5 - Ol' Red.wma;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
Blake Shelton - Ol' Red - 5.wma;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
blake shelton-some beach-blake shelton.mp3;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
Gonna Be My Girl.wma;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
rdesktop.exe;C:\Program Files\01 Com\I'm InTouch\BIN;Probably DLOADER.Trojan;Incurable.Moved.;
adwarefilter-log.txt;C:\Program Files\AdwareFilter-savelogs;Probably MACRO.SCRIPT.IRC.WORM.Virus;Incurable.Moved.;
GoogleUpdaterInstallMgr.exe;C:\Program Files\Google\Google Updater\2.0.711.37800;Probably DLOADER.Trojan;Incurable.Moved.;
ipwins.dll;C:\Program Files\Ipwindows;Adware.Maxifiles;Incurable.Moved.;
ipwins.exe;C:\Program Files\Ipwindows;Adware.Maxifiles;Incurable.Moved.;
OemjiPls.dll;C:\Program Files\Oemji\OemjiSearchPlus;Adware.IEFriend;Incurable.Moved.;
NDNuninstall6_98.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
NDNuninstall7_48.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
__delete_on_reboot__s_w_i_n_r_p_e_x_._e_x_e_;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Moved.;


Also....It wouldn't let me save the scan report for AVG. I am unsure as to why, but the AVG example that you have on the screen looks nothing like the one that I have downloaded.
Also this is a list of the Program Files.. ..Some of them look suspicious (SP?), so if you could take a look and tell me if I should delete some that would be great!
Thank you!
found.000-----folder
boot.ini.bak------bak file
Config----Systemfile
NT Detect---------MS DOS Application
ntldr------system file
pagefile-------system file
rapport-----notepad
UNWISE------Icon that looks like a trash can

The above are in the C: drive and the ones below are in the Program Files on the C: drive and are all folders


OICOM-----Folder
Netmeeting------Folder
NoAdware3
PeDevice
Xldfoyy
Windows NT
Yaplock
noadware------is a computer software Icon!
 
Hi :)

Please don't delete anything yet, most of those were legitimate.

We'll check one thing before continuing:

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.
 
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-15 08:29:22
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT 85399718 ZwAllocateVirtualMemory
SSDT 853B48B0 ZwCreateKey
SSDT 85399C40 ZwCreateProcess
SSDT 85399BC8 ZwCreateProcessEx
SSDT 853999E8 ZwCreateThread
SSDT 8537D0A8 ZwDeleteKey
SSDT 85399CB8 ZwDeleteValueKey
SSDT 85399790 ZwQueueApcThread
SSDT 85399628 ZwReadVirtualMemory
SSDT 8538D0A8 ZwRenameKey
SSDT 85399880 ZwSetContextThread
SSDT 85399DA8 ZwSetInformationKey
SSDT 85399AD8 ZwSetInformationProcess
SSDT 853998F8 ZwSetInformationThread
SSDT 85399D30 ZwSetValueKey
SSDT 85399A60 ZwSuspendProcess
SSDT 85399808 ZwSuspendThread
SSDT 85399B50 ZwTerminateProcess
SSDT 85399970 ZwTerminateThread
SSDT 853996A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwCallbackReturn + 2048 804FBD5C 8 Bytes [ 40, 9C, 39, 85, C8, 9B, 39, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 231C 804FC030 8 Bytes [ D8, 9A, 39, 85, F8, 98, 39, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 2380 804FC094 8 Bytes [ 60, 9A, 39, 85, 08, 98, 39, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 2390 804FC0A4 8 Bytes [ 50, 9B, 39, 85, 70, 99, 39, ... ]
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033FC8

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1900] kernel32.dll!CreateThread + 18 77E7BE6B 4 Bytes [ C1, 2F, 5D, 88 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D928 77F51000 53 Bytes [ 76, F2, FF, FF, 68, E1, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D960 77F51038 65 Bytes [ 98, 2E, 00, FF, AD, 3F, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D9A2 77F5107A 1 Byte [ 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D9A4 77F5107C 61 Bytes [ 89, 23, 00, DF, BD, 4B, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D9E2 77F510BA 1 Byte [ 00 ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 50 77F55484 96 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + B1 77F554E5 146 Bytes [ 14, 4C, EB, 16, 45, DA, 12, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 144 77F55578 121 Bytes [ FF, FF, FF, FF, FF, FF, FD, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 1BE 77F555F2 15 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 1CF 77F55603 4 Bytes [ FF, FF, FF, FF ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlNormalizeProcessParams + 4D 77F556AF 64 Bytes [ 74, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitNlsTables + A 77F556F0 9 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitNlsTables + 14 77F556FA 9 Bytes [ FF, FF, FF, FF, 74, 74, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitNlsTables + 1E 77F55704 208 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitializeCriticalSection + 3 77F557D5 106 Bytes JMP 56C717C6
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitializeCriticalSection + 6E 77F55840 67 Bytes [ FF, FF, FF, FA, F9, FA, FA, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 33 77F55884 2 Bytes [ FF, FF ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 36 77F55887 3 Bytes [ FF, FF, FF ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 3A 77F5588B 72 Bytes [ FF, FF, FF, 74, 74, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 83 77F558D4 92 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + E0 77F55931 165 Bytes [ FF, FF, FF, F7, E7, EF, BC, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + BE 77F56FD9 12 Bytes [ FF, FF, FF, FF, FF, 74, 74, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + CB 77F56FE6 76 Bytes [ FF, D1, A0, FF, C6, 7B, F1, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + 118 77F57033 67 Bytes [ FE, FF, FF, FC, D8, B3, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + 15D 77F57078 10 Bytes [ FF, FF, FF, FF, FF, FF, 74, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + 168 77F57083 2 Bytes [ FF, FF ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 89 77F57217 78 Bytes [ FF, FF, ED, F1, FB, 99, BE, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + D8 77F57266 97 Bytes [ FF, FF, FF, FC, FC, FD, A1, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 13A 77F572C8 125 Bytes [ 20, 58, FC, 1E, 51, EB, 1B, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 1B8 77F57346 195 Bytes [ CA, 96, EC, ED, EB, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 27C 77F5740A 25 Bytes [ FF, 1B, 54, F7, 24, 54, E6, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 17 77F57BC5 278 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 12E 77F57CDC 25 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 148 77F57CF6 10 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 153 77F57D01 6 Bytes [ FF, FF, FF, FF, FF, FF ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 15B 77F57D09 54 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + 87 77F58AC5 10 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + 94 77F58AD2 16 Bytes [ 00, 00, 30, AC, 30, FF, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + A5 77F58AE3 52 Bytes [ 00, BA, 8C, 7D, FF, E4, C3, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + DA 77F58B18 5 Bytes [ 10, 70, 10, FF, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + E1 77F58B1F 67 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap 77F59726 55 Bytes [ 00, 00, 00, 00, 00, 00, EC, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 39 77F5975F 3 Bytes [ 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 3E 77F59764 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 45 77F5976B 13 Bytes [ 00, 00, 00, 00, 00, 77, 5B, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 53 77F59779 40 Bytes [ 5B, 4B, 10, 00, 00, 00, 00, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + 2D 77F59817 10 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + 39 77F59823 66 Bytes [ 00, 2F, 5C, E3, 10, 2C, 5C, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + 7E 77F59868 47 Bytes [ 00, 66, 00, EF, 57, B5, 6C, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + AE 77F59898 6 Bytes [ 00, 00, 00, 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + B5 77F5989F 12 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + C 77F598AC 60 Bytes [ F1, BE, 93, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 4A 77F598EA 23 Bytes [ 00, 00, 00, 00, 00, 00, 77, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 64 77F59904 25 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 7F 77F5991F 3 Bytes [ 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 84 77F59924 50 Bytes [ E3, B2, 8D, FF, FF, FF, FF, ... ]
 
Hi again, we'll continue :)

GMER log was big, I've edited the unnecessary parts out.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download LSPFix. Extract (unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of mkls.dll (and nothing else), and move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to My Computer and delete the following files (if present):
c:\documents and settings\default\start menu\programs\startup\winlogon.lnk (may not have that .lnk but delete if you find just winlogon)
C:\WINDOWS\System32\ht5nkgki.exe

Go to My Computer and delete the following folders (if present):
C:\WINDOWS\System32\dyfrism

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Restart to the normal mode.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
================

When you're ready, please post the following logs here:
- F-Secure's report
- a fresh HijackThis log
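The entries the helper singled out above (a populated win.ini load/run line, a winlogon.exe sitting in a random System32 subfolder, a Run entry with a random-looking name, an orphaned URLSearchHook, a startup shortcut HijackThis cannot resolve) follow patterns a defender can check for mechanically. The script below is an added example, not a tool from this thread or from HijackThis itself: it applies those heuristics to a constructed sample of HijackThis v1.99.1 lines in the format seen here. The name lists, thresholds and reason strings are this example's own assumptions.

```python
import re

# Core Windows binaries whose names malware likes to borrow, and where the real
# ones live on an XP system. Both sets are heuristics chosen for this example.
SYSTEM_BINARIES = {"winlogon", "svchost", "lsass", "smss", "csrss", "services", "explorer"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample: HijackThis v1.99.1 lines in the format seen in this thread.
# The R1/R3/F3/O4 entries at the top are the ones the helper asked to fix; the
# last three are ordinary entries from the same log that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - Startup: winlogon.lnk = ?
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""


def file_stem(path):
    """Last path component without extension or trailing arguments, lower-cased."""
    name = path.strip().strip('"').rsplit("\\", 1)[-1]
    return name.split(".", 1)[0].lower()


def parent_dir(path):
    """Directory part of a Windows path, lower-cased (pure string work, runs anywhere)."""
    path = path.strip().strip('"')
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def looks_random(stem):
    """Heuristic for generated names such as ht5nkgki: lowercase letters and digits
    only, 7+ chars, at least one digit, and few vowels among the letters."""
    if not re.fullmatch(r"[a-z0-9]{7,}", stem) or not re.search(r"\d", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    return bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) < 0.3


def check_binary_location(path):
    """A core system binary name living outside %SystemRoot% or System32 is a red flag."""
    if file_stem(path) in SYSTEM_BINARIES and parent_dir(path) not in SYSTEM_DIRS:
        return ["core system binary name (%s) outside its expected directory" % file_stem(path)]
    return []


def flag_line(line):
    """Return the list of reasons a single HijackThis line deserves attention."""
    line = line.strip()
    reasons = []
    if re.match(r"R[01] - .*= about:blank$", line):
        reasons.append("browser start/default page reset to about:blank (hijack residue)")
    elif re.match(r"R3 - URLSearchHook: \(no name\) - \{[0-9A-F-]+\} - \(no file\)$", line):
        reasons.append("URLSearchHook with no name and no file (orphaned hook)")
    m = re.match(r"F3 - REG:win\.ini: (load|run)=(.+)$", line)
    if m:  # win.ini load=/run= are legacy autostart keys, normally empty on XP
        reasons.append("legacy win.ini %s= entry is populated" % m.group(1))
        reasons += check_binary_location(m.group(2))
    m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (.+)$", line)
    if m:
        if looks_random(file_stem(m.group(1))):
            reasons.append("Run entry with random-looking executable name")
        reasons += check_binary_location(m.group(1))
    m = re.match(r"O4 - (?:Global )?Startup: (.+?) = (.+)$", line)
    if m:
        if m.group(2).strip() == "?":
            reasons.append("startup shortcut whose target HijackThis could not resolve")
        if file_stem(m.group(1)) in SYSTEM_BINARIES:
            reasons.append("startup item named after a core system binary")
    return reasons


def flag_entries(log_text):
    """Scan a whole log; returns [(line, [reasons...]), ...] for flagged lines only."""
    return [(ln.strip(), flag_line(ln)) for ln in log_text.splitlines() if flag_line(ln)]


if __name__ == "__main__":
    for entry, why in flag_entries(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample it flags the six entries from the helper's fix list and leaves the AVG, Google Updater and Spybot lines alone; a heuristic like this is a triage aid, not a verdict.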
 
Scanning Report
Tuesday, January 16, 2007 21:05:11 - 21:39:27
Computer name: TEMP-JY4Q3NS0LW
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
Malware.TopAntiSpyware (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
Windows (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 23094
System: 3784
Not scanned: 16
Actions:
Disinfected: 3
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{BB82C9DC-7F25-4E83-96FC-FE18942FA4D2}.BIN
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLKB839645$\FLDRCLNR.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\ACCWIZ.EXE
C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSYS.DLL
C:\DOCUMENTS AND SETTINGS\MOM AND DAD\DESKTOP\LOGFILE OF HIJACK.THIS.DOC
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\FD385DD2BAA7D926802E1DA7535DA7CA_6F28A56A-3A20-4342-9268-ED23C42D5001

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-01-16
F-Secure AVP: 7.0.171, 2007-01-17
F-Secure Orion: 1.2.37, 2007-01-17
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2006-11-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics



Hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 9:41:04 PM, on 1/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\MOMAND~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\MOMAND~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
One other thing.....

I am unable to use the volume on my speakers. It just won't play anything, and when you go into the Control Panel it won't let you click on anything to fix it.
Also Outerinfo is in my All Programs, but the whole time I was in safe mode I couldn't figure out where it might be.
Thanks
 
Hi :)

Please go to My computer and locate & delete the following file:
c:\documents and settings\default\start menu\programs\startup\winlogon.lnk (may not have that .lnk but delete if you find just winlogon)

When did you lose your sound ? Have you tried updating your audio drivers ?

Then you should be able to install AVG Anti-Spyware now...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot: scanavgjk2.jpg]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs here:
- AVG's report
- a fresh HijackThis log
 