Smitfraud-C Toolbar help please!

[Shawge]

SECOND HALF ON NEXT POST

ComboScan v20070306.20 run by Owner on 2007-03-07 at 15:55:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
57: 2007-03-07 21:55:33 UTC - RP333 - ComboScan Restore Point
56: 2007-03-05 22:57:13 UTC - RP332 - Removed Visual Studio.NET Baseline - English
55: 2007-03-04 17:50:08 UTC - RP331 - Removed J2SE Runtime Environment 5.0 Update 7
54: 2007-03-04 02:12:12 UTC - RP330 - System Checkpoint
53: 2007-03-03 00:06:27 UTC - RP329 - Removed Star Wars Jedi Knight Jedi Academy


-- First Restore Point --
1: 2007-01-09 15:00:43 UTC - RP277 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:56:36 PM, on 07/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Xfire\Xfire.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\comboscan.exe
C:\DOCUME~1\Owner\MYDOCU~1\MYRECE~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://starwarsbattlefront.filefront.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://supacerazaycool.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E52AD2CB-4B52-4FA2-8180-991AC923FB59}: NameServer = 192.168.100.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3S 0efee1b0-8a58-4909-a2af-c554a7671b21 - E:\Player\cds300.dll (not found)
0R agpCPQ (Compaq AGP Bus Filter) - C:\WINDOWS\system32\drivers\AGPCPQ.SYS
3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
0R alim1541 (ALI AGP Bus Filter) - C:\WINDOWS\system32\drivers\ALIM1541.SYS
0R amdagp (AMD AGP Bus Filter Driver) - C:\WINDOWS\system32\drivers\AMDAGP.SYS
3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
0R cbidf - C:\WINDOWS\system32\drivers\cbidf2k.sys
0R dac2w2k - C:\WINDOWS\system32\drivers\dac2w2k.sys
1S DcCam (Kodak Camera Proxy) - C:\WINDOWS\system32\DRIVERS\DcCam.sys (not found)
3S DcFpoint - C:\WINDOWS\system32\DRIVERS\DcFpoint.sys (not found)
2S DCFS2K (Kodak DCFS2K Driver) - C:\WINDOWS\system32\drivers\dcfs2k.sys (not found)
3S DcLps (Legacy Polling Service) - C:\WINDOWS\system32\DRIVERS\DcLps.sys (not found)
3S DcPTP - C:\WINDOWS\system32\DRIVERS\DcPTP.sys (not found)
3S dtscsi - C:\WINDOWS\system32\drivers\dtscsi.sys
3R ENETHUSB (Speedstream Ethernet USB Adapter) - C:\WINDOWS\system32\drivers\enethusb.sys
1S Exportit - C:\WINDOWS\system32\DRIVERS\exportit.sys (not found)
3R GEARAspiWDM (GEAR CDRom Filter) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFHWBS2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\HSF_DP.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3S mxnic (Macronix MX987xx Family Fast Ethernet NT Driver) - C:\WINDOWS\system32\drivers\mxnic.sys
3S naecd - C:\DOCUME~1\Owner\LOCALS~1\Temp\naecd.sys (not found)
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
3S nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
0R ohci1394 (VIA OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
1S P3 (Intel PentiumIII Processor Driver) - C:\WINDOWS\system32\drivers\p3.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3R RTL8023xp (Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver) - C:\WINDOWS\system32\drivers\Rtlnicxp.sys
1R sdcplh - C:\WINDOWS\system32\drivers\sdcplh.sys
0R sisagp (SIS AGP Bus Filter) - C:\WINDOWS\system32\drivers\SISAGP.SYS
0R sptd - C:\WINDOWS\system32\drivers\sptd.sys
0R srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys
3S SunkFilt (Alcor Micro Corp Reader) - C:\WINDOWS\system32\drivers\Sunkfilt.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3R usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbohci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3R USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
1R VET-FILT (VET File System Filter) - C:\WINDOWS\system32\drivers\vet-filt.sys
1R VET-REC (VET File System Recognizer) - C:\WINDOWS\system32\drivers\vet-rec.sys
1R VETFDDNT (VET Floppy Boot Sector Monitor) - C:\WINDOWS\system32\drivers\vetfddnt.sys
1R VETMONNT (VET File and Macro Monitor) - C:\WINDOWS\system32\drivers\vetmonnt.sys
0R viaagp (VIA AGP Bus Filter) - C:\WINDOWS\system32\drivers\VIAAGP.SYS
1R vsdatant - C:\WINDOWS\system32\vsdatant.sys
3S wanatw (WAN Miniport (ATW)) - C:\WINDOWS\system32\DRIVERS\wanatw4.sys (not found)
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
3S WpdUsb - C:\WINDOWS\system32\drivers\wpdusb.sys
0R WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
3S XTrapD12 - C:\WINDOWS\system32\XTrapD12.sys (not found)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
3R CAISafe (CA ISafe) - C:\WINDOWS\system32\ZoneLabs\isafe.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3R iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
3S KodakCCS (Kodak Camera Connection Software) - C:\WINDOWS\system32\drivers\KodakCCS.exe
2R PrismXL - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
3R usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
2R vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service


-- Scheduled Tasks -------------------------------------------------------------

2007-03-01 10:44:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2005-12-28 22:39:04 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job<ISPSIG~3.JOB>
2005-12-28 22:39:04 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job<ISPSIG~2.JOB>
2005-12-28 22:39:03 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job<ISPSIG~1.JOB>

 

[Shawge]

-- Files created between 2007-02-07 and 2007-03-07 -----------------------------

2007-03-06 16:52:32 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-06 16:52:25 0 d-------- C:\Program Files\Grisoft
2007-03-04 00:22:31 0 d-------- C:\Program Files\CCleaner
2007-03-04 00:18:37 0 d-------- C:\WINDOWS\pss
2007-03-03 23:05:57 25382 --a------ C:\WINDOWS\system32\awtsp.exe
2007-03-03 13:14:35 0 d-------- C:\Documents and Settings\Joy\Application Data\Apple Computer<APPLEC~1>
2007-03-02 21:14:24 3340 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-02 21:13:55 79360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-02 21:13:55 40960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-02 21:13:55 135168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-02 21:13:55 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-02 21:13:55 53248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-02 21:13:55 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-02-24 18:37:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-23 22:44:38 0 d-------- C:\Documents and Settings\Owner\Shared
2007-02-23 22:42:51 0 d-------- C:\Program Files\LimeWire
2007-02-23 22:42:06 0 d-------- C:\Documents and Settings\Owner\.limewire<LIMEWI~1>
2007-02-19 19:14:04 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-02-19 15:53:24 0 d-------- C:\WINDOWS\SxsCaPendDel<SXSCAP~1>
2007-02-17 18:39:04 105130 --a------ C:\WINDOWS\efcdba.dll
2007-02-15 18:27:46 0 d-------- C:\WINDOWS\vbSkinner<VBSKIN~1>
2007-02-15 17:17:10 251672 --a------ C:\WINDOWS\system32\xactengine2_5.dll<XACTEN~1.DLL>
2007-02-15 16:37:32 0 d-------- C:\Program Files\WarRock
2007-02-15 16:36:19 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield<INSTAL~1>
2007-02-13 17:05:19 0 d-------- C:\WINDOWS\ie7updates<IE7UPD~1>
2007-02-13 17:01:26 8912896 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-02-07 21:09:42 105130 --a------ C:\WINDOWS\fcbcaa.dll


-- Find3M Report ---------------------------------------------------------------

2007-03-07 15:55:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-03-07 15:35:43 0 d---s---- C:\Program Files\Xfire
2007-03-07 15:30:14 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-06 15:52:15 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll<CMDLIN~1.DLL>
2007-03-06 15:50:43 0 d-------- C:\Program Files\AlphaZIP
2007-03-06 15:49:44 58904 --a------ C:\WINDOWS\system32\azipcontmn.dll<AZIPCO~1.DLL>
2007-03-06 08:03:20 0 d-------- C:\Program Files\Diablo II<DIABLO~1>
2007-03-05 15:39:39 0 d-------- C:\Program Files\Steam
2007-03-02 18:19:03 0 d-------- C:\Program Files\Microsoft Games<MI9A48~1>
2007-03-02 18:08:50 0 d-------- C:\Program Files\LucasArts<LUCASA~1>
2007-03-02 18:07:03 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-23 23:14:32 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-02-02 22:28:41 105130 --a------ C:\WINDOWS\wvwttt.dll
2007-02-02 01:00:10 105130 --a------ C:\WINDOWS\ljklkh.dll
2007-02-01 13:03:10 105130 --a------ C:\WINDOWS\awtuvs.dll
2007-01-31 14:58:25 0 d-------- C:\Program Files\KnightOnline<KNIGHT~1>
2007-01-29 02:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-25 13:19:11 105130 --a------ C:\WINDOWS\opmkhh.dll
2007-01-21 23:50:43 105130 --a------ C:\WINDOWS\tutqrp.dll
2007-01-19 15:50:31 105130 --a------ C:\WINDOWS\awuusp.dll
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-19 11:38:35 105130 --a------ C:\WINDOWS\opomkl.dll
2007-01-18 00:47:00 105130 --a------ C:\WINDOWS\efcyxu.dll
2007-01-16 15:45:07 105130 --a------ C:\WINDOWS\vttrrr.dll
2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-09 15:45:32 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-01-09 14:24:00 0 d-------- C:\Program Files\IrfanView<IRFANV~1>
2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 19:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-12-29 17:02:17 105099 --a------ C:\WINDOWS\tuvstr.dll
2006-12-29 13:57:13 105099 --a------ C:\WINDOWS\qonljh.dll
2006-12-19 15:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 12:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-15 12:00:38 1021504 --a------ C:\WINDOWS\system32\vete.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"SoundMan"="SOUNDMAN.EXE"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
69,6e,64,5f,58,50,2e,65,78,65,00
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9324a549-4011-11da-8b57-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0f4a03f-0a9e-11da-a4ee-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{df6c14ad-4586-11da-b856-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


-- End of ComboScan: finished at 2007-03-07 at 15:58:13 ------------------------

 

[Mr_JAk3]

Hi again

Ok some leftovers....

Open Notepad and copy the following lines into a new document:

@echo off
sc stop naecd
sc delete naecd

Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted. A window will open and close.

Run ATF Cleaner

• Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.

Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.

Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

C:\WINDOWS\system32\awtsp.exe
C:\WINDOWS\efcdba.dll
C:\WINDOWS\fcbcaa.dll
C:\WINDOWS\system32\azipcontmn.dll
C:\WINDOWS\wvwttt.dll
C:\WINDOWS\ljklkh.dll
C:\WINDOWS\awtuvs.dll
C:\WINDOWS\opmkhh.dll
C:\WINDOWS\tutqrp.dll
C:\WINDOWS\awuusp.dll
C:\WINDOWS\opomkl.dll
C:\WINDOWS\efcyxu.dll
C:\WINDOWS\vttrrr.dll
C:\WINDOWS\tuvstr.dll
C:\WINDOWS\qonljh.dll

Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.

(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe form here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

Post a one more HijackThis log to here just in case. :bigthumb:

 

[Shawge]

Is this the end?

Logfile of HijackThis v1.99.1
Scan saved at 11:55:49 PM, on 08/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://starwarsbattlefront.filefront.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://supacerazaycool.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E52AD2CB-4B52-4FA2-8180-991AC923FB59}: NameServer = 192.168.100.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[Mr_JAk3]

Hi again, it is looking clean now
The computer is running fine?

Your ZoneAlarm includes an antivirus too, right?

Now you can clean AVG's Quarantine:

• Open AVG Anti-Spyware
• Click Infections
• Click Quarantine tab
• Click Select all
• Click Remove finally
• Close the program

You can remove the tools we used.

Then you should update your Java to the latest version (6.0)

• [*]Start
  [*]Control Panel
  [*]Add/Remove Programs
• Delete the old Java, J2SE Runtime Environment 5.0 Update 7
• Download the latest version of Java Runtime Environment (JRE) 6.0.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Install it

Now you can make your hidden files hidden again.

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Check "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

• Clear your system restore
  This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  
• Use ATF Cleaner
  Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  
• Use Ad-Aware
  Download and install Ad-Aware. Update it and scan your computer regularly with it.
  
• Use AVG Anti-Spyware
  Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
  
• Use Spybot S&D
  Download and install Spybot S&D. Update it and scan your computer regularly with it.
  
• Install SpywareBlaster
  SpywareBlaster will prevent spyware from being installed.
  
• Install MVPS Hosts file
  This prevents your computer from connecting to harmful sites.
  
• Use Firefox browser
  Firefox is faster and more secure browser than Internet Explorer.
  
• Keep your systen up-to-date
  Visit Windows Update regularly. How to enable Automatic Updates?
  
• Keep your antivirus and firewall up-to-date
  Scan your computer regularly with you antivirus software.
  
• Read this article by TonyKlein
  So how did I get infected in the first place?
  
• Stand Up and Be Counted !
  The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

 

[Shawge]

Thank you alot!!:laugh: My computer is running way better now:bigthumb:

 

[Mr_JAk3]

That's great news and you're very welcome :

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: