heavydutytwo

I can't rid my computer of browser hijacker


Hi

 

My Personal Computer is constantly re-infecting itself with a browser hijacker that I can't get rid of with AdAware SE, AVG or SPYBOT.

 

TROJAN.MEZZER

TROJAN HORSE PSW.Generic

TROJAN HORSE Generic

TROJAN HORSE downloader Generic

 

have all been removed by AVG from my system32 file and other places, and I have got rid of several other spyware and adware programs too. However, my system must still be reinfecting itself, as my browser keeps trying to open pages without my wanting it to.

Here is my AVG report

 

+ Scan result:

 

C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\FICVYDRL\spsetup[1].exe -> Adware.SaveNow : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup (quarantined).

HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup (quarantined).

HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup (quarantined).

HKLM\SOFTWARE\WhenUSave\Partners\WUSV -> Adware.SaveNow : Cleaned with backup (quarantined).

C:\Documents and Settings\Alex Southward\Local Settings\Temp\winB7.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).

C:\Documents and Settings\Alex Southward\Local Settings\Temporary Internet Files\Content.IE5\0HUB4X6V\mulbin32[1].exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).

C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).

C:\Documents and Settings\Alex Southward\Local Settings\Temp\mshtml2.exe -> Downloader.PurityScan.ds : Cleaned with backup (quarantined).

C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j0pdbmjp.default\Cache\069CD5C0d01 -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned.

C:\Documents and Settings\Admin\Local Settings\Temp\v5haxjfw.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned.

C:\Documents and Settings\Alex Southward\Local Settings\Temporary Internet Files\Content.IE5\SNPRIIF1\antzom[1].exe -> Trojan.Agent.vg : Cleaned with backup (quarantined).

 

::Report end

 

Also here is my HijackThis log

 

Logfile of HijackThis v1.99.1

Scan saved at 18:29:34, on 15/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Alex Southward\Local Settings\Temp\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [DeskSlide] C:\Program Files\DeskSlide\DeskSlide.exe -logon -hide

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: AbsoluteShield Track Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Track Eraser\cseraser.exe (HKCU)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE

 

HELP ME GET RID OF THIS ANNOYING VIRUS THINGEY!?!?!? ARRGH....

 

Help much appreciated

 

Alex


Hello, Alex & welcome

 

 

Uninstall the following programs if present

- Go to Start > Control Panel > Add/Remove Programs

- Select the following, one at a time, and click Remove for each one

Oin

Yazzle by Oin

Purityscan by Oin

Snowballwars by Oin

Cowabanga by OIN

or anything similar with Oin in it

 

If OIN is not listed, download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

 

Reboot when done! Really important!

 

 

Then

 

 

Download this file - combofix.exe and save it to your desktop.

Double-click combofix.exe & follow the prompts.

When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running, as it may cause it to stall.

 

 

Gogo :)


Hi,

Thanks for the help, but...

I DID have PurityScan, but I think I got shot of that a while ago... don't know how I got it in the first place... When I checked for OIN-type programs I didn't have any... I ran the uninstaller, but it didn't seem to do anything (my antivirus flagged it, so I told the program to ignore it and add it to exceptions - was this correct?)

 

When I ran it ... nothing happened...

 

So I ran ComboFix... A DOS-style window flashed up for 1 second, "access denied" flashed up twice, and the program died.

 

I have no report to print because it didn't get a chance to generate one.

 

Any more help please?

 

Alex


Hi again

 

Also, I have suspicious files in my "Program Files/Common Files" directory. They are basically empty, but one has an uninstaller inside; both have huge numbers (like keys, 16 or so digits long) in their file names.

I don't want to get rid of them unless I know what they are.

 

Thanks again for any help

 

Alex


Hey, heavydutytwo

OK, I don't get it when you say:

(my antivirus flagged it, so I told the program to ignore it and add to exceptions - was this correct?)

Umm, flagged what??

Also, are you running as the Admin of this PC? Please try running both tools again and tell me what, if anything, happens.

 

Gogo :mellow:


Hi

 

I have got the OiUninstaller to work... It said some files might be deleted on next start-up. I immediately restarted the PC. Upon boot-up (ADMIN) I attempted to run COMBOFIX.

ComboFix attempts to open and install some files. It opens a DOS-style box, which says ACCESS DENIED, ACCESS DENIED, and closes down, deleting the 5 or 6 files it just tried to install. I have given this program (COMBOFIX) access to the net via my firewall, so I don't understand why it says this ACCESS DENIED.

Also, my anti-spyware program has found (AGAIN)

Adware.SaveNow - threat MEDIUM -

Thanks for the help, guys. We're getting there.

 

Alex

 

P.S. My antivirus WAS flagging OiUninstaller as a possible virus; I have sorted that now by telling my software to ignore it (see HJThis' reply).


Also Spybot just found

SmitFraud-C Toolbar.888

I will now spend the next five minutes thinking bad thoughts about people who write viruses, trojans, worms, spyware, malware, adware, and all the other stuff that makes life a little bit worse... may they all catch STDs and find out a week too late to do anything about them...

 

Alex


Arggg

 

My latest check, using another program, has just found

 

Reliablestats

Cassava - 2 entries

SystemDoctor2006 - 2 entries

TagASaurus - what the f*** is this and what is it doing to my computer???

 

Help

 

Alex


Hey, Alex

OK, for now just run the tools that I ask, please. Now run HijackThis and show me a logfile, and try this here for me.

 

 

Download Rootkit Revealer and extract it. Double-click on Rootkit Revealer and press "Scan". After the scan, press "File" -> "Save..." and copy/paste the contents into a new post.

 

While Rootkit Revealer is running, please do not do anything else as this will give distracting information in the log it produces.

 

 

Also do this here

 

 

Please RIGHT-CLICK HERE to download Silent Runners.

  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
      Do you want to skip supplementary searches?
      click NO
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

 

 

And let's have a look at these

 

 

Open HijackThis, click Config, click Misc Tools

Click "Open Uninstall Manager"

Click "Save List" (generates uninstall_list.txt)

Click Save, copy and paste the results in your next post.

 

 

Gogo :mellow:


Hi

 

Got ComboFix working by running it in SAFE MODE with NETWORK switched off (for future ref).

Here is the report:

 

 

Admin - 06-12-16 16:40:41.39 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Admin\Desktop\New Folder"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\components

C:\Program Files\Common Files\{08515C97-08A3-2057-1020-05020706002c}

C:\Program Files\Common Files\{38515C97-08A3-2057-1020-05020706002c}

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))

 

 

2006-12-16 15:22 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7

2006-12-16 09:57 44,052 --a------ C:\WINDOWS\system32\rmwqrlnm.dll

2006-12-15 08:17 118,804 --a------ C:\WINDOWS\system32\ahacldtw.dll

2006-12-12 12:34 <DIR> d--h-c--- C:\WINDOWS\ie7

2006-12-12 12:34 <DIR> d-------- C:\WINDOWS\WBEM

2006-12-12 12:34 <DIR> d-------- C:\WINDOWS\system32\en-US

2006-12-12 12:33 121,856 --------- C:\WINDOWS\system32\xmllite.dll

2006-12-12 12:32 <DIR> d-------- C:\WINDOWS\network diagnostic

2006-12-05 14:38 <DIR> d-------- C:\WINDOWS\Sun

2006-12-03 12:19 <DIR> dr-h----- C:\$VAULT$.AVG

2006-12-03 12:18 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2006-12-03 12:18 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys

2006-12-03 12:18 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2006-12-03 12:18 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys

2006-12-03 12:18 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2006-12-03 12:18 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys

2006-12-03 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2006-12-03 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7

2006-12-02 23:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2006-12-02 23:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2006-11-29 21:23 821,636 ---hs---- C:\WINDOWS\system32\hjkkj.bak2

2006-11-28 03:48 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2006-11-28 03:48 <DIR> d-------- C:\Program Files\Grisoft

2006-11-28 03:04 88,340 --a------ C:\WINDOWS\system32\cmjbaswv.exe

2006-11-28 03:04 589,761 ---hs---- C:\WINDOWS\system32\hjkkj.bak1

2006-11-27 09:28 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2006-11-25 19:14 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll

2006-11-25 19:14 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll

2006-11-25 19:14 6,144 --a------ C:\WINDOWS\system32\kbd106.dll

2006-11-25 19:14 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll

2006-11-25 19:14 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll

2006-11-25 19:14 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

2006-11-25 19:00 <DIR> d-------- C:\Program Files\Java

2006-11-25 18:58 <DIR> d-------- C:\Program Files\LimeWire

2006-11-25 18:58 <DIR> d-------- C:\Program Files\Common Files\Java

2006-11-22 00:17 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2006-11-22 00:17 <DIR> d-------- C:\WINDOWS\system32\AGEIA

2006-11-22 00:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2006-11-22 00:17 <DIR> d-------- C:\Program Files\AGEIA Technologies

2006-11-21 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead

2006-11-21 22:36 <DIR> d-------- C:\Program Files\Nero

2006-11-21 22:36 <DIR> d-------- C:\Program Files\Common Files\Ahead

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-16 16:41 -------- d-------- C:\Program Files\Common Files

2006-12-16 16:06 -------- d-------- C:\Program Files\Mozilla Firefox

2006-12-16 16:01 -------- d-------- C:\Documents and Settings\Admin\Application Data\OpenOffice.org2

2006-12-16 10:52 -------- d-------- C:\Program Files\NETGEAR

2006-12-12 22:07 -------- d-------- C:\Program Files\Common Files\System

2006-12-12 12:55 -------- d-------- C:\Program Files\Internet Explorer

2006-12-07 06:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll

2006-11-28 04:11 -------- d-------- C:\Program Files\Paint.NET

2006-11-27 09:28 -------- d-------- C:\Program Files\Windows Media Player

2006-11-21 21:44 1890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2006-11-16 22:50 -------- d-------- C:\Program Files\TmSunrise

2006-11-16 15:20 -------- d--h----- C:\Program Files\InstallShield Installation Information

2006-11-15 15:53 -------- d-------- C:\Program Files\BitTornado

2006-11-15 02:14 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys

2006-11-14 22:54 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2006-11-14 21:15 -------- d-------- C:\Program Files\EA GAMES

2006-11-14 20:55 -------- d-------- C:\Program Files\Sierra

2006-11-09 17:16 -------- d-------- C:\Program Files\Corel

2006-11-09 17:15 -------- d-------- C:\Program Files\Common Files\Corel

2006-11-08 16:02 -------- d-------- C:\Program Files\Adobe

2006-11-08 15:58 -------- d-------- C:\Program Files\Common Files\Adobe

2006-11-08 15:31 -------- d-------- C:\Documents and Settings\Admin\Application Data\Adobe

2006-11-08 15:27 -------- d-------- C:\Program Files\WinAce

2006-11-08 15:22 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared

2006-11-08 15:09 -------- d-------- C:\Program Files\Fraps

2006-11-08 14:15 -------- d---s---- C:\Documents and Settings\Admin\Application Data\Microsoft

2006-11-08 14:15 -------- d-------- C:\Program Files\Lavasoft

2006-11-08 14:15 -------- d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft

2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2006-11-07 23:09 -------- d-------- C:\Program Files\Pinnacle

2006-11-07 23:08 -------- d-------- C:\Program Files\SmartSound Software

2006-11-07 23:07 95 --a------ C:\AUTOEXEC.BAT

2006-11-07 23:07 -------- d-------- C:\Program Files\DivX

2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll

2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll

2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll

2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll

2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll

2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll

2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll

2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll

2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll

2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll

2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll

2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe

2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll

2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll

2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe

2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll

2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll

2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll

2006-11-02 18:43 -------- d-------- C:\Program Files\AusLogics Disk Defrag

2006-10-29 10:05 -------- d-------- C:\Program Files\PSP5

2006-10-26 16:12 -------- d-------- C:\Documents and Settings\Admin\Application Data\AdobeUM

2006-10-26 16:00 -------- d-------- C:\Documents and Settings\Admin\Application Data\Mozilla

2006-10-26 15:57 -------- d-------- C:\Documents and Settings\Admin\Application Data\Macromedia

2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll

2006-10-18 18:38 21035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys

2006-10-18 11:01 -------- d-------- C:\Program Files\Microsoft Games

2006-10-17 17:58 -------- d-------- C:\Program Files\DVD Shrink

2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll

2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll

2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe

2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll

2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll

2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll

2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll

2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe

2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll

2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll

2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe

2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll

2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll

2006-10-16 15:35 -------- d-------- C:\Program Files\Ubisoft

2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-09-28 14:55 53248 --a------ C:\WINDOWS\system32\PhysXLoader.dll

2006-09-26 14:01 45056 -ra------ C:\WINDOWS\system32\AgCPanelJapanese.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"

"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Snapfire\\Corel Photo Downloader.exe"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktopChanges"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

Completion time: 06-12-16 16:41:22.37

C:\ComboFix.txt ... 06-12-16 16:41

 

Cheers

Alex

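As an added example, not part of this thread and not code from ComboFix, HijackThis or any other tool named here: a small Python script that applies three defender-side triage heuristics to a ComboFix-style log of the kind posted above. It flags (1) non-directory files sitting directly in system32 with both the hidden and system attribute bits set, (2) files directly in system32 whose name is exactly eight lowercase letters plus .dll/.exe, and (3) any Winlogon\Notify package listed under "Reg Loading Points". The rule names, the Finding class and the triage function are my own; the sample log is an excerpt assembled from lines of the ComboFix log posted above (one line from its Find3M section is mixed in, and the section headers are abbreviated).

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt assembled from lines of the ComboFix log
# posted in this thread (headers abbreviated, one Find3M line mixed in).
SAMPLE_LOG = r"""
((((( Files Created from 2006-11-16 to 2006-12-16 )))))

2006-12-16 09:57 44,052 --a------ C:\WINDOWS\system32\rmwqrlnm.dll
2006-12-15 08:17 118,804 --a------ C:\WINDOWS\system32\ahacldtw.dll
2006-12-03 12:18 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-29 21:23 821,636 ---hs---- C:\WINDOWS\system32\hjkkj.bak2
2006-11-28 03:04 88,340 --a------ C:\WINDOWS\system32\cmjbaswv.exe
2006-11-28 03:04 589,761 ---hs---- C:\WINDOWS\system32\hjkkj.bak1
2006-11-27 09:28 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-21 21:44 1890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-16 15:20 -------- d--h----- C:\Program Files\InstallShield Installation Information

((((( Reg Loading Points )))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32
"""

# Rule names (my own labels, not ComboFix terminology).
RULE_HIDDEN_SYSTEM = "hidden+system file directly under system32"
RULE_RANDOM_NAME = "8-letter pseudo-random file name directly under system32"
RULE_WINLOGON_NOTIFY = "Winlogon Notify package"


@dataclass
class Finding:
    rule: str
    name: str   # file name, or the Notify subkey name
    line: str   # the log line that triggered the rule


# ComboFix file lines: date, time, size (<DIR>, dashes or digits), a 9-char
# attribute field, then the path (which may contain spaces).
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[\w-]{9})\s+(?P<path>.+?)\s*$"
)
# Bare key paths under Reg Loading Points, e.g. ...\winlogon\notify\jkkjh
NOTIFY_KEY = re.compile(r"\\winlogon\\notify\\(?P<name>[^\\\s]+)\s*$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")


def _directly_under_system32(path):
    parent = path.rpartition("\\")[0]
    return parent.lower().endswith("\\windows\\system32")


def triage(log_text):
    """Return triage findings, in log order, for a ComboFix-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            name = path.rpartition("\\")[2]
            is_dir = attrs[0] == "d"
            # Attribute field as printed in the log: d r a h s c ...
            # index 3 is the hidden bit, index 4 the system bit.
            hidden_system = attrs[3] == "h" and attrs[4] == "s"
            if not is_dir and _directly_under_system32(path):
                if hidden_system:
                    findings.append(Finding(RULE_HIDDEN_SYSTEM, name, line))
                if RANDOM_NAME.match(name):
                    findings.append(Finding(RULE_RANDOM_NAME, name, line))
            continue
        k = NOTIFY_KEY.search(line)
        if k:
            findings.append(Finding(RULE_WINLOGON_NOTIFY, k["name"], line))
    return findings


def names_for(findings, rule):
    """Names of the findings that matched one rule, in log order."""
    return [f.name for f in findings if f.rule == rule]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.name}\n    {f.line}")
```

These are triage candidates for a human to check, not verdicts: a hidden+system file or an eight-letter name in system32 is a reason to look the file up (signer, known-file database, the vendor of the product that installed it), not proof that it is malware. The Winlogon Notify rule is the most reliable of the three here because the Silent Runners log later in the thread lists both jkkjh.dll and winexz32.dll as [file not found], which is consistent with a removal that left loading points behind.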

Hi, F.Y.I.

 

SILENT RUNNERS LOG

 

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

"PinnacleDriverCheck" = "C:\WINDOWS\system32\\PSDrvCheck.exe" [empty string]

"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"Corel Photo Downloader" = "C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" ["Corel, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Companion BHO"

\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll" [file not found]

{099D0986-C204-F967-3343-00A64FA96FB9}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\vorenbj.dll" [file not found]

{3C5205B8-7A57-4022-866D-A57805F301A8}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\jkkjh.dll" [file not found]

{3FD6B99C-A275-46ea-8FD1-3D63986E51E4}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\rmwqrlnm.dll" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"

-> {HKLM...CLSID} = "Studio.Project"

\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

<<!>> "GinaDLL" = "RtlGina2.dll" [null data]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> jkkjh\DLLName = "C:\WINDOWS\system32\jkkjh.dll" [file not found]

<<!>> winexz32\DLLName = "winexz32.dll" [file not found]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

 

Group Policies {policy setting}:

--------------------------------

 

Note: detected settings may not have any effect.

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{Prevent access to registry editing tools}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

 

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

 

 

Startup items in "Admin" & "All Users" startup folders:

-------------------------------------------------------

 

C:\Documents and Settings\Admin\Start Menu\Programs\Startup

"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"OpenOffice.org 2.0" -> shortcut to: "C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe" [null data]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]

"NETGEAR WG111v2 Smart Wizard" -> shortcut to: "C:\Program Files\NETGEAR\WG111v2\WG111v2.exe" [empty string]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor i350\Driver = "CNMLM53.DLL" ["CANON INC."]

Canon IOS Language Monitor\Driver = "cnwilmnt.dll" ["CANON INC."]

 

 

----------

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 60 seconds.

---------- (total run time: 88 seconds)

 

cheers

 

Alex


Hi

 

FYI HijackThis Uninstall list

 

3DMark05

AbsoluteShield File Shredder

AbsoluteShield Track Eraser

Ad-Aware SE Personal

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player 9 ActiveX

Adobe Help Center 1.0

Adobe Photoshop CS2

Adobe Reader 6.0.1

Adobe Stock Photos 1.0

Age of Empires III

AGEIA PhysX v2.6.0

AusLogics Disk Defrag

AVG Anti-Spyware 7.5

AVG Free Edition

BitTornado 0.3.17

Canon i350

CCleaner (remove only)

Command & Conquer Generals

Corel Paint Shop Pro Photo XI

Corel Snapfire

Delta Force - Black Hawk Down

DeskSlide 2.0.3

DiscAPI (Studio 10)

DivX

DVD Decrypter (Remove Only)

DVD Shrink 3.2

EndItAll 2.0

Far Cry Demo

FEAR

ffdshow

Half-Life® 2

HD Tune 2.52

HijackThis 1.99.1

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

IE Privacy Keeper

InterVideo WinDVD

J2SE Runtime Environment 5.0 Update 8

J2SE Runtime Environment 5.0 Update 9

LimeWire 4.12.6

MadOnion.com/3DMark2001 SE

Microsoft .NET Framework 2.0

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Visual C++ 2005 Redistributable

MMConvert 1.0.5.236 Beta

Monopoly

Mozilla Firefox (1.5.0.8)

Nero 7 Premium

NETGEAR WG111v2 wireless USB 2.0 adapter

NVIDIA Drivers

OpenOffice.org 2.0

Paint.NET v2.72

PowerDVD

QuickTime

Realtek AC'97 Audio

Security Update for Microsoft .NET Framework 2.0 (KB917283)

Security Update for Microsoft .NET Framework 2.0 (KB922770)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB926255)

SmartSound Quicktracks Plugin

SpeechRedist

Spybot - Search & Destroy 1.4

Steam

Studio 10

The Sims 2

Tom Clancy's Splinter Cell Chaos Theory

TrackMania Sunrise

Unreal Tournament 2004

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Encoder 9 Series

Windows Media Encoder 9 Series

Windows Media Format Runtime

Windows Media Player 10

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

WinZip

ZoneAlarm

 

cheers

 

Alex


HI

 

FYI Rootkiller log

(This seemed to fail part way through due to a failure of CMD.EXE)

 

 

HKLM\SECURITY\Policy\Secrets\SAC* 27/02/2006 12:09 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 27/02/2006 12:09 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\.ids\ 07/11/2006 23:50 9 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Classes\blue.Shortcut\ 07/11/2006 23:50 15 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Classes\blue.Shortcut\shell\open\command\ 07/11/2006 23:50 15 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 07/11/2006 23:01 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder 09/11/2006 19:40 87 bytes Data mismatch between Windows API and raw hive data.

 

Plenty of logs for you to be examining; thanks for the help and time spent on this, people.

 

Very much appreciated

 

Alex


Hi, heavydutytwo

 

Run this for me next please.

 

 

Please download VundoFix.exe to your C:\.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.

 

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button.", when VundoFix appears at reboot.

 

 

Gogo ;)


Hello

 

Ran the Vundo thing,

 

It wiped a few files etc... If it hasn't worked I'll be back on-line...

 

Thanks so much for the help. Brilliant! Very merry xmas and a happy new year. All the best!

 

Alex


Hello

 

Ran the Vundo thing,

 

It wiped a few files etc. I have run it 4 or 5 times now, but it keeps finding Windows/System32/jkkjh.dll

and removing it repeatedly. I have not been using the net during this process and have had the phone line disconnected (just in case)

 

Should I be worried about this file? It's obviously coming back every time because something is putting it back after each reboot.

 

I'm not even sure if I am having browser hijackings anymore, as I have not used the internet (apart from this forum) for 3-4 days now.

 

Thanks so much for the help.

 

Alex


Logfile of HijackThis v1.99.1

Scan saved at 17:50:44, on 17/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\Documents and Settings\Admin\Desktop\VundoFix.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Admin\Local Settings\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)

O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)

O2 - BHO: (no name) - {3C5205B8-7A57-4022-866D-A57805F301A8} - C:\WINDOWS\system32\jkkjh.dll (file missing)

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\rmwqrlnm.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)

O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: CLO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\CLO.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: MGOYGJBQW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\MGOYGJBQW.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Hey, heavydutytwo

 

Please update AVG Anti-Spyware and run a full system scan in Safe Mode.

 

View hidden files and folders:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

 

Run HijackThis

Scan and, when it finishes, put a check mark only next to the following items (if present):

 

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)

O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)

O2 - BHO: (no name) - {3C5205B8-7A57-4022-866D-A57805F301A8} - C:\WINDOWS\system32\jkkjh.dll (file missing)

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\rmwqrlnm.dll

 

O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)

 

O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)

 

O23 - Service: CLO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\CLO.exe

O23 - Service: MGOYGJBQW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\MGOYGJBQW.exe

 

Close all browsers and any open windows, making sure that only HijackThis is open.

Click Fix Checked

Close HijackThis

 

 

Restart your computer in Safe Mode.

  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Log in to your usual account.

If you need further assistance with Safe Mode, see Symantec

 

 

Next, do a file search for these files; if found, delete them.

 

C:\WINDOWS\system32\vorenbj.dll<---This file

C:\WINDOWS\system32\jkkjh.dll<---This file

C:\WINDOWS\system32\rmwqrlnm.dll<---This file

C:\WINDOWS\system32\winexz32.dll<---This file

C:\DOCUME~1\Admin\LOCALS~1\Temp\<---Clean out this folder; do not delete the folder itself

 

Now restart in Normal Mode, show me a new HijackThis logfile and give me feedback

on how the PC is doing, please.

 

 

Gogo ;)

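The fix list above is built from three heuristics the helper applied by eye to the HijackThis log (and, earlier, to the `<<!>>`-flagged Winlogon Notify entries in the Silent Runners report): a BHO (O2) or Winlogon Notify (O20) launch point whose DLL is already gone from disk, a BHO registered with no name, and a service (O23) whose binary runs out of a Temp directory. The script below is an added example, not part of the thread and not HijackThis' own code; it parses log lines in that format and returns the entries worth ticking in "Fix checked". `SAMPLE_LOG`, and every path, CLSID and service name in it, is constructed for the demonstration. A Temp-resident service is flagged for review rather than declared malicious, since some diagnostic tools do run temporary services from there.

```python
"""Triage a HijackThis 1.99-style log for launch points worth fixing.

Added example for this thread; not part of HijackThis and not code from the
forum. Heuristics: (1) an O2 BHO or O20 Winlogon Notify entry whose DLL is
"(file missing)", (2) an O2 BHO with "(no name)", (3) an O23 service whose
binary lives under a Temp directory. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Lower-cased path fragments in which a legitimate service binary should
# not normally live.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\temporary internet files\\")

# HijackThis entries start with a section code such as R0, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    code: str                 # HijackThis section, e.g. "O20"
    path: str                 # file the launch point references
    reasons: tuple[str, ...]  # why it was flagged
    line: str                 # original log line, usable as a fix list


def _path_of(body: str) -> str:
    """The last ' - ' separated field of an entry is the referenced file."""
    path = body.rsplit(" - ", 1)[-1]
    if path.endswith(MISSING):
        path = path[: -len(MISSING)]
    return path.strip()


def triage(log_text: str) -> list[Finding]:
    """Return the entries that match one or more of the heuristics."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        lower = body.lower()
        reasons: list[str] = []
        if code in ("O2", "O20") and MISSING in lower:
            reasons.append("launch point references a DLL that is missing on disk")
        if code == "O2" and "(no name)" in lower:
            reasons.append("BHO registered without a name")
        if code == "O23" and any(mk in lower for mk in TEMP_MARKERS):
            reasons.append("service binary runs from a Temp directory")
        if reasons:
            findings.append(Finding(code, _path_of(body), tuple(reasons), line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The log lines to tick in HijackThis' 'Fix checked' dialog."""
    return [f.line for f in triage(log_text)]


# Constructed sample in HijackThis 1.99 format; names and CLSIDs are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed sample)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\abcdefgh.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\system32\ijklmnop.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O20 - Winlogon Notify: abcdefgh - C:\WINDOWS\system32\abcdefgh.dll (file missing)
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\exsvc.exe
O23 - Service: QWERTYUIO - Some Vendor - www.example.invalid - C:\DOCUME~1\Admin\LOCALS~1\Temp\QWERTYUIO.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.path}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run on the sample, it flags the two unnamed BHOs (one of them also for the missing DLL), the orphaned Winlogon Notify entry and the Temp-resident service, and leaves the toolbar, Run key and properly installed service alone. A missing-DLL entry on its own is not proof of infection, but, as the thread shows, a Notify DLL that keeps being recreated after each reboot points at a second component that still has to be found.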

Hi again

 

 

Phew!

 

Logfile of HijackThis v1.99.1

Scan saved at 00:35:24, on 18/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Admin\Local Settings\Temp\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks for all the help. The browser seems to be doing OK; I'll do some serious surfing tomorrow if I get the chance. I'll keep checking for those files you told me to delete, and if I have any more problems I'll come back.

 

I really appreciate the help you have given me, and I apologize for being a pain in the A***. haha. I'm ready for a Pint and a mince pie...

 

Keep up the good work. Thanks again for the help and SEASONS BEST WISHES TO YOU ALL.

 

Alex (here's to hoping it's all fixed)


Hey, heavydutytwo

 

Glad to hear it. Now I have some last steps for you to take.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Next, let's clean your restore points and set a new one.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* CHECK Turn off System Restore.

* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* UN-Check Turn off System Restore.

* Click Apply, and then click OK.

System Restore will now be active again.

Then create a new restore point once you have System Restore back on.

To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.

When the System Restore Utility opens, click "Create a Restore Point" then click Next.

Enter a name for this Restore Point, and click Create.


Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.


Firefox (In case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.


Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c. Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.


And please have a look at the great info by Mr,TK

So how did I get infected in the first place

Gogo ;)

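The Internet zone settings in the "Make your Internet Explorer more secure" steps above are stored in the registry as DWORD values named after IE's URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) under the Internet zone key (zone 3), with 0 = Enable, 1 = Prompt and 3 = Disable. The following script, added here as an example and not part of the original thread or of any Lavasoft or AVG tool, audits those six values against the post's recommended settings and, with -Fix, applies them. It assumes a Windows machine with PowerShell available (the original poster's XP-era box may not have had it) and is run as the user whose profile you want to check.

```powershell
# Added example: audit (and optionally set) the six Internet-zone settings
# the post recommends. IE keeps per-zone settings as DWORD values named after
# the URL-action ID under ...\Internet Settings\Zones\<zone>; zone 3 is
# "Internet". Value meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [switch]$Fix   # apply the recommended values instead of only reporting
)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# One entry per setting in the post: display name, URL-action ID, target value.
$wanted = @(
    @{ Name = 'Download signed ActiveX controls';                          Id = '1001'; Value = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Id = '1004'; Value = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Id = '1201'; Value = 3 },
    @{ Name = 'Installation of desktop items';                             Id = '1800'; Value = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Id = '1804'; Value = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Id = '1607'; Value = 1 }
)

$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the current DWORD for a URL action, or $null if the value is absent
# (absent means IE falls back to its built-in default for the zone's template).
function Get-ZoneValue([string]$Id) {
    $item = Get-ItemProperty -Path $zoneKey -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

foreach ($s in $wanted) {
    $current = Get-ZoneValue $s.Id
    $currentLabel = if ($null -eq $current) { 'not set (IE default)' } else { $label[$current] }
    $ok = ($current -eq $s.Value)
    $status = if ($ok) { 'OK ' } else { 'BAD' }
    '{0} {1,-4} {2,-70} now={3,-22} want={4}' -f $status, $s.Id, $s.Name, $currentLabel, $label[$s.Value]
    if (-not $ok -and $Fix) {
        Set-ItemProperty -Path $zoneKey -Name $s.Id -Value $s.Value -Type DWord
    }
}

# Caveat: when the Security_HKLM_only policy is set, IE reads zone settings
# from HKLM rather than the per-user key audited above, so check that key too.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $policyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set: IE uses HKLM\...\Zones\3, not the per-user key audited above.'
}
```

Run it without arguments first to see which of the six settings differ from the post's recommendations; rerun with -Fix to write them. Restart Internet Explorer afterwards, since it reads the zone values at startup, and re-run the audit to confirm nothing (for example a hijacker still resident) has reverted them.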